Apple’s squeaky clean security image seems to be unravelling more and more these days, especially since news broke recently of Macs being hit by ransomware for the first time ever.
Yet again, another security hole has been uncovered, this time by a group of Johns Hopkins University researchers in Baltimore, Maryland, led by cryptographer and computer science professor Matthew D. Green. Green spotted the potential weakness while reading an Apple security guide, and he and his team of graduate students then found a bug in Apple’s iMessage encryption. After alerting the company to the issue, the team mounted a staged attack on iMessage, one that would enable an attacker to decrypt photos and videos sent through iMessage on iPhones and iPads running versions of iOS prior to iOS 9.
The research team: Gabe Kaptchuk, Mike Rushanan, Ian Miers and Christina Garman.
Apple’s encryption on iMessage serves to protect its users’ messages by scrambling them using advanced mathematics, so that they can only be read by the sender and recipient. When a user sends an iMessage, their device opens a secure connection with Apple’s servers. Messages are encrypted on the phone using a private key and sent to Apple’s servers, which then deliver them to the recipient. The recipient’s phone then decrypts the message.
After reading a report on Apple’s encryption, Green guessed that he might be able to exploit iMessage by mimicking Apple’s servers and intercepting iMessages sent between devices running older versions of Apple’s iOS software, looking for a link to a photo stored in iCloud. The Washington Post reported that the security researchers successfully targeted phones using pre-2011 versions of iMessage and, after a few months, were able to download a photo from Apple’s servers. However, Green warned that a modified version of the attack could also be used to target more recent versions of the operating system, given an attacker with nation-state level hacking skills and resources.
“Apple works hard to make our software more secure with every release,” the company said in a statement. “Security requires constant dedication and we’re grateful to have a community of developers and researchers who help us stay ahead.”
Green emphasizes that this is exactly why the government should not be forcing Apple to intentionally weaken the security of its own software, when the reality is that perfect encryption is incredibly hard, if not impossible, to achieve. As Green stated:
“Even Apple, with all their skills—and they have terrific cryptographers—wasn’t able to quite get this right… So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.”
According to RT, to intercept a file in an encrypted transmission, the team first designed special software to emulate an Apple server. The scientists then chose the encrypted transmissions they wanted to decrypt, each containing a link to the photo in iCloud as well as a 64-digit key to decrypt the photo or video. The keys themselves were not visible, but the team discovered that they could take as many guesses as they wanted, changing a digit or a letter in the key and sending it back to the device they were targeting, because iMessage does not lock out an attacker after multiple failed decryption attempts. By way of brute force, each time a guess was correct the targeted phone accepted that digit, so they only had to keep guessing a few thousand times before they had the whole key and were able to decrypt the media file (Wired puts the figure at roughly 130,000 attempts). Additionally, because the emulated server gives the phone an invalid download location for the target file, the phone ultimately ignores every request, so the entire interaction with the intended recipient’s phone never shows up in any notification on his or her screen.
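As an added illustration (not code from the researchers or from Apple), a toy model of the verification behaviour described above: a verifier that accepts a partially correct key and never locks out, next to a hardened one that compares the full key in constant time and refuses further guesses after a few failures. The key length, the lockout threshold and the class names are assumptions for the demo.

```python
import hmac
import secrets

# Assumed for the demo: the page describes a 64-digit key, which we model as
# 64 hex characters; the lockout threshold is illustrative, not Apple's policy.
KEY_HEX_LENGTH = 64
MAX_FAILED_ATTEMPTS = 5


class LeakyVerifier:
    """Models the weakness the article describes: no attempt limit, and a
    guess is accepted as soon as its leading characters match the real key,
    so every response tells the caller whether one more position is right."""

    def __init__(self, key_hex: str) -> None:
        self._key = key_hex
        self.attempts = 0

    def check(self, guess_hex: str) -> bool:
        self.attempts += 1
        return self._key.startswith(guess_hex)  # prefix match leaks per-digit info


class HardenedVerifier:
    """All-or-nothing check: the guess must be the complete key, the comparison
    is constant-time, and a handful of failures locks the verifier for good."""

    def __init__(self, key_hex: str) -> None:
        self._key = key_hex
        self.failed = 0
        self.locked = False

    def check(self, guess_hex: str) -> bool:
        if self.locked:
            return False
        # compare_digest has no early exit, so a wrong guess reveals nothing
        # about which characters were correct; a short guess is simply wrong.
        ok = len(guess_hex) == KEY_HEX_LENGTH and hmac.compare_digest(self._key, guess_hex)
        if not ok:
            self.failed += 1
            if self.failed >= MAX_FAILED_ATTEMPTS:
                self.locked = True
        return ok


def make_key() -> str:
    """Constructed random key for the demo (not a real attachment key)."""
    return secrets.token_hex(KEY_HEX_LENGTH // 2)
```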
The controlled hack clearly demonstrates how important it is to download and install patches for your devices, as encryption may not always be perfect. There will always be security holes and hackers to find them. While Apple said it partially fixed the problem when it released its iOS 9 operating system, it aims to fully address the problem through security improvements in its latest operating system (iOS 9.3), which users should install as soon as possible to fix the major flaw.
The good news is that iOS 9.3, released by Apple today along with a parallel update for the desktop version of iMessage, fixes the flaw that allowed encrypted content to be unscrambled. The bad news is that anyone who has not installed the update on both their iPhone and their OS X iMessage client could still have files sent to them decrypted using this technique.
FYI note: the recipient (not the sender) is the one whose devices must be patched to fully prevent the attack.
If you have yet to be notified of the new software, you can get the update now through the Settings > General menu, and read more on the Johns Hopkins research team’s blog detailing their attack on Apple’s iMessage.
Sources: Washington Post, Sky News, Tech Crunch