Skip to main content

Johns Hopkins researchers find way to decrypt iMessage photos & videos; fixed in iOS 9.3

imessage

Researchers from Johns Hopkins University have found a vulnerability in iMessages that allowed them to decrypt both photos and videos sent via the service. Apple said that iOS 9 provided a partial fix – making the attack method more difficult – while it is fully fixed in iOS 9.3.

The Washington Post reports that the team advised Apple of the flaw, and will publish a paper as soon as iOS 9.3 has been officially released, expected for later today. The team has, however, explained in outline how their attack worked …

To intercept a file, the researchers wrote software to mimic an Apple server. The encrypted transmission they targeted contained a link to the photo stored in Apple’s iCloud server as well as a 64-digit key to decrypt the photo.

Although the students could not see the key’s digits, they guessed at them by a repetitive process of changing a digit or a letter in the key and sending it back to the target phone. Each time they guessed a digit correctly, the phone accepted it. They probed the phone in this way thousands of times.

“And we kept doing that,” Green said, “until we had the key.”

Computer science professor Matthew D. Green said he suspected there might be a vulnerability in iMessage when he read an Apple security guide to the encryption process, and he’d initially alerted Apple at that time. When the company didn’t fix it, he and a team of students decided to try it in practice. The attack took several months.

Green says that the fact that such weaknesses still exist is support for Apple’s position against the FBI.

Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right. So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.

iOS 9.3 has been in public beta for some time, and is due to be released later today. It runs on all iPhones from the 4s onward, on all iPads since the iPad 2 and on the 5th- and 6-generation iPod Touch.

Image: iosdevicerecovery.info

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

  1. Marc Orcutt - 8 years ago

    So the attack took several months and iOS 9.3 already fixes it. Got it.

  2. Robert Wood - 8 years ago

    While fixing this bug, Apple can also add able to create multiple draft text/message before send option in iMessage App. Missing since it’s inception against android stock message app. iPhone users say create multiple draft using Notes App and cut/paste into imessage when ready to send. I say why ? why not build into imessage like android.

    • shareef777 - 8 years ago

      What’re you sending in Messages that requires this? Are you sending novels in text? Seems excessive for a platform that’s meant to be quick text.

      • flaviosuave - 8 years ago

        Our society is worse off for having missed out on Robert Wood’s magnum opus – which does not exist solely due to a lack of draft functions in iMessages!

      • srgmac - 8 years ago

        “Meant to be” — I hate phrases like this. The fact is, iMessage is a better platform than email for sending messages, not to mention they’re encrypted (well, at least they’re SUPPOSED to be!). If someone wants to use this as their primary communications service, I say more power to them.

    • srgmac - 8 years ago

      You can do it in the Mac version (kind of) — but yes, I see that on iOS it’s basically forcing you to send the message or not use anything else in the messages app. Lame. iMessage should be treated by Apple as one of the best things they have to offer to the public — a fully secure platform for sending and receiving messages with attachments. The apps themselves not only deserve a full overhaul (there are several bugs in place right now with client side caching \ messages saving on both Mac and OS X) but the service itself should also get top priority and get security audits.
      Not listening when a prominent researcher tells you there’s a security flaw, is a pretty atrocious thing for Apple to do, I must say.

  3. PhilBoogie - 8 years ago

    The Feds better be careful with upgrading their iPhones then¡

    Seriously, this is nothing new. The encryption used by Apple most certainly doesn’t apply to everything on iOS. Heck, even music downloaded from iTunes is tagged with the user email *after* the user has received the file. iTunes adds it then, not before. So intercepting the data before it hits iTunes would be DRM free. But that doesn’t matter since its removed now anyway.

  4. Jake Becker - 8 years ago

    Excellent news for iMessage and encryption.

  5. Grayson Mixon - 8 years ago

    So, iOS 9.2.1 can run on everything back to the iPad 2, but iOS 9.3 can only run on the iPad Air 1 and 2?

  6. Mike Knopp (@mknopp) - 8 years ago

    So, has the FBI and DOJ tried to block this patch yet since it is obvious that Apple is supporting terrorist, child pornographers, and kidnappers with this unacceptable increase in security.

    I am, of course, being facetious to make a point about how absurd the FUD spouted by the government is.

  7. John Smith - 8 years ago

    Yet another security failure.

    Perhaps Apple should spend less time/effort on obstructing law enforcement and more time on keeping our devices secure ?

  8. srgmac - 8 years ago

    What the…He told Apple about it originally and they never bothered to fix it? This is very concerning….

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear