Handshake: a signifier of trust

A flaw in the latest versions of both iOS and macOS could enable hackers to take over Apple devices and use them in a DDoS attack.

According to security researcher Maksymilian Arciemowicz, both the mobile and desktop operating systems have a weak OCSP validation process that allows attackers to send OCSP requests (up to 200k) in the name of the victim during a MitM attack.

The vulnerability affects both Apple macOS 10.12.1 and iOS 10.

He said that Apple's SecureTransport trusts and checks OCSP URLs without verifying the certificate authority or common name, among other things.

“[The] attacker is able to create self-sign certificate with huge list of OCSP URLs in order to trigger network traffic before inform[ing the] user about untrusted certificate,” he said in a blog post.

Arciemowicz said the attack scenario is trivial. “The attacker sends victim a link to some resource e.g. image through SSL like <img src="https://abuse.cert.cx/noexists.jpg"> and OS's victim will perform a few thousand requests to OCSP URLs.”

He said the attack may be directed to a third party resource, so that many users unknowingly become part of a DDoS attack. One HTTPS request can trigger several thousand other HTTPS requests.

Another scenario assumes extension of handshake time. “Observed timeout of OCSP requests to seven seconds. However, you can try to increase the size of the OCSP response. In order to consume network bandwidth,” said Arciemowicz.

“In the case of the iPhone, restart Safari will not stop defective handshake. Similarly, in macOS. It's recommend[ed] to restart device or disconnect from network until all OCSP requests will expire,” he warned.

Alex Mathews, EMEA technical manager at Positive Technologies, told SCMagazineUK.com that the minimum consequence of the flaw is participation in a DDoS attack.

“If the attacked application is highly reliant on HTTP, it may be possible to steal users' credentials or perform some actions on his behalf (e.g. using web app cache poisoning).

“Organisations can prevent DDoS attacks from their network by lowering bandwidth of outbound OCSP requests. To protect servers from DDoS (coming from outside) inbound OCSP requests should be blocked. Also blocking malware certificates on firewall is a good idea,” he said.

“If you are using MacOS you can disable OCSP certificate validation until the patch release. Unfortunately iOS has no option to disable certificate validation using OCSP. In addition iOS and MacOS users should not visit unknown URLs and not use untrusted proxies, VPNs or Wi-Fi access points to protect themselves from MitM.”
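Limiting outbound OCSP traffic, as suggested above, starts with knowing which clients are producing it. The following is an added example, not code from the article or the researcher: it scans proxy log lines for clients that emit a burst of OCSP requests inside a short window. The log format, thresholds, addresses and host names are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed (constructed) log format: "<epoch> <client_ip> <dest_host> <content_type>"
OCSP_TYPES = {"application/ocsp-request", "application/ocsp-response"}  # RFC 6960
WINDOW = 10.0       # seconds; assumption, slightly above the 7 s timeout quoted above
MAX_REQUESTS = 50   # assumption: a normal handshake needs only a few OCSP lookups
MAX_HOSTS = 10      # assumption: distinct responder hosts per client per window

def parse(line):
    """Return (timestamp, client, host) for OCSP entries, None for anything else."""
    parts = line.split()
    if len(parts) != 4 or parts[3].lower() not in OCSP_TYPES:
        return None
    try:
        return float(parts[0]), parts[1], parts[2].lower()
    except ValueError:
        return None  # malformed timestamp: skip the line rather than crash

def find_ocsp_bursts(lines):
    """Return {client: (peak_requests, peak_hosts)} for clients over either limit.
    Lines are expected in timestamp order."""
    recent = defaultdict(deque)  # client -> (timestamp, host) pairs inside the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, client, host = rec
        q = recent[client]
        q.append((ts, host))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()  # drop entries that fell out of the sliding window
        hosts = len({h for _, h in q})
        if len(q) > MAX_REQUESTS or hosts > MAX_HOSTS:
            peak = flagged.get(client, (0, 0))
            flagged[client] = (max(peak[0], len(q)), max(peak[1], hosts))
    return flagged

def sample_log():
    """Constructed sample: one ordinary client, one client flooding 40 responders."""
    ocsp = "application/ocsp-request"
    lines = [f"{1000 + i * 60} 10.0.0.5 ocsp.ca-one.example {ocsp}" for i in range(5)]
    lines += [f"{1010 + i * 30} 10.0.0.5 www.site.example text/html" for i in range(5)]
    lines += [f"{2000 + i * 0.01:.2f} 10.0.0.9 r{i % 40}.resp.example {ocsp}" for i in range(300)]
    return sorted(lines, key=lambda l: float(l.split()[0]))

if __name__ == "__main__":
    for client, (reqs, hosts) in find_ocsp_bursts(sample_log()).items():
        print(f"{client}: {reqs} OCSP requests to {hosts} responders within {WINDOW:.0f}s")
```

Flagged clients are candidates for the outbound rate limit or for temporary network isolation until the pending OCSP requests expire.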

SC contacted Apple for a comment about the vulnerability but at the time of writing we have received no reply.