iMessage Security Flaw Allows Researchers to Decrypt Images

by

IMessage_IconA flaw in Apple's encryption systems has been found that enables an attacker to decrypt photos and videos sent over its iMessage instant messenger service.

According to The Washington Post, the security hole in Apple's code was exploited by a group of Johns Hopkins University researchers, led by computer science professor Matthew D. Green.

Green reportedly alerted Apple to the problem last year after he read an Apple security guide describing an encryption process that struck him as weak. When a few months passed and the flaw remained, Green and his graduate students decided to mount an attack to show that they could break the encryption of photos and videos sent over iMessage.

The team succeeded by writing software that mimicked an Apple server and hijacked the encrypted transmission of the targeted phone. The transmission contained a link to a photo stored in Apple’s iCloud server as well as a 64-digit key to decrypt the photo.

While the students could not see the key's digits, they guessed them by a repetitive process of changing a digit or a letter in the key and sending it back to the target phone. Each time they guessed a digit correctly, the phone accepted it. The phone was probed in this way thousands of times until the team guessed the correct key and was able to retrieve the photo from Apple's server.

Apple said that it partially fixed the problem last fall when it released iOS 9, and will fully address the issue through security improvements in iOS 9.3, which is expected to be released this week. The company's statement read:

Apple works hard to make our software more secure with every release. We appreciate the team of researchers that identified this bug and brought it to our attention so we could patch the vulnerability. Security requires constant dedication and we're grateful to have a community of developers and researchers who help us stay ahead.

The news comes amid Apple's ongoing legal battle with the FBI in connection with the iPhone at the center of the San Bernadino shooter investigation. The FBI has requested help from Apple to unlock the phone, but the company has so far refused.

The FBI wants to access data stored on the iPhone in question, whereas the Johns Hopkins research focused on the interception of data transmitted between devices. However, Green believes that his team's work highlights the inherent security risks of the FBI's demands in the California case.

"Even Apple, with all their skills — and they have terrific cryptographers — wasn't able to quite get this right," Green told the newspaper. "So it scares me that we're having this conversation about adding backdoors to encryption when we can't even get basic encryption right."

Apple will face off against the FBI in court on Tuesday, one day after the company's March 21 event that will see the debut of the 4-inch iPhone SE and the 9.7-inch iPad Pro. MacRumors will post a direct link to Apple's media event once it becomes available.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

Top Rated Comments

(View all)
Avatar
60 months ago

2016: The year of Apple security flaws.

Any year is the year of security flaws in pretty much any OS.
Score: 2 Votes (Like | Disagree)
Avatar
60 months ago
Good on Green for pointing this out. If Apple has partially fixed it in 9.0 and fully addressing it with 9.3 I wonder if they did so based on Green notifying them last year.
Score: 2 Votes (Like | Disagree)
Avatar
60 months ago

but Apple's selling point has very long been "our walled garden has no security flaws"

No, no it has not. Apple have never said that.

Fanboys, fools and kids on the internet? Yes I've seen them claiming that.

You've got to separate what Apple actually say and what gets posted on the internet.
Score: 2 Votes (Like | Disagree)
Avatar
60 months ago
There's your "back door" FBI.
Score: 1 Votes (Like | Disagree)
Avatar
60 months ago

It looks they are not as terrific as Mr. Green is.
I don't understand why after getting a warning about a security issue Apple always waits until someone actually makes a successful attack.

Successful encryption application is challenging task and often finding the flaw is easier than making the system to begin with.

Regarding disclosure, the current etiquette is to disclose at time of fix rather than announce a list of attack vectors for exploitation. Researchers generally disclose to vendors privately, then publicly sometime later if a response is not received in a timely (somewhat subjective) manner. Apple doesn't always wait until there's a successful attack. Join their security announcements mailing list. Every update they release has a series of vulnerabilities fixed and disclosed. Many (I'd probably characterize it as most) of them have no successful attacks in the wild.
Score: 1 Votes (Like | Disagree)
Avatar
60 months ago
2016: The year of Apple security flaws.
Score: 1 Votes (Like | Disagree)

Top Stories

First Impressions From New iPhone 12 and 12 Pro Owners

Thursday October 22, 2020 4:20 pm PDT by
It's already Friday, October 23, in Australia and New Zealand, which means some customers who purchased an iPhone 12 or 12 Pro already have their new devices in hand. We've seen dozens of reviews of the iPhone 12 and iPhone 12 Pro from media sites, but now first impressions from regular Apple customers are available. Image via MacRumors reader Boardiesboi New iPhone 12 and 12 Pro owners are...

Early iPhone 12 Tests Show Ceramic Shield is Stronger and More Scratch Resistant Than iPhone 11 Glass

Friday October 23, 2020 1:21 pm PDT by
Apple's new iPhone 12 models are protected by a Ceramic Shield cover glass that has nano-ceramic crystals infused right into the glass to improve durability. According to Apple, Ceramic Shield offers four times better drop protection than the glass used for the iPhone 11 models. YouTube channel MobileReviewsEh conducted some tests on the iPhone 12 using a force meter to compare its performance ...

Apple Distributing New Heated Display Removal Machine for iPhone 12 Repairs

Thursday October 22, 2020 6:20 pm PDT by
Apple is providing Genius Bars and Apple Authorized Service Providers with a new heated display removal fixture for iPhone 12 and iPhone 12 Pro repairs, according to information obtained by MacRumors from a reliable source. To open iPhone 12 models, technicians will be required to slide the device into a specialized tray, and then place the tray into the high-temperature fixture for two...

Apple VP Kaiann Drance Interview Addresses Battery Life, MagSafe, and Power Adapter Concerns

Friday October 23, 2020 3:37 am PDT by
Apple's Vice President of iPhone Marketing, Kaiann Drance, has provided a new interview to Rich DeMuro on the Rich on Tech Podcast, to discuss the iPhone 12 and iPhone 12 Pro. Although much of the interview repeated points from Apple's "Hi, Speed" event, there were a number of interesting tidbits regarding the affect of 5G on battery life, MagSafe concerns, and the lack of a power adapter in...

Teardown Video Confirms iPhone 12 and iPhone 12 Pro Use Same 2,815mAh Battery

Thursday October 22, 2020 9:47 am PDT by
With the iPhone 12 launching on Friday and in just a few hours to Australia and New Zealand, hands-on videos, teardowns, reviews, and other iPhone-related content has been coming out. A new teardown video delves into both the iPhone 12 and the 12 Pro, confirming battery life for both models and giving us a closer look at their internals. The video from Io Technology is in Chinese, but ...

Images of Supposed AirPods Diagnosis Tool Shared Online

Thursday October 22, 2020 5:24 am PDT by
Apple is reportedly rolling out a new tool to Apple service providers for testing AirPods, according to leaker known as "Fudge," who shared images of the tool on Twitter. Apple appears to be seeking to reduce unnecessary AirPods services by more accurately diagnosing the cause of a fault. Instances of a dirt-blockage, which may be difficult to ascertain visually, can apparently be...

New Photos Offer Better Look at iPhone 12 Color Options

Tuesday October 20, 2020 2:34 am PDT by
As we wait for the iPhone 12 review embargo to lift later today, more pictures are circulating of the devices in real-world lighting conditions, providing a better look at the different colors available. Leaker DuanRui has shared images on Twitter of the iPhone 12 in white, black, blue, green, and (PRODUCT)RED. The black and white colors are similar to the iPhone 11 colors, but the other...

Apple's AirTags Revealed in Newly Published Patent Applications

Thursday October 22, 2020 9:13 am PDT by
Two patent applications filed by Apple appear to depict the company's widely expected AirTags item trackers (via Patently Apple). The filings, which include a large number of images, are titled "Mounting Base for a Wirelessly Locatable Tag" and "Fastener with a Constrained Retention Ring," and describe a wirelessly locatable tag that can be used to determine the absolute location of an...

iPhone 11 Pro Outlasts iPhone 12 and 12 Pro in Extensive Battery Life Test

Friday October 23, 2020 8:36 am PDT by
Arun Maini today shared a new side-by-side iPhone battery life video test on his YouTube channel Mrwhosetheboss, timing how long the new iPhone 12 and iPhone 12 Pro models last on a single charge compared to older models, with equal brightness, settings, battery health, and usage. All of the devices are running iOS 14 without a SIM card inserted. In the test, the iPhone 11 Pro outlasted both ...

Apple Warns MagSafe Charger Can Leave Circular Imprints on Leather Cases

Friday October 23, 2020 3:23 pm PDT by
If you keep your iPhone in a leather case while charging with Apple's new MagSafe Charger, the case might show circular imprints from contact with the accessory, according to a new Apple support document published today. Apple's leather cases for the iPhone 12 and iPhone 12 Pro are not available until November 6, but a MacRumors reader has already shared a photo of a circular imprint on...