Last week Apple released a new version of iOS (version 7.0.6) that fixes a major security vulnerability. CVE-2014-1266 is a flaw in the way iOS verifies the identity of servers on the internet: during an SSL/TLS handshake the affected code skipped the check of the server's signature on its key-exchange parameters, so the device would complete a "secure" connection with whoever happened to be on the network path. Many applications correctly assume that the network their data travels over is insecure and therefore use an encryption protocol (SSL/TLS) to add a layer of protection on top of these untrusted networks. This flaw, however, lets an attacker pretend to be a server he isn't; the device then encrypts its traffic to the attacker rather than to the real server, so the attacker can read the sensitive information in the clear and forward it on without the user noticing. Usernames, passwords and session tokens are routinely sent over SSL/TLS channels, so the potential data loss from this flaw is significant. The same bug also exists in OS X 10.9 (fixed in 10.9.2), so Macs should be included in any remediation effort.
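To show what "skipped the check" actually looks like, here is an added illustration of the control-flow defect behind CVE-2014-1266. It is not Apple's Secure Transport source: the function and step names, the toy hash and the "signature" are assumptions chosen to keep the example self-contained. What it preserves is the published bug pattern, a chain of `if ((err = step()) != 0) goto fail;` lines in which one `goto fail;` was duplicated, so execution jumps to the cleanup label with `err` still 0 (success) before the signature is ever verified.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration of the CVE-2014-1266 "goto fail" pattern.
 * NOT Apple's code: names, the toy hash and the toy signature are assumptions. */

typedef int OSStatus;
enum { errNone = 0, errBadSignature = -9809 };   /* error code value is an assumption */

/* Toy stand-ins for the hash update / finalize steps (always succeed). */
static OSStatus hash_update(uint32_t *h, const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        *h = (*h * 31u) ^ buf[i];
    return errNone;
}

static OSStatus hash_final(uint32_t *h, uint32_t *out)
{
    *out = *h;
    return errNone;
}

/* Toy "signature": the server is expected to present the hash of the
 * parameters. In real TLS this is an RSA/ECDSA signature over the
 * ServerKeyExchange parameters, checked against the server certificate. */
static OSStatus verify_signature(uint32_t hash, uint32_t sig)
{
    return hash == sig ? errNone : errBadSignature;
}

/* Vulnerable form: the duplicated goto is unconditional, so hash_final and
 * verify_signature are never reached and err (still errNone) is returned
 * for ANY signature value. */
OSStatus verify_server_key_exchange_vuln(const uint8_t *params, size_t len, uint32_t sig)
{
    OSStatus err;
    uint32_t ctx = 5381u, hash = 0;

    if ((err = hash_update(&ctx, params, len)) != 0)
        goto fail;
        goto fail;            /* the extra line: always taken, err == 0 */
    if ((err = hash_final(&ctx, &hash)) != 0)
        goto fail;
    err = verify_signature(hash, sig);   /* dead code in this version */

fail:
    return err;
}

/* Fixed form: stray goto removed and every branch braced, so an
 * indentation slip can no longer silently change control flow. */
OSStatus verify_server_key_exchange_fixed(const uint8_t *params, size_t len, uint32_t sig)
{
    OSStatus err;
    uint32_t ctx = 5381u, hash = 0;

    if ((err = hash_update(&ctx, params, len)) != 0) {
        goto fail;
    }
    if ((err = hash_final(&ctx, &hash)) != 0) {
        goto fail;
    }
    err = verify_signature(hash, sig);

fail:
    return err;
}

/* Hash a legitimate server would "sign" over the constructed parameters. */
uint32_t toy_hash(const uint8_t *params, size_t len)
{
    uint32_t ctx = 5381u, out = 0;
    hash_update(&ctx, params, len);
    hash_final(&ctx, &out);
    return out;
}

/* Constructed sample input standing in for ServerKeyExchange parameters. */
static const uint8_t kParams[] = "constructed ServerKeyExchange params";

/* A man-in-the-middle presents his own parameters with a bogus signature. */
bool vuln_accepts_forgery(void)
{
    uint32_t forged = toy_hash(kParams, sizeof kParams) ^ 1u;
    return verify_server_key_exchange_vuln(kParams, sizeof kParams, forged) == errNone;
}

bool fixed_rejects_forgery(void)
{
    uint32_t forged = toy_hash(kParams, sizeof kParams) ^ 1u;
    return verify_server_key_exchange_fixed(kParams, sizeof kParams, forged) == errBadSignature;
}

bool fixed_accepts_genuine(void)
{
    uint32_t genuine = toy_hash(kParams, sizeof kParams);
    return verify_server_key_exchange_fixed(kParams, sizeof kParams, genuine) == errNone;
}

int main(void)
{
    printf("vulnerable version accepts forged signature: %d\n", vuln_accepts_forgery());
    printf("fixed version rejects forged signature:      %d\n", fixed_rejects_forgery());
    printf("fixed version accepts genuine signature:     %d\n", fixed_accepts_genuine());
    return 0;
}
```

The takeaway for anyone writing similar code: always brace single-statement `if` bodies, and build with `gcc -Wall`, whose `-Wmisleading-indentation` check (added in GCC 6 in response to this very bug) flags the vulnerable function above. Note the defect is purely one of control flow; no cryptographic weakness is involved, and the attacker never needs the real server's private key.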
To reduce the risk from this vulnerability until devices are patched, notify employees using vulnerable devices that they shouldn't connect to public WiFi access points. It's nearly impossible to tell legitimate public access points from those set up to intercept traffic, so devices that are vulnerable to this attack should stay on trusted private networks. Keep in mind that this only lowers exposure: the attack works from anywhere on the network path between the device and the server, not just from a rogue access point. The real fix is to have your employees update their devices to iOS 7.0.6 (or iOS 6.1.6 for older devices that can't run iOS 7, and OS X 10.9.2 on Macs). Don't assume that employees will update their devices on their own to address this issue. Mobilisafe data shows that even more than a week after the release of iOS 7.0.6, over 50% of active iOS devices are still running vulnerable firmware. Often employees are unaware of the implications of these security updates, and since the release contains no new feature they're looking for, they simply ignore the notification from Apple.