A group at Johns Hopkins University has found a bug in Apple’s encryption that allows decryption of photos and videos sent through iMessage, reports the Washington Post. While this flaw won’t help the FBI to obtain data from the iPhone used by one of the San Bernardino shooters, it does shatter the notion “that strong commercial encryption has left no opening for law enforcement and hackers”, says Matthew D. Green, the computer science professor at Johns Hopkins University who led the research team.
“Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right,” said Green, whose team of graduate students will publish a paper describing the attack as soon as Apple issues a patch. “So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.”
The connection between the seized iPhone and the Johns Hopkins University research is that all software has vulnerabilities. Apple, on the other hand, thanked the research team for bringing the flaw to its attention and says it is working to increase security “with every release”:
“Apple works hard to make our software more secure with every release,” the company said in a statement. “We appreciate the team of researchers that identified this bug and brought it to our attention so we could patch the vulnerability. . . . Security requires constant dedication and we’re grateful to have a community of developers and researchers who help us stay ahead.”
The company says it has fixed the flaw with iOS 9.3, which will likely be pushed out to the public today.
Green was skeptical about Apple’s end-to-end encryption statement, so after alerting the company about the flaw and then seeing that Apple didn’t do anything to fix it, he put together a team of researchers to mount an attack to show they can decrypt photos and videos sent as instant messages using Apple’s proprietary messaging platform. They did it in a few months:
To intercept a file, the researchers wrote software to mimic an Apple server. The encrypted transmission they targeted contained a link to the photo stored in Apple’s iCloud server as well as a 64-digit key to decrypt the photo.
Although the students could not see the key’s digits, they guessed at them by a repetitive process of changing a digit or a letter in the key and sending it back to the target phone. Each time they guessed a digit correctly, the phone accepted it. They probed the phone in this way thousands of times.
“And we kept doing that,” Green said, “until we had the key.”
To protect their privacy, users should upgrade to iOS 9.3 when it becomes available, Green recommends.