Researchers Uncover iMessage Encryption Flaw

In the midst of the ongoing debacle between the Federal Bureau of Investigation (FBI) and Apple over the concept of iPhone encryption, researchers at Johns Hopkins University published a report about a vulnerability that ironically shatters the tech giant’s encryption techniques. The Baltimore-based institution shared details of a flaw in iOS and OSX in transmitting messages via the instant messaging application, iMessage—one that could allow an attacker to decrypt sent photos, videos, and messages.

Leading a team of researchers, computer science professor Matthew D. Green noted that the flaw may have been around since last year, realizing that the encryption process divulged by the company in a security guide was weak.

Following months of observation, Green’s team staged a proof-of-concept attack that challenged the encryption of photos and videos sent through the app. Several attack attempts later, the graduate students succeeded in targeting devices with outdated OS versions.

Intercepting files was made possible by creating software that masqueraded as an Apple server. The targeted encrypted transmission involved a link of a photo stored in the iCloud server together with a 64-digit key used to decrypt the photo. It was also noted that a modified version of the attack could work on newer OS versions. Using this key, the researchers were able to access a photo from Apple’s server. The result of the test attack serves as a warning that a cybercriminal could easily do this without the knowledge of the user.

The report also shows that the exploit could be used to decrypt even those messages that are left undelivered in iMessage, but remain on iCloud servers for 30 days

However, in the context of the recent friction between Apple and the FBI, the researchers noted that the discovery of the vulnerability does not, in any way, aid the latter in gaining access of the device in question involved in the San Bernardino shooting. As such, Green said in a statement, “Even Apple, with all their skills—and they have terrific cryptographers—wasn’t able to quite get this right. So, it scares me that we’re having this conversation about adding backdoors to encryption when we can’t even get basic encryption right.”

[Read: The story behind the feud between Apple and the FBI]

Apple was notified of the vulnerability after the research team’s discovery. In a statement, the company notes, “Apple works hard to make our software more secure with every release. We appreciate the team of researchers that identified this bug and brought it to our attention so we could patch the vulnerability. Security requires constant dedication and we’re grateful to have a community of developers and researchers who help us stay ahead.”

Upon notification, Apple said that the security issue has been “partially fixed” last fall with the release of iOS 9. Users are then urged to keep devices—from phones to laptops—updated with security improvements that come with the rollout of iOS 9.3.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Veröffentlicht in Vulnerabilities & Exploits, Mobile