A lot has been said about the severe ramifications of the SSL certificate validation bug (dubbed ‘gotofail’) that Apple fixed in iOS 7.0.6 and iOS 6.1.6. In a nutshell, it allowed nearby attackers to monitor the victim’s network activity via a man-in-the-middle attack. And although on its own that doesn’t seem particularly disturbing, the “sting in the tail” is that, due to the way Apple’s SSL library worked, a successful attack could also intercept and decrypt SSL traffic without the victim’s knowledge or consent. In other words, sensitive services such as banking, email and internal corporate apps could be easily compromised by an attacker who exploited the ‘gotofail’ bug.
A significant aspect of the vulnerability that calls for consideration is the amount of time this bug was exploitable without a fix. The bug was introduced in iOS 6.0, which was released in mid-September 2012, and was fixed in iOS 7.0.6/6.1.6. That means it was around for nearly one-and-a-half years before Apple patched it.
That’s a lot of time to be vulnerable. When you think about it, this story is not only about being vulnerable; it is also about knowing when we are being attacked. At the end of the day, security is about risk management. In today’s world, where mobile IDS and IPS solutions are still rare, both organizations and individual consumers suffer from a visibility challenge. Organizations in particular often have trouble building up a realistic overall picture of their mobile fleet’s security status. That’s a lot of potential exposure.
Here at Skycure we were curious as to how our mobile IDS/IPS solution handled the bug while it was at large. We were happy to confirm that the Skycure solution was able to identify and protect against attacks exploiting the ‘gotofail’ bug, even before we had learned about it. So our customers were protected throughout.