On The Heels of Air Force Switch to iPhone, Apple Announces Serious Flaw in their SSL Implementation

    Fresh off the announcement that the United States Air Force is trading in its BlackBerrys for Apple's iPhone comes an announcement from Cupertino that it has discovered a serious security flaw in its SSL/TLS implementation, affecting not only OS X but its iOS-powered devices as well.

    In a support document accompanying the patch for this problem, Apple noted that the bug would allow "an attacker with a 'privileged network position' to capture or modify data protected by SSL/TLS."

    The security firm CrowdStrike goes into more detail about how serious the flaw is:

    To pull off the attack an adversary has to be able to Man-in-the-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake.

    This enables an adversary to masquerade as a trusted remote endpoint, such as your favorite webmail provider, and perform full interception of encrypted traffic between you and the destination server, as well as giving them the capability to modify the data in flight (such as delivering exploits to take control of your system).
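    The CrowdStrike description above boils down to one requirement on any TLS client: the server's certificate must be required, its chain validated against trusted roots, and its name checked against the host being contacted, every time, on the initial handshake. The following is an added example (not code from the article, Apple or CrowdStrike) that uses Python's standard `ssl` module to show the hardened client configuration beside the weakened one and to audit a context for the protections a man-in-the-middle relies on being absent. It generalises beyond Apple's stack to any TLS client; the function names `hardened_client_context`, `weak_client_context`, `audit_context` and `open_verified` are my own.

```python
import socket
import ssl

# Added example, not from the original post. The point of the flaw described
# above is that a client silently accepted a server it should have rejected.
# These helpers make the opposite explicit: a context either enforces
# certificate and hostname verification, or the code refuses to connect.


def hardened_client_context() -> ssl.SSLContext:
    """Client context with chain validation and hostname checking enabled."""
    # create_default_context() loads the system trust store and sets
    # verify_mode=CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The anti-pattern: TLS with the authentication step switched off.

    The tunnel is still encrypted, but to whoever answered, which is exactly
    the position a man-in-the-middle wants to be in.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means verification is enforced."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed (minimum_version < TLSv1_2)")
    return findings


def open_verified(host: str, port: int = 443, ctx: ssl.SSLContext = None) -> ssl.SSLSocket:
    """Connect only through a context that passes the audit.

    Raises ValueError before touching the network if verification is off,
    so a misconfigured context cannot be used by accident.
    """
    ctx = ctx or hardened_client_context()
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing to connect: " + "; ".join(problems))
    raw = socket.create_connection((host, port))
    # server_hostname is what the certificate's name is checked against.
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("weak:", audit_context(weak_client_context()))
```

    `open_verified` is the shape a defender wants in application code: the audit runs before the socket is opened, so a context that has had `check_hostname` or `verify_mode` relaxed "just for testing" cannot quietly reach production traffic.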

    This security flaw and its potential for exploitation only hammers home what BlackBerry said in a press release last week in response to the USAF announcement of its switch to iPhone:

    The ongoing threat of cyber attacks requires organizations to be vigilant about mobile security. For customers that have the highest security requirements, such as those in government, there is nothing more secure than a BlackBerry device managed by a BlackBerry Enterprise Server.

    There is a clear reason why BlackBerry has more government certifications than any other vendor, and is the only enterprise mobility management vendor and handset maker to receive the Department of Defense "Authority to Operate" certification. Security is built into everything we do, and we've been doing it longer and better than anyone else.

    Perhaps this will cause the USAF to pause and rethink its decision. Given BlackBerry's history of providing secure communications for the DoD, the better move for the "Aim High" folks would be to upgrade their aging fleets of Bolds and Curves to Q10s, Z10s and Z30s.

    If it's good enough for the Commander-in-Chief, shouldn't a BlackBerry be good enough for the guy (or girl) flying him around in Air Force One?
