Thursday, January 24, 2013

Apple's Skimpy Software Update Descriptions

UPDATE: January 28, 2013
Coincidentally, iOS 6.1 includes a security fix for a DoS Wi-Fi vulnerability (CVE-2012-2619) whose advisory was published on October 23, 2012, by Core Security (including a PoC), affecting the Broadcom Wi-Fi chipset of iPhone 3GS (BCM4325), iPhone 4, iPad and iPad 2 (BCM4329), as well as other Apple and non-Apple mobile devices.

NOTE: This article was cross-posted on the SANS Penetration Testing blog edited by Ed Skoudis.

This blog post is a follow-up on the concerns regarding Apple's iOS updates and potential improvements raised in a previous SANS Penetration Testing blog post by Josh Wright, titled "Apple's Combined Patching", published in October 2012.

Since the release of iOS 6 last year, Apple has published iOS 6.0.1 and then iOS 6.0.2. The main concern with iOS 6 (Sep 19, 2012) was the huge number of security flaws fixed in a single version (197), plus the combination of platform changes and security patches rolled into a single update. The iOS 6.0.1 update (Nov 1, 2012) included fixes for four specific security flaws, with their corresponding CVEs, plus other non-security-rated bug fixes, like one that improves Wi-Fi reliability for WPA2 networks. And then... iOS 6.0.2 was released on Dec 18, 2012, one month ago today.

The iOS 6.0.2 update is listed neither on the Apple Security Updates webpage nor on the Apple Product Security Announce mailing list, so one could assume it is a non-security-related update, but... are we sure? The truth is: we, as a community, don't really know, as Apple hasn't provided any information about security issues addressed in this update! The iOS 6.0.2 update page only says "Fixes a bug that could impact Wi-Fi.":

Gosh! Thanks for almost nothing, guys. It is hard to think of a software update description that could be less useful, unless you remove the last four words, leaving simply "Fixes a bug". Still today, one month after its release date, a significant number of IT people are not aware of the update, and hardly anybody has any related details. In the same way we learned a decade ago about the importance of separating functionality updates from security patches, we also learned about the importance of getting descriptive and actionable security update details.

With such limited information, if one turns to the community (sometimes a questionable source of trustworthy information) trying to find more details about the update, you can find all kinds of reports and very long Apple forum threads: from people whose iOS 6 device couldn't connect to any Wi-Fi network and required 6.0.2 to use Wi-Fi, to just the opposite, people who cannot connect after updating to 6.0.2. Supposedly the 6.0.2 update fixes various Wi-Fi connectivity issues introduced by iOS 6, but it additionally may impact battery life, an issue that could be associated with a change in the Wi-Fi behavior related to the mysterious bug that shall not be named (at least by our friends in Cupertino in their patch description).

Back to the original question... are there any security implications to this software update, considering it fixes an undocumented Wi-Fi-related bug? Wi-Fi is one of the most, if not the most (together with 2/3/4G mobile communications), relevant communication mechanisms for mobile devices today. As we cover in detail in the SANS SEC575: Mobile Device Security and Ethical Hacking training class, modern mobile devices are affected by various security weaknesses in their Wi-Fi capabilities, even when using enterprise Wi-Fi networks. Since we do not have official details about this update... when is a software update considered security-related?

By default, when multiple known Wi-Fi networks are available, iOS devices connect to the last-used network. However, there are reports of iOS 6 devices prioritizing open networks over secure networks. From my perspective, this behavior has some rather serious security implications. It is not yet possible to know whether this is the bug fixed by 6.0.2, or any other of the multiple Wi-Fi connection issues reported all over the Internet (not counting here the fact that the Apple web testing page used by iOS devices to discover whether they are behind a Wi-Fi captive portal was unavailable for some time and was the cause of some of these connectivity problems). Troubleshooting Wi-Fi issues is not a trivial task, as multiple factors can influence the testing, such as nearby signals, radio frequency glitches, or even the frequency band used by the access points (2.4 or 5 GHz).

In the SANS SEC575 class, when we cover the security of the iOS mobile device platform, people frequently try to validate the following statement: "So, can we say that the latest (mobile device) hardware models are more secure?" If they can answer in the affirmative, they have a solid business argument to ask their boss for the latest and greatest mobile device model! In many cases, the statement is indeed true, as earlier models are left in the dust, unable to run the latest patched versions of mobile device software. Leaving business and marketing strategies aside, today's mobile device security is a mix of hardware, firmware, and software updates, where the latest hardware models implement security protections not available in previous models. But the update cycle is shockingly short, making the PC upgrade cycle of two to four years look like a snail's pace.

Besides Apple, other mobile device platforms also present relevant weaknesses in their security update processes. Platform fragmentation and the lack of timely updates are a major concern, especially for Android devices. Unfortunately, the security maturity level of the mobile world today is still a decade behind in many aspects. We need to learn from history and apply to the mobile world the best practices we have already learned!

Should users and enterprises update to iOS 6.0.2 for security reasons? The truth is: we don't know! Should Apple provide more detailed descriptions of software updates? Yes, absolutely. For the love of all things Apple and the security community: please, please, please arm us with the information we need to make intelligent decisions about patching and securing our devices. Am I holding my breath? No.