Apple Fixes Flaw That Leaves [Just Part of] Your Email Exposed [Encryption Digest 19]

November 14, 2019 | Katrina Dobieski


As data increasingly translates to dollars, an ever-more-vigilant eye is turned towards the providers we trust. This week, three of the biggest players in the information sector battle encryption vulnerabilities, bugs and flaws as holes in their encryption strategies are exploited. The fight for privacy takes a turn as Apple faces heat for storing encrypted emails in an unencrypted location. Internet giant Cisco faces several bugs in its small business routers, and the Amazon Ring faces Wi-Fi takeover as a consequence of using HTTP. How key players in data management are defining encryption protocol: this week in the Encryption Digest.

Cisco Firmware Needs an Update: Same Crypto Keys on Multiple Routers

According to their website, 85% of all internet traffic runs through Cisco systems. That’s a lot of data to protect. And when that data leads to web traffic for small businesses, mistakes can become even more costly.


 

That’s why networking giant Cisco has been issuing firmware fixes for several vulnerabilities found on several small-business routers. According to one report, Cisco “explains that the researchers found two static X.509 certificates with the corresponding public-private key pairs and one static SSH host key in the devices' firmware.”
 

Therefore, all affected devices carry the same keys, which renders those keys useless: a private key embedded in a firmware image is available to anyone who obtains that firmware.
 

Venafi’s Kevin Bocek weighs in on the significance of the finds; “It's unfortunate that many organizations still haven’t realized how important machine identities are to security. For example, it would be unthinkable for an organization to use the same default password on multiple machines but similar missteps with keys and certificates are increasingly common.”
 

Researchers then found another set of routers with a bug that could allow an authenticated attacker to take over the device with root privileges. This alert carried more weight, earning a severity rating of 8.8 out of 10.
 

Cisco reports that the incidents were oversights by the development team, and that the “keys were never used for live functionality in shipping products.” However, the presence of these oversights is concerning.
 

With the proliferating number of private keys to keep track of within any encrypted enterprise strategy, it’s no wonder that some get lost, forgotten, or “overlooked.” Bocek suggests, “The only way to prevent these kinds of mistakes is to put in place a strong machine identity management program.”
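
One way to check an inventory for the problem described above, the same host key present on several devices. This is an added example, not code from the article or from Cisco. It groups lines in `ssh-keyscan` output format by OpenSSH-style SHA-256 fingerprint; the host names and key blobs are constructed placeholders and the function names are hypothetical.

```python
import base64
import hashlib
from collections import defaultdict

def keyscan_line(host, blob):
    """Format a constructed key blob as an ssh-keyscan output line."""
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

# Constructed sample input: placeholder blobs and host names, not real keys.
FIRMWARE_KEY = b"constructed-static-firmware-host-key"
SAMPLE_SCAN = "\n".join([
    "# router-a.example:22 SSH-2.0-constructed",
    keyscan_line("router-a.example", FIRMWARE_KEY),
    keyscan_line("router-b.example", FIRMWARE_KEY),
    keyscan_line("router-c.example", b"constructed-unique-key-for-router-c"),
    keyscan_line("router-d.example", FIRMWARE_KEY),
    "router-e.example ssh-rsa not*base64",   # malformed line, must be skipped
])

def fingerprint(b64_blob):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    raw = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def shared_host_keys(scan_text):
    """Return ({fingerprint: hosts} for keys on 2+ hosts, unparsable lines)."""
    hosts_by_fp, skipped = defaultdict(set), []
    for line in scan_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        try:
            fp = fingerprint(parts[2])
        except (IndexError, ValueError):   # too few fields or bad base64
            skipped.append(line)
            continue
        hosts_by_fp[fp].update(parts[0].split(","))
    shared = {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}
    return shared, skipped

if __name__ == "__main__":
    shared, skipped = shared_host_keys(SAMPLE_SCAN)
    for fp, hosts in shared.items():
        print(f"{fp} is shared by {len(hosts)} devices: {', '.join(hosts)}")
    print(f"{len(skipped)} line(s) could not be parsed")
```

Any fingerprint this reports belongs to a key that should be regenerated per device; the same grouping applies to X.509 certificates when fingerprinted over their DER encoding.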
 

Apple Fixes Flaw That Leaves [Just Part of] Your Email Exposed

 


It’s not that unencrypted.
 

Only parts of your emails are stored in a macOS database where Siri learns more about you from other apps. And it’s only the unencrypted text from emails that were supposed to be encrypted. Well, that’s only because it stores S/MIME encrypted emails in an unencrypted database.
 

Wait a minute.
 

In a Medium article back in July, IT specialist Bob Gendler disclosed that (should-be) encrypted S/MIME emails were being stored unencrypted in a file, snippets.db, on macOS. An S/MIME message is encrypted by the sender with the recipient's public key, and reading it requires the recipient's private key. Storing the text in snippets.db removed the need for a private key, leaving the emails exposed.
 

Alongside data from other Apple apps, Mail content is stored in the database to help Siri learn more about the user. It’s always nice when she suggests your favorite taco place.


But disabling Siri should prevent the system from collecting your personal data, including personal emails. Only it doesn’t.

 

As we turn to private entities to secure our data from the prying eyes (government entities, perhaps), this is a highly inconvenient mistake. In the wake of the multi-million dollar “Privacy. That’s iPhone” campaign, it raises some uncomfortable questions.
 

Concerning the exposure, you can go into System Preferences and switch off Mail’s “Learn from this App” to prevent anyone else [besides Siri?] from getting access to new emails. You can mitigate current risk by deleting the old.
 

The incident was brought to Apple’s attention in July of this year. The company says they will resolve the issue with the next round of updates.
 

Amazon Ring Video Doorbell: Still Using HTTP?





No fancy attack needed here. Unfortunately, by some oversight, what was becoming trusted as one of the safest ways to answer the door was secured by one of the lowest forms of internet security.
 

Amazon rolled out its very popular Ring Video Doorbell over the porous HTTP. As we may know, “HTTP is a 'sniffable' protocol, which means that everything exchanged between parties can be eavesdropped on by a potential actor within physical proximity," as Bogdan Botezatu, director of threat research and reporting at Bitdefender, the company that broke the news, states.
 

In something out of a Home Alone sequel, all the attacker needs to do is scout out a house with an Amazon Ring, get within range with the right equipment and then send de-authentication messages until the owner thinks the device is malfunctioning and runs the authentication process again. Doing so will expose the plaintext credentials, allowing an attacker to pick those up and run with them to potentially connect to any device on the network. This can be your family’s cell phones, your personal work emails, and of course, the video feed from your Amazon Ring.
 

Ever wonder who your kids bring over? You’re not the only one.
 

As Botezatu explained, "The doorbell receives the Wi-Fi network password in plain text. Anyone who has access to the password in the proximity of the router can connect to the respective network and start probing for new devices, access network shares or even control equipment."
 

Amazon has released an automatic security update; no word on whether that includes HTTPS.


About the author

Katrina Dobieski

Katrina writes for Venafi's blog and helps optimize Venafi's online presence to advance awareness of Machine Identity Protection.
