Install iOS 9.3 to fix serious iMessages encryption flaw

Graham Cluley


For some time, Apple has forcefully pushed a message to consumers that it takes privacy seriously.

Here, for instance, is what Apple’s website says about its approach to privacy when it comes to iMessages:

Your iMessages and FaceTime calls are your business, not ours. Your communications are protected by end-to-end encryption across all your devices when you use iMessage and FaceTime, and with iOS and watchOS, your iMessages are also encrypted on your device in such a way that they can’t be accessed without your passcode. Apple has no way to decrypt iMessage and FaceTime data when it’s in transit between devices.

Many find that attitude admirable, but the stance has taken a knock today with the news that a research team from Johns Hopkins University has discovered a way to break the encryption used by iMessages, opening up the opportunity to spy upon photos and videos being transmitted between iPhones, iPads and Apple Macs.

As the Washington Post reports, the researchers – headed by computer science professor Matthew Green – intercepted messages by writing software that mimicked an Apple server, and then used a brute-force approach to reveal links to supposedly secure photos and videos:

The encrypted transmission they targeted contained a link to the photo stored in Apple’s iCloud server as well as a 64-digit key to decrypt the photo.

Although the students could not see the key’s digits, they guessed at them by a repetitive process of changing a digit or a letter in the key and sending it back to the target phone. Each time they guessed a digit correctly, the phone accepted it. They probed the phone in this way thousands of times.

“And we kept doing that,” Green said, “until we had the key.”
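A toy model of the guessing process described in that report, added here as an illustration; it is not the researchers' code or Apple's protocol, and `LeakyReceiver`, `AuthenticatedReceiver` and the sample keys are constructed assumptions. It shows that per-digit feedback cuts the work from 16^64 guesses to at most 16 × 64 probes, and that verifying a MAC over the whole message with a failure cap (a generic mitigation, not a description of Apple's fix) leaves a prober with no signal.

```python
import hashlib
import hmac

HEX = "0123456789abcdef"
KEY_DIGITS = 64  # the article's "64-digit key"

class LeakyReceiver:
    """Toy model (assumption): the reply reveals when one more digit is right."""
    def __init__(self, key):
        self._key = key
        self.probes = 0
    def accepts(self, guess):
        self.probes += 1
        return self._key.startswith(guess)

def probes_needed(receiver):
    """Count how many probes per-digit feedback needs to pin down the key."""
    known = ""
    for _ in range(KEY_DIGITS):
        known += next(d for d in HEX if receiver.accepts(known + d))
    return known, receiver.probes

class AuthenticatedReceiver:
    """Check a MAC over the whole message, answer every failure alike, cap failures."""
    def __init__(self, mac_key, max_failures=5):
        self._mac_key = mac_key
        self.max_failures = max_failures
        self.failures = 0
    def accepts(self, message, tag):
        if self.failures >= self.max_failures:
            return False  # locked out: a prober gets no further answers
        expected = hmac.new(self._mac_key, message, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):  # constant-time comparison
            return True
        self.failures += 1
        return False

def demo():
    key = hashlib.sha256(b"constructed sample key").hexdigest()  # 64 hex digits
    recovered, probes = probes_needed(LeakyReceiver(key))
    mac_key, msg = b"constructed-mac-key", key.encode()
    tag = hmac.new(mac_key, msg, hashlib.sha256).digest()
    rx = AuthenticatedReceiver(mac_key)
    genuine = rx.accepts(msg, tag)
    # Altering any single digit fails the same way, whichever digit it was.
    tampered = [rx.accepts(msg[:i] + b"x" + msg[i + 1:], tag) for i in range(8)]
    return {"recovered": recovered == key, "probes": probes, "genuine": genuine,
            "tampered": tampered, "locked_out": not rx.accepts(msg, tag)}
```

Calling `demo()` returns the probe count for the leaky model alongside the uniform rejections from the authenticated one.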

The discovery of this iOS privacy flaw comes, of course, at a time when the world is watching a very public legal battle between Apple and the FBI over whether the technology company should be building what some have described as a backdoor in its operating system to grant access to the iPhone recovered after the attack in San Bernardino.

As it happens, the flaw discovered by Matthew Green and the team from Johns Hopkins University doesn’t help with that iPhone, as the vulnerability only exists while data is in transit rather than stored at rest on a device.

For his part, Green told the Washington Post he is worried by the thought that courts could compel technology companies to build weaknesses into their products’ security:

“Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right. So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.”

Apple is expected to release iOS 9.3 today, fixing the vulnerability – after which the researchers will release more details of the vulnerability they discovered.

It should go without saying that if you own an iOS device, it will make sense to update as soon as possible.

It remains unclear whether any intelligence agency was already aware of the flaw in iOS, and was exploiting it for surveillance purposes, without informing Apple of the problem.

This article originally appeared on the HEAT Security blog.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.