News

Actions

Apple issues fix for security flaw

Posted at 7:25 PM, Feb 23, 2014
and last updated 2014-02-23 19:25:35-05

NEW YORK (CNNMoney) — Security experts say Apple has patched a hole that could have exposed sensitive information to hackers.

Left unfixed, hackers could potentially read private communications sent over Apple devices: emails, instant messages, social media posts and even online bank transactions.

But experts say it’s unlikely any hackers did, since the vulnerability was first disclosed when Apple released a security patch over the weekend.

The patch fixes the issue in the most recent software available for iPhones, iPads and iPod Touches.

A fix is not yet available for the OS X software, the operating system for Apple computers.

Without the patch, a hacker could be what experts call a man-in-the-middle — it’s like a game of Telephone you don’t even know you’re playing.

“Alice wants to communicate securely with Bob,” explained Nathan Sportsman, a mobile security expert and CEO of Praetorian. But Eve, a hacker, uses this vulnerability to put herself between the two. “Now Alice is talking to Eve and Eve is talking to Bob,” he explained. Alice and Bob think they’re talking to each other privately.

This lets hackers view the communications, such as bank deposits or Facebook posts. If they intercept a username and password, the hacker could return to your account later and cause more damage, Sportsman said.

Hackers can also modify the transmission, said Dmitri Alperovitch, the chief technology officer at the security firm CrowdStrike.

For the most part, Alperovitch said, the hacking ability is limited to people who are on the same network as the hacker — such as in a coffee shop or on an airplane.

He said Apple users should make sure their device is updated with the newly issued software before next connecting to a public wireless network. He recommended owners of Apple computers wait until an update is available before using it on a public network.

And if you’re already tapped into an insecure network, sign off, then perform the update, Alperovitch said. Otherwise hackers could corrupt the update as it travels to your phone.