Tech

Researchers exploit weakness in Apple iMessage encryption

John Hopkins researchers were able to exploit a vulnerability in iOS 9.3 and decrypt media sent across the iMessage platform.

Written by Charlie Osborne, Contributing Writer March 21, 2016 at 1:38 a.m. PT

Researchers from John Hopkins University have discovered a flaw in Apple's iMessage service which allows images and videos sent and stored in iCloud to be decrypted.

The research team, led by computer science expert Matthew Green, came across a bug in the iPad and iPhone maker's encryption protocols which enabled skilled cyberattackers to compromise iMessage sessions and decrypt content which users believed were sent securely to participants in a conversation.

As reported by the Washington Post, the flaw lies within iMessage encryption, which struck Green as "weak" and piqued his interest.

Security

After several months of work, Green and his team of researchers developed software which mimicked an Apple server. This gave the team the opportunity to intercept iMessage transmissions, and through testing, they were able to target communication which contained a link to a photo stored in the Apple iCloud server.

This captured packet also included a 64-digit key required to decrypt the image.

While the security researchers were unable to see the key's individual digits, they were able to use brute force techniques -- repeating the process of testing letters and digits individually and sending these guesses back to the target phone -- which were then accepted by the mobile device when the correct digit was pinged.

Eventually, this led the team to the correct 64 digits and the ability to decrypt the image. Green said the attack, if levied against your average user, would not have raised any alarm bells.

"A modified version of the attack would also work on later operating systems," Green told the publication.

Apple has been notified of the researcher's findings. The flaw was partially mitigated in previous iOS updates, but the bug will be completely removed in iOS 9.3, which is due to be released Monday.

Once the update has been issued to iPhone users and they have a chance to protect themselves from such an attack, Green's team will release additional details concerning the iMessage vulnerability.

Users should update their devices as soon as possible.

This kind of security weakness would not have helped the FBI pull data from the iPhone belonging to a shooter involved in the San Bernardio attack which took place last year -- as the data must be in transit rather than stored in the iCloud for the attack to work -- but the situation does highlight that no matter how strong encryption is and how much investment is poured into protecting the privacy of users, no system is perfect.