Apple’s iMessage Encryption Can Be Broken They Say

Hi guys,

A zero-day vulnerability in Apple’s iOS encryption has been discovered by a team of researchers headed by  professor Matthew Green  at the Johns Hopkins University.

This flaw could allow attackers to decrypt intercepted iMessages. But a lot of details about the flaw has not been shared yet. The company has said that in iOS9 the flaw has been partially fixed but will be completely removed in iOS 9.3 on Monday (today).

The researchers  managed to successfully execute an attack targeting iPhones that are still not using the latest version of the mobile OS. For the attack, a software that imitates the Apple server has been developed. Then they have intercepted an encrypted iMessage that contained a link to the photo stored in Apple’s iCloud server, and a 64-digit key to decrypt the photo.

The visibility of the digits and letters in the key was low, but researchers were able to repeatedly send  test keys back to the phone. These keys would accept the guessed digits or letters and reject those that weren’t the correct ones. It would compile the entire key after very many guesses.

Accroding to Professor Green, later operating systems would be suseptible to modified version of the attack, but only would be exploitable by highly skilled attackers backed by nation-states.

One of the researchers published a  tweet noting that the discovered vulnerability is not related to how Apple stores or encrypts attachments.

“Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right. So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right,” Green noted, referring to the discussion brought to the public’s attention by the legal battle between the FBI and Apple in the case of the San Bernardino shooting.

Source: Akati

Comments are closed.