IMessage_IconA flaw in Apple's encryption systems has been found that enables an attacker to decrypt photos and videos sent over its iMessage instant messenger service.

According to The Washington Post, the security hole in Apple's code was exploited by a group of Johns Hopkins University researchers, led by computer science professor Matthew D. Green.

Green reportedly alerted Apple to the problem last year after he read an Apple security guide describing an encryption process that struck him as weak. When a few months passed and the flaw remained, Green and his graduate students decided to mount an attack to show that they could break the encryption of photos and videos sent over iMessage.

The team succeeded by writing software that mimicked an Apple server and hijacked the encrypted transmission of the targeted phone. The transmission contained a link to a photo stored in Apple’s iCloud server as well as a 64-digit key to decrypt the photo.

While the students could not see the key's digits, they guessed them by a repetitive process of changing a digit or a letter in the key and sending it back to the target phone. Each time they guessed a digit correctly, the phone accepted it. The phone was probed in this way thousands of times until the team guessed the correct key and was able to retrieve the photo from Apple's server.

Apple said that it partially fixed the problem last fall when it released iOS 9, and will fully address the issue through security improvements in iOS 9.3, which is expected to be released this week. The company's statement read:

Apple works hard to make our software more secure with every release. We appreciate the team of researchers that identified this bug and brought it to our attention so we could patch the vulnerability. Security requires constant dedication and we're grateful to have a community of developers and researchers who help us stay ahead.

The news comes amid Apple's ongoing legal battle with the FBI in connection with the iPhone at the center of the San Bernadino shooter investigation. The FBI has requested help from Apple to unlock the phone, but the company has so far refused.

The FBI wants to access data stored on the iPhone in question, whereas the Johns Hopkins research focused on the interception of data transmitted between devices. However, Green believes that his team's work highlights the inherent security risks of the FBI's demands in the California case.

"Even Apple, with all their skills — and they have terrific cryptographers — wasn't able to quite get this right," Green told the newspaper. "So it scares me that we're having this conversation about adding backdoors to encryption when we can't even get basic encryption right."

Apple will face off against the FBI in court on Tuesday, one day after the company's March 21 event that will see the debut of the 4-inch iPhone SE and the 9.7-inch iPad Pro. MacRumors will post a direct link to Apple's media event once it becomes available.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

Top Rated Comments

C DM Avatar
73 months ago
2016: The year of Apple security flaws.
Any year is the year of security flaws in pretty much any OS.
Score: 2 Votes (Like | Disagree)
profets Avatar
73 months ago
Good on Green for pointing this out. If Apple has partially fixed it in 9.0 and fully addressing it with 9.3 I wonder if they did so based on Green notifying them last year.
Score: 2 Votes (Like | Disagree)
Keane16 Avatar
73 months ago
but Apple's selling point has very long been "our walled garden has no security flaws"
No, no it has not. Apple have never said that.

Fanboys, fools and kids on the internet? Yes I've seen them claiming that.

You've got to separate what Apple actually say and what gets posted on the internet.
Score: 2 Votes (Like | Disagree)
Jimmy James Avatar
73 months ago
There's your "back door" FBI.
Score: 1 Votes (Like | Disagree)
d00d Avatar
73 months ago
It looks they are not as terrific as Mr. Green is.
I don't understand why after getting a warning about a security issue Apple always waits until someone actually makes a successful attack.
Successful encryption application is challenging task and often finding the flaw is easier than making the system to begin with.

Regarding disclosure, the current etiquette is to disclose at time of fix rather than announce a list of attack vectors for exploitation. Researchers generally disclose to vendors privately, then publicly sometime later if a response is not received in a timely (somewhat subjective) manner. Apple doesn't always wait until there's a successful attack. Join their security announcements mailing list. Every update they release has a series of vulnerabilities fixed and disclosed. Many (I'd probably characterize it as most) of them have no successful attacks in the wild.
Score: 1 Votes (Like | Disagree)
navaira Avatar
73 months ago
2016: The year of Apple security flaws.
Score: 1 Votes (Like | Disagree)

Related Stories

General Apps Messages

Android iMessage Competitor Puts Pressure on Apple

Friday July 30, 2021 3:15 am PDT by
Google and the three major U.S. carriers, including Verizon, AT&T, and T-Mobile, will all support a new communications protocol on Android smartphones starting in 2022, a move that puts pressure on Apple to adopt a new cross-platform messaging standard and may present a challenge to iMessage. Verizon recently announced that it is planning to adopt Messages by Google as its default messaging...
iphone 13 teal with text

Apple Begins Preparation for iPhone 13 Production Ahead of Fall Launch

Monday June 28, 2021 3:29 am PDT by
We're just a few months away from when Apple is expected to reveal the 2021 iPhone, dubbed the "iPhone 13." In preparation for its launch, it has been pulling in shipments of different components needed to produce the new iPhones, according to a report from DigiTimes. In years past, Apple released its latest iPhone lineup, alongside a new Apple Watch, during a September event at Apple Park....
studio buds family

Beats Studio Buds Debuting Today With Active Noise Cancellation, Stemless Design, and More for $150

Monday June 14, 2021 8:00 am PDT by
We've seen a lot of teasers about the Beats Studio Buds over the past month since they first showed up in Apple's beta software updates, and today they're finally official. The Beats Studio Buds are available to order today in red, white, and black ahead of a June 24 ship date, and they're priced at $149.99. The Studio Buds are the first Beats-branded earbuds to truly compete with AirPods...
bluetti eb70 main

MacRumors Giveaway: Win a Bluetti EB70 Portable Power Station and 200W Solar Panel

Friday September 3, 2021 11:13 am PDT by
For this week's giveaway, we've teamed up with MAXOAK to offer MacRumors readers a chance to win a Bluetti portable power station and an accompanying solar panel. Bluetti makes a range of portable power station options that are useful for camping, emergencies, power outages, off-grid living, and similar situations. The Bluetti EB70 is a solid middle of the road option that offers 716Wh and...
apple privacy

Apple Publishes FAQ to Address Concerns About CSAM Detection and Messages Scanning

Monday August 9, 2021 1:50 am PDT by
Apple has published a FAQ titled "Expanded Protections for Children" which aims to allay users' privacy concerns about the new CSAM detection in iCloud Photos and communication safety for Messages features that the company announced last week. "Since we announced these features, many stakeholders including privacy organizations and child safety organizations have expressed their support of...
macos catalina legacy system extension alert

Apple Begins Warning Users That 'Legacy System Extensions' Won't Work With a Future Version of macOS

Wednesday March 25, 2020 9:53 am PDT by
Apple has shared a new support document that indicates kernel extensions — which it calls "legacy system extensions" — will not be compatible with a future version of macOS because they "aren't as secure or reliable as modern alternatives."System extensions are a category of software that works in the background to extend the functionality of your Mac. Some apps install kernel extensions, which...
General Spotify Feature

Spotify Pauses Plans to Add AirPlay 2 Support to iOS App [Update: Spotify Clarifies]

Friday August 6, 2021 9:07 am PDT by
See update at bottom of article Spotify this week confirmed that its plans to add AirPlay 2 support to its iOS app have been placed on indefinite hiatus. In an online discussion forum post, a Spotify representative said the streaming music service had been working on supporting AirPlay 2, but the company has paused the efforts "for now" due to "audio driver compatibility issues." The...
youtube apple tv

YouTube Discontinuing 3rd-Generation Apple TV App, AirPlay Still Available

Wednesday February 3, 2021 3:09 pm PST by
YouTube is planning to stop supporting its YouTube app on the third-generation Apple TV models, where YouTube has long been available as a channel option. A 9to5Mac reader received a message about the upcoming app discontinuation, which is set to take place in March.Starting early March, the YouTube app will no longer be available on Apple TV (3rd generation). You can still watch YouTube on...
os x mountain lion macs 16x9 2

Apple Makes OS X Lion and Mountain Lion Free to Download

Wednesday June 30, 2021 12:19 pm PDT by
Apple recently dropped the $19.99 fee for OS X Lion and Mountain Lion, making the older Mac updates free to download, reports Macworld. Apple has kept OS X 10.7 Lion and OS X 10.8 Mountain Lion available for customers who have machines limited to the older software, but until recently, Apple was charging $19.99 to get download codes for the updates. As of last week, these updates no...
Pixel Stand 23W 668x445

Google Pixel 6 Rumored to Support 23W Wireless Charging, Beating iPhone 12's MagSafe

Wednesday September 1, 2021 1:54 am PDT by
Google is rumored to be working on a new wireless charging stand that could deliver 23W of charging power to its upcoming Pixel 6 and Pixel 6 Pro phones, according to a leaked inventory image published by Android Police. Image via Android Police. If true, that would beat the iPhone 12's maximum 15W wireless charging speed (or 12W on ‌iPhone 12 mini‌) using Apple's MagSafe charger, and...