Heartbleed, the new OpenSSL hack: How does it affect OS X and iOS?

An OpenSSL exploit leaves vulnerable countless Internet services that rely on data encryption. Is your Mac or your iOS device vulnerable?

OpenSSL is popular open source encryption software used all over the Internet. It's been in the news a lot lately, with a lot of dire warnings about what a newly discovered bug means for your personal data. Is it a threat to OS X security or iOS security? Do you need to be worried about your Mac, iPhone or iPad being vulnerable? AskDifferent:

No versions of OS X are affected (nor is iOS affected). Only installing a third party app or modification would result in a Mac or OS X program having that vulnerability / bug in OpenSSL version 1.0.x.

So Mac users can breathe a sigh of relief. iOS users are also off the hook. Apple doesn't use OpenSSL in iOS at all. Apple doesn't like OpenSSL on OS X either, thanks to what it calls an unstable API (application programming interface). The company actively dissuades registered developers from using it in its security documentation.

Apple does keep an older version of OpenSSL around that isn't vulnerable to the exploit. Safely chained to a wall. In the dungeon. It prods it with sticks now and again to make sure it's still breathing.

Oh, by the way - do you depend on iCloud for anything? Mail, maybe, or using iCloud.com apps? Syncing your data with iOS and Mac devices? You can rest assured that OpenSSL isn't an issue there, so you can rest pretty easy at this point that your Apple ID is safe.

That means we're all off the hook, right?

No. Not even close.

Apple devices are safe, but data is not

I can't overemphasize this: your Apple device may be safe, but your encrypted data may not be. This is a very big deal because it affects many of the web sites and other Internet services you use. If the service uses OpenSSL to help manage the flow of encrypted data, it may be at risk. Hit up the services you depend on to find out if OpenSSL was used to encrypt data, and make sure they're up to date. Once you know that they are, it may be wise to change passwords for additional security.

OpenSSL's vulnerability is important to understand, regardless. The flaw enables the theft of information otherwise protected by SSL/TLS encryption, making vulnerable many web sites, virtual private networks, e-mail systems and more.

It's called Heartbleed because it exploits the security protocol's "heartbeat" extension, which keeps a connection alive between the client and the service. By exploiting a flaw in that extension, a third party can decrypt and view information that the connection was supposed to protect.
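The heartbeat flaw comes down to a single missing bounds check: the 1.0.1 code echoed back as many bytes as the peer's length field declared, not as many as had actually arrived. As an added illustration (not code from this article or from OpenSSL), here is a minimal heartbeat echo handler with that check in place, beside a helper that reports the reply size the unchecked code would have used; the record layout follows RFC 6520 and the sample records are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * Heartbleed (CVE-2014-0160): OpenSSL 1.0.1 through 1.0.1f copied payload_length
 * bytes into the reply without checking that many bytes had been received, so the
 * reply carried whatever process memory sat after the short record. */
#define HB_REQUEST      1
#define HB_RESPONSE     2
#define HB_HDR_LEN      3
#define HB_MIN_PADDING  16

/* Payload length exactly as the peer declared it; never trusted on its own. */
size_t hb_declared_payload(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HDR_LEN) return 0;
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Reply size the unchecked code would have allocated and filled: header plus the
 * declared payload plus padding, regardless of rec_len. Anything past rec_len
 * would have been read from adjacent memory. */
size_t hb_unchecked_reply_len(const uint8_t *rec, size_t rec_len) {
    return HB_HDR_LEN + hb_declared_payload(rec, rec_len) + HB_MIN_PADDING;
}

/* Hardened handler: writes the echo reply into out and returns its length, or -1
 * for a malformed record. The length comparison is the check 1.0.1g added. */
long hb_build_reply(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING || rec[0] != HB_REQUEST) return -1;
    size_t payload = hb_declared_payload(rec, rec_len);
    /* Reject a declared length that exceeds what actually arrived. */
    if (HB_HDR_LEN + payload + HB_MIN_PADDING > rec_len) return -1;
    size_t reply_len = HB_HDR_LEN + payload + HB_MIN_PADDING;
    if (reply_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload);    /* echo only received bytes */
    memset(out + HB_HDR_LEN + payload, 0, HB_MIN_PADDING);  /* constructed: zero padding */
    return (long)reply_len;
}

/* Constructed sample records (not captured traffic): 3-byte payload "abc" plus
 * 16 bytes of padding. hb_good declares 3 bytes; hb_bad declares 64 bytes. */
static const uint8_t hb_good[] = {1, 0x00, 0x03, 'a', 'b', 'c',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
static const uint8_t hb_bad[]  = {1, 0x00, 0x40, 'a', 'b', 'c',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
```

For hb_bad the hardened handler refuses the record, while the unchecked sizing would have produced an 83-byte reply from a 22-byte record, the extra 61 bytes being the leak.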

Deja vu all over again

Doesn't SSL/TLS ring a bell? Just a couple of months ago Apple published updates to SSL/TLS for Mavericks, iOS 6 and iOS 7 to correct an entirely different issue related to connection verification. That was commonly known as the "GoToFail" bug.

That problem directly affected SSL/TLS connections on Apple devices for reasons unrelated to OpenSSL. But suffice it to say that 2014 hasn't been kind to SSL/TLS thus far — a security protocol that the Internet is dangerously dependent on at present.

Are you worried about seeing your encrypted data hijacked from Internet services you depend on? Let me know in the comments.

Peter Cohen
  • I'm simply not visiting any websites that contain sensitive info until Friday. By then everything should be patched and sites ready to issue new certificates. I will then be changing passwords. Is Mobile Nations patched?
  • Mobile Nations sites are safe.
  • I tend not to be an alarmist about security stuff (I have been in the IT security industry for about 20 years), but this one is pretty bad. I think your approach is pretty reasonable. I would like to see published updates from all the companies that I have sensitive data with.
  • edit ...
  • Thanks, and I'd like to suggest that this post be stuck to the top of the page for a few days etc.
  • Site on github purporting to check current vulnerability: http://filippo.io/Heartbleed/ And a list of sites scanned as vulnerable: https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt Take with appropriate sized grain of salt, or comb through the code yourself :) Sent from the iMore App
  • Changing passwords, what a royal pain in the ass. Maybe it's time to use one of those password clients. Thanks for the heads up.
  • Rushing to update passwords might not be a great idea at this juncture. http://www.theguardian.com/technology/2014/apr/09/heartbleed-dont-rush-t... Ars Technica has been covering the updates pretty exhaustively. Worth a read. The fact that even banking websites are vulnerable is what is the scariest part of all. http://arstechnica.com/security/2014/04/heartbleed-vulnerability-may-hav... Sent from the iMore App
  • Yep - which is why I noted that you should wait to find out if your service provider has updated OpenSSL before changing your password. Otherwise you may be opening yourself up to even more problems.
  • Cnet and Mashable both released lists in the last 18 hours and both indicate they're waiting on a response from Apple about this vulnerability. I am at present holding out to change my PW on all the affected sites til the weekend just so I don't have to up and do it again in another day.
  • As usual the panic and misinformation spreads like wildfire with stuff like this. On the Apple discussion forums there is a thread entitled “When will Apple fix the Heartbleed bug?” followed by comment after comment full of nonsense. There are comments stating that iOS uses the affected version of OpenSSL and is therefore vulnerable. There are people posting terminal commands to find the version of OpenSSL on their Macs. The fact that this only applies when you are running a server on OS X is lost in the pandemonium. People are confused by all the nonsense crap being offered. Some think that since OS X is “okay” they have nothing to worry about. Sheer befuddlement.