
New tool sniffs, intercepts vulnerable iPhone connections


Users of Apple Inc.'s iPhone and iPad mobile devices now have another reason to apply the latest patch to their devices' iOS operating system: an updated tool that can sniff and intercept their supposedly secure communications.

Software engineer-hacker Moxie Marlinspike said he has released a "10th anniversary" edition of his tool that can specifically detect, and snoop on, vulnerable devices running iOS.

"Since this is the anniversary of the bug that prompted the release of sslsniff to begin with, I've updated it to add iOS fingerprinting support (to) intercept traffic from vulnerable iPhones," he said in a blog post.

Interestingly, Marlinspike said the "sslsniff" tool exploits a vulnerability, BasicConstraints, that had been around as far back as 2002. At the time, he said, Microsoft CryptoAPI and WebKit browsers would validate signatures in a certificate chain but not the intermediate certificates. Such a setup allowed man-in-the-middle attacks that can intercept supposedly "secure" communications.

Computer security firm Sophos noted the tool came out after Apple released its latest iOS patch.

"This patch should be applied immediately if you log in to any service on your device, especially things like your bank or PayPal. Users are particularly vulnerable to this attack if they frequently use public/open WiFi," Sophos' Chester Wisniewski said in a blog post.

But he said the "really bad news" is for users of iPod Touch generation one or two, or an iPhone older than the 3GS, where the latest patches may not apply.

— TJD, GMA News
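The chain check described above, as an added Python model that is not code from sslsniff, Apple or the article: it compares a validator that checks only signatures with one that also requires the basicConstraints CA flag on every issuing certificate. The `Cert` class, key bytes and host names are constructed for the example, and HMAC stands in for real certificate signatures.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class Cert:
    subject: str
    issuer: str
    key: bytes        # stand-in for the subject's key pair (assumption)
    is_ca: bool       # models the basicConstraints CA flag
    sig: bytes = b""

    def tbs(self):
        # "To be signed" fields: everything except the signature itself.
        return f"{self.subject}|{self.issuer}|{self.is_ca}".encode() + self.key

def sign(cert, issuer_key):
    cert.sig = hmac.new(issuer_key, cert.tbs(), hashlib.sha256).digest()
    return cert

def sig_ok(cert, issuer):
    expected = hmac.new(issuer.key, cert.tbs(), hashlib.sha256).digest()
    return cert.issuer == issuer.subject and hmac.compare_digest(cert.sig, expected)

def validate_signatures_only(chain, trusted_root):
    """Flawed check: each link's signature verifies, nothing else is asked."""
    issuers = chain[1:] + [trusted_root]
    return all(sig_ok(c, i) for c, i in zip(chain, issuers))

def validate_with_basic_constraints(chain, trusted_root):
    """Corrected check: any certificate that issued another must be a CA."""
    issuers = chain[1:] + [trusted_root]
    return all(sig_ok(c, i) and i.is_ca for c, i in zip(chain, issuers))

def build_samples():
    """Constructed chains, ordered leaf first, root supplied separately."""
    root = sign(Cert("Root CA", "Root CA", b"k-root", True), b"k-root")
    inter = sign(Cert("Issuing CA", "Root CA", b"k-int", True), b"k-root")
    site = sign(Cert("shop.example", "Issuing CA", b"k-site", False), b"k-int")
    # An ordinary site certificate (CA flag false) placed mid-chain as issuer.
    leaf = sign(Cert("other.example", "Issuing CA", b"k-leaf", False), b"k-int")
    bogus = sign(Cert("shop.example", "other.example", b"k-x", False), b"k-leaf")
    return root, [site, inter], [bogus, leaf, inter]

if __name__ == "__main__":
    root, good, bad = build_samples()
    for name, chain in (("legitimate", good), ("non-CA issuer", bad)):
        print(name, validate_signatures_only(chain, root),
              validate_with_basic_constraints(chain, root))
```

Both validators accept the legitimate chain; only the signature-only validator accepts the chain in which a non-CA certificate acts as an issuer.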