Apple released on Monday a new version of its mobile operating system and, in addition to some interesting new features, the latest version includes fixes for several security issues.
According to an advisory published by the company, one of the fixed vulnerabilities (CVE-2014-4428) could have been exploited to establish a connection from a malicious Bluetooth input device by bypassing pairing.
“Unencrypted connections were permitted from Human Interface Device-class Bluetooth Low Energy accessories. If an iOS device had paired with such an accessory, an attacker could spoof the legitimate accessory to establish a connection. The issue was addressed by denying unencrypted HID connections,” Apple said in its advisory.
Another issue addressed with the release of iOS 8.1, which has been assigned the CVE identifier CVE-2014-4448, refers to insufficient cryptographic protections applied to files transferred to a device. In previous versions of iOS, files transferred to an application’s “Documents” directory may be encrypted with a key that’s protected only by the hardware UID. In iOS 8.1, the key is protected by both the hardware UID and the user’s passcode.
A TLS certificate validation flaw affecting iCloud (CVE-2014-4449) has also been addressed. The vulnerability could have been exploited by an attacker with privileges on the network to leak sensitive iCloud data.
Another interesting bug is caused by QuickType, which can “learn” users’ credentials when switching between elements.
“This issue was addressed by QuickType not learning from fields where autocomplete is disabled and reapplying the criteria when switching between DOM input elements in legacy WebKit,” Apple said.
Carl Mehner of USAA, Jonathan Zdziarski, Kevin DeLong, and Mike Ryan of iSEC Partners have been credited for identifying the vulnerabilities.
In addition to these vulnerabilities, Apple has also disabled CBC cipher suites when TLS connection attempts fail in an effort to protect customers against the recently discovered SSL 3.0 flaw dubbed POODLE.
The SSL 3.0 vulnerability and the Bluetooth pairing bypass issue have also been addressed by the company in Apple TV with the release of version 7.0.1.
With the release of iOS 8.1, Apple has introduced Apple Pay, a new contactless payment system that should prevent fraud.
“In general, we cannot say with certainty that mobile payment systems are more secure than payment cards; only time will tell. However, as with any new addition or feature to a platform, even ones meant to enhance security, this expands the overall attack surface, making it attractive for criminals looking for vulnerabilities to exploit,” Mike Park, managing consultant at Trustwave, told SecurityWeek.
“For instance, previously mobile payments were usually done via an app or third-party add on, and only very few of these were targeted. With the introduction of this type of functionality into a platform, it makes every device a possible target,” Park added. “It’s still very early, but with this new feature attackers are likely looking to steal identities and mass harvest payment card information as they do in other platforms and verticals now. With a credit card selling for more than $100 USD in black forums, this is an incentive to go after these new containers.”
Last week, Apple released security updates for OS X to fix the POODLE flaw and several other vulnerabilities.