In 2014, researcher Raul Siles of DinoSec discovered that an attacker could intercept the traffic between an iOS device and Apple’s update servers and prevent the device from receiving an update. The vulnerability was a major one, as it would allow the attacker to block security fixes from reaching a device and effectively freeze the device on a given iOS version. The attacker could then exploit known vulnerabilities in the software.
Sales disclosed the bug to Apple at the time, and the company released a patch for it in iOS 8, but the fix was incomplete. It’s only now, more than two years and two major iOS releases later that the root cause of the vulnerability has been addressed. By not using HTTPS for the software update process, Apple had left the attack scenario open for years.