Experts Find Security Hole In Apple's iMessage Encryption: Here's What They Were Able To Do

Sumit Passary, Tech Times 21 March 2016, 09:03 am

Researchers have found a security flaw in Apple iMessage that can be used for intercepting data.

A team of researchers led by cryptography expert Matthew D. Green of Johns Hopkins University say that they have found a bug, which allows them to break the encryption of iMessages. Green suggests that the encryption vulnerability allows a skilled attacker to decrypt videos and photos sent as secure instant messages.

The researchers explain that their method of decrypting needs iMessage data to be in transit and not stored. The software made by the research team mimics an Apple server and intercepts an encrypted transmission, which contains a link to a video or photo on the iCloud server. The key used by the researchers was not visible; however, they were able to brute-force each digit.

The security flaw comes amid Apple's legal battle with the U.S. Federal Bureau of Investigation (FBI). A Federal court requires Apple's technical and software-related assistance for unlocking an iPhone 5c. The Apple smartphone is related to the shootings that took place in San Bernardino in 2015.

The iPhone 5c in question was used by Rizwan Farook, who was responsible for the San Bernardino shooting with his wife. It is worth noting that Farook was using the iPhone 5c, but the actual owner of the handset was Farook's employer. The shooting killed 14 people and wounded 22 more.

The latest vulnerability found by Green and his team cannot assist FBI in unlocking Farook's iPhone 5c.

Green believes that the U.S. government should not force Apple in unlocking the iPhone 5c. However, Green says that perfect encryption is very hard but it is not impossible to achieve.

"Even Apple, with all their skills - and they have terrific cryptographers - wasn't able to quite get this right," says Green. "So it scares me that we're having this conversation about adding back doors to encryption when we can't even get basic encryption right."

The news of the latest encryption vulnerability in iOS has led some people to believe that the flaw is not exclusive to iMessage. Other apps may be on the same boat but Apple will not reveal it.

The attack is more interesting than just attachments and affected more than just iMessage. Apple had to fix other apps, but won't say what.

— Ian Miers (@secparam) 21 March 2016

The research team has notified Apple of the security flaw and the company will issue a fix for the problem in iOS 9.3. Green and his team will provide details of the encryption bug once Apple has issued a patch.