Researchers break Apple's iMessage encryption, will be fixed in iOS 9.3
The vulnerability will be fully fixed when Apple releases iOS 9.3 on Monday, but it just goes to show: even strong encryption can have its weak points.
The way the FBI tells it, the encryption on Apple’s iOS is so secure, nothing can break it. Well, not so fast. As reported by the Washington Post, researchers at Johns Hopkins University say they’ve found a bug that allows them to break the encryption of iMessages, decoding photos and videos.
The method requires the data to be in transit, not stored, so it wouldn’t actually help in the case of the San Bernardino shooter’s locked iPhone. By writing software to mimic an Apple server, researchers were able to intercept an encrypted transmission that contained a link to a photo on an iCloud server, as well as a 64-digit key that decrypts it. The key wasn’t visible, but the researchers were able to brute-force each digit. The team notified Apple, who says it paritally fixed the flaw in iOS 9, and will release the full fix on Monday in iOS 9.3.
The Johns Hopkins team is led by computer science professor Matthew Green, who says that the government shouldn’t force Apple to intentionally weaken the security of its own software, when the reality is that perfect encryption is incredibly hard if not impossible to achieve. Apple’s job should be plugging holes, not poking new ones.
“Even Apple, with all their skills—and they have terrific cryptographers—wasn’t able to quite get this right,” said Green, whose team of graduate students will publish a paper describing the attack as soon as Apple issues a patch. “So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.”
The researchers’ full paper will be out Monday, once iOS 9.3 is released, and we’ll have more analysis from our “Private I” columnist Glenn Fleishman. Again, users don’t have to do anything but upgrade to be fully protected from this particular flaw. Let’s hope the same is true next time.