Apple updated iOS to version 9.3 yesterday, and it’s a major release.
Although Apple is boasting about new features in iOS 9.3 that may or may not appeal to you – such as Night Shift, a feature that supposedly helps you sleep better by changing the backlight on your device depending on the time of day – you’ll definitely want to get the update based on the security fixes alone.
The update fixes 27 security vulnerabilities, affecting iPhone 4s and later, iPad 2 and later, and iPod Touch (5th generation).
Apple doesn’t rate the severity of the vulnerabilities, as Google does for Android security updates, but several of the bugs should be considered critical because an attacker could exploit them to execute arbitrary code on your device with kernel privileges (which is like having an uber-administrator login).
Another now-fixed serious vulnerability makes your iMessages vulnerable to an attacker who could intercept and read your encrypted photos, videos and other attachments.
Or, as Apple says, an attacker who could “bypass Apple’s certificate pinning, intercept TLS connections, inject messages, and record encrypted attachment-type messages may be able to read attachments.”
This bug has attracted more attention than the rest because the bug-finders, cryptography researcher Matthew Green and a team of students at Johns Hopkins University, made a media splash about it before Apple’s fix was out.
Drastically simplified, the researchers found a method for intercepting an encrypted iMessage with a link to a file stored in Apple’s iCloud, and used special software to make thousands of guesses to crack the encryption keys of individual files.
As my colleague Paul Ducklin explained yesterday in his article about the bug, this attack doesn’t crack your iPhone or your iMessages wide open, but seems to require an attacker to recover photos or videos one-by-one by effectively cracking a cryptographic secret for each one.
Still, any chink in a system’s cryptographic armor is bad news and any bug that might give a hacker, spy – or law enforcement – a way to read your encrypted iMessages is a backdoor, and should be taken seriously.
Plus, the vulnerability affects more than just iMessage attachments, according to one of the researchers who tweeted that “Apple had to fix other apps, but won’t say what.”
This security flaw also has relevance to the ongoing debate over encryption backdoors.
One of the researchers, Ian Miers, told Wired that encryption backdoors for law enforcement would undermine the effectiveness of encryption overall:
The real message is that encryption is hard. People thought iMessage was secure, and wanted to add ways for law enforcement to get access to it. It’s hard [to protect data] even when you don’t do that. When you do, you make it even harder.
The update to iOS 9.3 is 222 MB in size and may cause your device to reboot several times, so plan accordingly.
Image of iPhone courtesy of guteksk7 / Shutterstock.com.
JR
The concern now becomes… do we trust this update to NOT give government a new backdoor? Quite frankly, with all the hubbub regarding Apple’s refusal to assist in cracking their own devices, might this all be a ruse to falsely encourage confidence in Apple?
Paul Ducklin
So what you’re saying is that anyone who caves in to government demands for backdoors is a sellout. And anyone who doesn’t cave in is just pretending, and is a sellout.
To be fair, if you think that way, you’re probably selling *yourself* out, because you won’t install the update and so you will have the iMessage backdoor :-)
Bryan
I refuse to sell out and divulge to you if I had an iPhone whether I’d patch it or not.