A Simple Guide to iOS 7.0.6 and the SSL Fix

Recently, Apple released updates to iOS 7 (iOS 7.0.6) and iOS 6 (iOS 6.1.6), regarding a fix for an SSL vulnerability.  Read on to find out what it’s all about.

So what is this SSL bug all about? Well, in short, it’s a major security flaw that would allow for a man-in-the-middle attack.

Here is the text from Apple’s support document:

iOS 7.0.6

Data Security

Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

CVE-ID

CVE-2014-1266

Simply put, whatever you send over the internet, including passwords and login details, could be intercepted by someone. This is known as a man-in-the-middle attack, because while you are sending something from your phone to the server, the hacker sees everything you are sending to the server, monitoring and intercepting everything in real time, which means none of your data that you transmit is safe. If you log into Facebook, your login details could be intercepted. If you buy something off Amazon, well, if someone is listening in, he could buy things for himself using your account.

Also, for over a year, your data has been technically unsafe and susceptible to such an attack. That is pretty bloody scary, if you ask me. There is actually a rumour going around that last time in iOS 5, this SSL bug was not there, but in iOS 6, released on September 2012, the bug was present. And, get this, in the NSA leaks by Snowden, Apple “joined” the NSA in sharing personal information in September 2012. It’s far fetched, of course, possibly coincidental, and you can choose what to believe in yourself, but what is verity is that your data has been unsafe for over a year and that’s a major security breach.

This bug is also present in OS X, but it has not been fixed yet by Apple. Apple has informed Reuters that they are aware of the problem and are working on a fix. We will inform you when Apple has fixed it, but till then, avoid using public WiFi on your MacBooks as they are still susceptible to this attack. Actually, just avoid using Safari and other native Apple apps like Mail, until Apple pushes out a system update. You can use Chrome, as Chrome does not have this bug. Go here to check if your browser is vulnerable; Safari gives me a massive red warning, and Chrome gives me a yellow alert stating that while Chrome is safe, other system apps are not. If you wish to use Firefox or some other browser, check if the browser is safe first before using it.

(UPDATE: The Mac bug is fixed now. Go to the AppStore, Updates section, wait for it to refresh and install the update.)

So what does this mean for you, the end user? It means that you must update to the latest version your device supports, to fix it. The iOS 6.1.6 update supports only the iPhone 3GS and the iPod Touch 4G, and the iOS 7.0.6 update supports the iPhone 4 upwards as well as the iPod Touch 5G.

For you to do this, just head over to Settings>General>Software  Update on your device, then download it and install it OTA (Over The Air). If your device does not have enough space for an OTA update, plug it into your computer, launch iTunes, and click “Check for Updates”.

There are some of you who are still on iOS 6 but using devices not supported by iOS 6.1.6 (i.e. an iPhone 4 upwards or an iPod Touch 5G), presumably because you do not like iOS 7. My personal recommendation is that you update, and update ASAP, because this security flaw is now out in the open, and hackers who previously did not know of it now do, and will certainly attempt to intercept your login details as they are being transferred over the internet. If you do not update, then you are at risk of theft of your login details, credit card details, and more.

What about the jailbreakers? Good news for you (and me), it seems that Apple has not fixed the Evasi0n exploits needed to jailbreak iOS 7, so you can update, then rejailbreak. You can grab the latest Evasi0n jailbreak tool from here, which has been updated to support iOS 7.0.6.  Sadly, this is a time consuming process as it requires you to backup everything, and start anew. You could try using PkgBackup to back up your Cydia packages, so the restore process would be made less torturous but there is another way! *cue dramatic music*

Ryan Petrich, a renowned iOS developer, has come up with a Cydia package that allows those of you not on iOS 7.0.6 to fix the SSL vulnerability without updating to it. I am unsure whether it works on iOS 6, but you can try installing it (although even if you can install it, there is a chance it may not work and you would not know that it does not work).

Here are the steps to install it:

1. Go to Cydia>Manage>Sources and add http://rpetri.ch/repo/

2. Search for SSLPatch. Verify that it is by the repo you just added.

3. Install it, and respring.

I personally used this method because it’s way more convenient. I do not have the time to go and update and restore everything, and I doubt many do as well, so this method does help quite a bit. However, there is a vulnerability to using this method. If your phone is in Safe Mode and you are using the internet, then, like many tweaks, this would (likely) not work. Therefore you would be unprotected. Just ensure that you do not use your phone when in safe mode, and you should be fine.

tl;dr: Update to iOS 7.0.6 or iOS 6.1.6 NOW. And try not to use public WiFi on your MacBooks as they are still susceptible.

Tell your friends, tell your family, tell everyone but your biggest enemy (well, tell him too), to update their devices to iOS 7.0.6. Share this article with your loved ones, and hopefully this article will convince them to update, and our data will be safe once more.

Until the next security flaw, that is.

UPDATE: The Mac SSL bug is fixed now. Go to the AppStore, enter Updates section, wait for it to refresh and install the update. It will require a reboot. 

Leave a Reply