UPDATE: January 28, 2013
Coincidentally, iOS 6.1 includes a security fix for a DoS Wi-Fi vulnerability (CVE-2012-2619) whose advisory was published on October 23, 2012, by Core Security (including a PoC), affecting the Broadcom Wi-Fi chipset of iPhone 3GS (BCM4325), iPhone 4, iPad and iPad 2 (BCM4329), as well as other Apple and non-Apple mobile devices.
NOTE: This article was cross-posted on the SANS Penetration Testing blog edited by Ed Skoudis.
This blog post is a follow-up on the concerns regarding Apple's iOS updates, and the potential improvements, raised in a previous SANS Penetration Testing blog post by Josh Wright, titled "Apple's Combined Patching", published in October 2012.
Since the release of iOS 6 last year, Apple has published iOS 6.0.1 and then iOS 6.0.2. The main concern with iOS 6
(Sep 19, 2012) was the huge number of security flaws fixed in a single
version (197), plus the combination of platform changes and security
patches rolled into a single update. The iOS 6.0.1 update
(Nov 1, 2012) included fixes for four specific security flaws, with
their corresponding CVEs, plus other non-security rated bug fixes, like
one that improves Wi-Fi reliability for WPA2 networks. And then... iOS 6.0.2 was released on Dec 18, 2012, one month ago today.
The iOS 6.0.2 update is neither listed on the Apple Security Updates webpage nor on the Apple Product Security Announce mailing list,
so one could assume it is a non-security related update, but... are we
sure? The truth is: we as a community don't really know, as Apple
hasn't provided any information about security issues addressed in this
update! The iOS 6.0.2 update page only says that it "Fixes a bug that could
impact Wi-Fi."
Gosh! Thanks for almost nothing, guys. It is hard to think of a
software update description that could be less useful, unless you remove
the last four words, leaving simply "Fixes a bug". Still today, one month
after its release date, a significant number of IT people are not aware
of the update, and hardly anybody has any related details. In the same
way we learned a decade ago about the importance of separating
functionality updates from security patches, we also learned about the
importance of getting descriptive and actionable security update
details.
With such limited information, if you turn to the
community (sometimes a questionable source of trustworthy information)
to find more details about the update, you find all kinds of
reports and very long Apple forum threads,
from people whose iOS 6 device couldn't connect to any Wi-Fi network
and required 6.0.2 to use Wi-Fi, to just the opposite: people who
cannot connect after updating to 6.0.2. Supposedly the 6.0.2 update
fixes various Wi-Fi connectivity issues introduced by iOS 6, but it
additionally may impact battery life,
an issue that could be associated with a change in the Wi-Fi behavior
related to the mysterious bug that shall not be named (at least by our
friends in Cupertino in their patch description).
Back to the
original question... are there any security implications to this
software update considering it fixes an undocumented Wi-Fi related bug?
Wi-Fi is one of the most, if not the most (together with 2/3/4G mobile
communications), relevant communication mechanisms for mobile devices
today. As we cover in detail in the SANS SEC575: Mobile Device Security and Ethical Hacking training class,
modern mobile devices are affected by various security weaknesses in
their Wi-Fi capabilities, even when using enterprise Wi-Fi networks.
Since we do not have official details about this update... when is a
software update considered security related?
By default, when multiple known Wi-Fi networks are available, iOS devices connect to the last-used network. However, there are reports
of iOS 6 devices prioritizing open networks over secure networks. From
my perspective, this behavior has some rather serious security
implications. It is not possible to know yet if this is the bug fixed by
6.0.2, or any other of the multiple Wi-Fi connection issues reported
all over the Internet (not including here the fact that the Apple web testing page
used by iOS devices to discover if they are under a Wi-Fi captive
portal was not available for some time and was the cause of some of
these connectivity problems). Troubleshooting Wi-Fi issues is not a
trivial task, as multiple factors can influence the testing, such as
nearby signals, radio frequency glitches, or even the frequency band
used by the access points (2.4 or 5 GHz).
In the SANS SEC575
class, when we cover the security of the iOS mobile device platform,
people frequently try to validate the following statement: "So, can we
say that the latest (mobile device) hardware models are more secure?" If
they can answer in the affirmative, they have a solid business argument
to ask their boss for the latest and greatest mobile device model! In
many cases, the statement is indeed true, as earlier models are left in
the dust unable to run the latest patched versions of mobile device
software. Leaving business and marketing strategies aside, today's
mobile device security is a mix of hardware, firmware, and software
updates, where the latest hardware models implement security protections
not available in previous models. But the update cycle is shockingly
short, making the PC upgrade cycle of two to four years look like a
snail's pace.
Besides Apple, other mobile device platforms also
present relevant weaknesses in their security update processes. Platform
fragmentation and the lack of timely updates are a major concern,
especially for Android devices. Unfortunately, the security maturity
level of the mobile world today is still a decade behind in many
aspects. We need to learn from history, and apply, to the mobile world,
the best practices we have learned!
Should users and enterprises
update to iOS 6.0.2 for security reasons? The truth is: we don't know!
Should Apple provide more detailed descriptions about software updates?
Yes, absolutely. For the love of all things Apple and the security
community: please, please, please arm us with the information we need to
make intelligent decisions about patching and securing our devices. Am I
holding my breath? No.
Thursday, January 24, 2013