SAN FRANCISCO — A security flaw could allow email and passwords to be intercepted from millions of iPhones, according to a iOS update released by Apple on Friday.
On Friday, Apple released iOS 7.0.6, a patch for the issue. The flaw in previous iOS versions could allow hackers ”with a privileged network position” to “capture or modify data in sessions protected by SSL/TLS.”
The flaw exploits a possibly vulnerability with security certificates signed by “trusted certificate authorities.”
The patch was released for iPhones 4 and 5, the fifth generation iPod touch and iPad 2 and later.
Most phones, iPods and iPads will update automatically, but you should check your iOS 7 settings and make sure you have the latest update.
To update your software, go to: Settings > General > Software Update. It’s recommended you have at least 50 percent battery and be connected to WiFi before updating your device.
Left unfixed, hackers could potentially read private communications sent over Apple devices: emails, instant messages, social media posts and even online bank transactions.
But experts say it’s unlikely any hackers did, since the vulnerability was first disclosed when Apple released a security patch over the weekend.
Without the patch, a hacker could be what experts call a man-in-the-middle — it’s like a game of Telephone you don’t even know you’re playing.
“Alice wants to communicate securely with Bob,” explained Nathan Sportsman, a mobile security expert and CEO of Praetorian. But Eve, a hacker, uses this vulnerability to put herself between the two. “Now Alice is talking to Eve and Eve is talking to Bob,” he explained. Alice and Bob think they’re talking to each other privately.
This lets hackers view the communications, such as bank deposits or Facebook posts. If they intercept a username and password, the hacker could return to your account later and cause more damage, Sportsman said.
Hackers can also modify the transmission, said Dmitri Alperovitch, the chief technology officer at the security firm CrowdStrike.
For the most part, Alperovitch said, the hacking ability is limited to people who are on the same network as the hacker — such as in a coffee shop or on an airplane.
He said Apple users should make sure their device is updated with the newly issued software before next connecting to a public wireless network. He recommended owners of Apple computers wait until an update is available before using it on a public network.
And if you’re already tapped into an insecure network, sign off, then perform the update, Alperovitch said. Otherwise hackers could corrupt the update as it travels to your phone.
Editor’s note: There are a few reports that some iPhone 5s and iPad Air users have had trouble with the latest update. Apple has not officially confirmed this issue. Read more here.