Apple Turns on Safari BEAST Attack Mitigation by Default in OS X Mavericks

Apple’s OS X Mavericks release included code that turns on by default a mitigation for the BEAST cryptographic attack.

Apple enabled a feature in its recent OS X Mavericks update that neutered the BEAST cryptographic attacks. BEAST is a two-year-old attack tool that exploits a vulnerability in TLS 1.0 and SSL 3.0 and could lead to an attacker stealing HTTPS cookies or hijacking browser sessions.

Apple’s Safari browser was the lone holdout among major browsers to enable by default a 1/n-1 split that would mitigate the attacks; other leading browsers had turned it on by default by early 2012. The code, meanwhile, has been present since the previous OS X Mountain Lion release but had not been turned on until OS X 10.9 Mavericks.

The 1/1-n split technique stops attackers from being able to guess which initialization vector blocks will be used to mask plaintext data before it is encrypted. Ivan Ristic, director of application research at Qualys, told Threatpost in September that a man-in-the-middle attack would facilitate the ability to predict those blocks and influence what is encrypted. An educated attacker with enough guesses would likely land on the correct block, Ristic said.

He wrote in a blogpost at the time that the BEAST attack would help retrieve small data fragments that would give an attacker some guidance.

“That might not sound very useful, but we do have many highly valuable fragments all over: HTTP session cookies, authentication credentials (many protocols, not just HTTP), URL-based session tokens, and so on,” Ristic said. “Therefore, BEAST is a serious problem.”

With the Mavericks release, however, Ristic said at first he didn’t think the 1/1-n split had been enabled by default. Safari did support TLS 1.2, which Ristic said was an important update, but that alone did not mitigate BEAST attacks because they targeted TLS 1.0 and earlier protocols.

“Client-side support for TLS 1.2 is currently not sufficient because (1) only about 20 percent of servers support this protocol version, and (2), all major browsers are susceptible to protocol downgrade attacks, which can be carried out by active MITM attackers,” he wrote last week.

Ristic did a little hunting and digging beyond the security release notes for Mavericks and looked at some of the source code Apple released as open source and found that the 1/1-n split had indeed been turned on.

“With this, we can finally conclude that BEAST has been sufficiently mitigated client-side, and move on,” Ristic said.

The BEAST tool was released in September 2011 by researchers Juliano Rizzo and Thai Duong at the Ekoparty conference. An attacker using BEAST could decrypt TLS 1.0 or SSL 3.0 sessions on the fly and break into any encrypted browsing session, putting online banking or ecommerce transactions in jeopardy.

BEAST flexes its muscle specifically against the AES encryption algorithm that stands up TLS/SSL. Once a man-in-the-middle position is established and the victim surfs to their banking site, logs-in and receives a cookie, BEAST code would then be injected into the browser via an iFrame or loading BEAST javascript into the browser. The malware then sniffs network traffic looking for TLS connections and is able to decrypt HTTPS cookies, essentially recovering the plaintext version of the data and giving the attacker remote control over a browsing session.

Rizzo and Duong said that BEAST exploits a vulnerability dating back to the first incarnation of SSL, a bug that was largely thought to be non-exploitable.

BEAST attacks are ideal in targeted attacks against specific individuals because attackers would need to be in a man-in-the-middle position; BEAST cannot be done on any kind of scale, Ristic said. Also, the source code for BEAST was never released by Rizzo and Duong.

Suggested articles