Researchers Discover iMessage Encryption Flaw, iOS 9.3 Will Fix It


A group at Johns Hopkins University has found a bug in Apple’s encryption that allows decryption of photos and videos sent through iMessage, reports the Washington Post. While this flaw won’t help the FBI to obtain data from the iPhone used by one of the San Bernardino shooters, it does shatter the notion “that strong commercial encryption has left no opening for law enforcement and hackers”, says Matthew D. Green, the computer science professor at Johns Hopkins University who led the research team.

“Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right,” said Green, whose team of graduate students will publish a paper describing the attack as soon as Apple issues a patch. “So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.”

The connection between the seized iPhone and the Johns Hopkins University research is that all software has vulnerabilities. Apple, for its part, thanked the research team for bringing the flaw to its attention and says it is working to increase security “with every release”:

“Apple works hard to make our software more secure with every release,” the company said in a statement. “We appreciate the team of researchers that identified this bug and brought it to our attention so we could patch the vulnerability. . . . Security requires constant dedication and we’re grateful to have a community of developers and researchers who help us stay ahead.”

The company says it has fixed the flaw with iOS 9.3, which will likely be pushed out to the public today.

Green was skeptical about Apple’s end-to-end encryption statement, so after alerting the company about the flaw and then seeing that Apple didn’t do anything to fix it, he put together a team of researchers to mount an attack to show they can decrypt photos and videos sent as instant messages using Apple’s proprietary messaging platform. They did it in a few months:

To intercept a file, the researchers wrote software to mimic an Apple server. The encrypted transmission they targeted contained a link to the photo stored in Apple’s iCloud server as well as a 64-digit key to decrypt the photo.

Although the students could not see the key’s digits, they guessed at them by a repetitive process of changing a digit or a letter in the key and sending it back to the target phone. Each time they guessed a digit correctly, the phone accepted it. They probed the phone in this way thousands of times.

“And we kept doing that,” Green said, “until we had the key.”

To protect their privacy, users should upgrade to iOS 9.3 when it becomes available, Green recommends.

Technology enthusiast, rocker, biker and writer of iPhoneinCanada.ca. Follow me on Twitter or contact me via email: istvan@iphoneincanada.ca

  • Andy

    Yet if a civilian did this, s/he would be arrested and charged with hacking.

  • Yep. The ‘news’ of this discovery looks to have been timed just ahead of the release of iOS 9.3.

  • KS

    Should this mean 9.3 may appear later than expected?

  • BigCat

    “he put together a team of researchers to mount an attack to show they can decrypt photos and videos”

    Given their success, one can only imagine what the Government’s team has managed to achieve. When you have the ability to access people in both chip and software blueprint design there is bound to be a good measure of success. And this does not even consider their ability to access quantum computing power.

    How does that old saying go: “Never bring a knife to a gun fight.”