
Researchers from Johns Hopkins University have found a vulnerability in iMessage that allowed them to decrypt both photos and videos sent via the service. Apple said that iOS 9 provided a partial fix – making the attack method more difficult – while it is fully fixed in iOS 9.3.

The Washington Post reports that the team advised Apple of the flaw, and will publish a paper as soon as iOS 9.3 has been officially released, which is expected later today. The team has, however, explained in outline how their attack worked …

To intercept a file, the researchers wrote software to mimic an Apple server. The encrypted transmission they targeted contained a link to the photo stored in Apple’s iCloud server as well as a 64-digit key to decrypt the photo.

Although the students could not see the key’s digits, they guessed at them by a repetitive process of changing a digit or a letter in the key and sending it back to the target phone. Each time they guessed a digit correctly, the phone accepted it. They probed the phone in this way thousands of times.

“And we kept doing that,” Green said, “until we had the key.”

Computer science professor Matthew D. Green said he suspected there might be a vulnerability in iMessage when he read an Apple security guide to the encryption process, and he’d initially alerted Apple at that time. When the company didn’t fix it, he and a team of students decided to try it in practice. The attack took several months.
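The digit-by-digit guessing in the outline above, as an added toy model (not the researchers' code or Apple's implementation): a constructed `ToyDevice` that confirms each digit separately gives up a 64-digit key within 1,024 queries, while one that only accepts or rejects the whole key gives the guesser no usable signal. The class and function names and the `upto` parameter are assumptions made for illustration.

```python
import secrets

HEX = "0123456789abcdef"
KEY_LEN = 64  # the article describes a 64-digit key


class ToyDevice:
    """Constructed stand-in for a receiving device; not Apple's implementation."""

    def __init__(self, leaky):
        self.key = "".join(secrets.choice(HEX) for _ in range(KEY_LEN))
        self.leaky = leaky
        self.queries = 0

    def accepts(self, guess, upto=KEY_LEN):
        """Leaky mode answers for the first `upto` digits only (modelling shortcut).
        Hardened mode ignores `upto` and checks the whole key at once."""
        self.queries += 1
        if not self.leaky:
            upto = KEY_LEN
        return secrets.compare_digest(guess[:upto], self.key[:upto])


def recover(device, budget):
    """Guess one digit at a time, keeping a digit whenever the device accepts."""
    known = ""
    for pos in range(KEY_LEN):
        for digit in HEX:
            if device.queries >= budget:
                return None
            candidate = (known + digit).ljust(KEY_LEN, "0")
            if device.accepts(candidate, upto=pos + 1):
                known += digit
                break
        else:
            return None  # no digit accepted: the device leaks nothing per digit
    return known


def compare():
    budget = KEY_LEN * len(HEX)  # 1,024 queries is the worst case with per-digit feedback
    leaky, hardened = ToyDevice(True), ToyDevice(False)
    return {
        "leaky_recovered": recover(leaky, budget) == leaky.key,
        "leaky_queries": leaky.queries,
        "hardened_recovered": recover(hardened, budget) == hardened.key,
        "blind_search_space": len(HEX) ** KEY_LEN,
    }
```
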

Green says that the fact that such weaknesses still exist is support for Apple’s position against the FBI.

Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right. So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.

iOS 9.3 has been in public beta for some time, and is due to be released later today. It runs on all iPhones from the 4s onward, on all iPads since the iPad 2 and on the 5th- and 6th-generation iPod Touch.


About the Author

Ben Lovejoy's favorite gear