iMessage Security Flaw Allows Researchers to Decrypt Images

Discussion in 'Politics, Religion, Social Issues' started by MacRumors, Mar 21, 2016.

  1. MacRumors macrumors bot


    Apr 12, 2001

    A flaw in Apple's encryption systems has been found that enables an attacker to decrypt photos and videos sent over its iMessage instant messenger service.

    According to The Washington Post, the security hole in Apple's code was exploited by a group of Johns Hopkins University researchers, led by computer science professor Matthew D. Green.

    Green reportedly alerted Apple to the problem last year after he read an Apple security guide describing an encryption process that struck him as weak. When a few months passed and the flaw remained, Green and his graduate students decided to mount an attack to show that they could break the encryption of photos and videos sent over iMessage.

    The team succeeded by writing software that mimicked an Apple server and hijacked the encrypted transmission of the targeted phone. The transmission contained a link to a photo stored in Apple's iCloud server as well as a 64-digit key to decrypt the photo.

    While the students could not see the key's digits, they guessed them by a repetitive process of changing a digit or a letter in the key and sending it back to the target phone. Each time they guessed a digit correctly, the phone accepted it. The phone was probed in this way thousands of times until the team guessed the correct key and was able to retrieve the photo from Apple's server.

    Apple said that it partially fixed the problem last fall when it released iOS 9, and will fully address the issue through security improvements in iOS 9.3, which is expected to be released this week. The company's statement read:

    The news comes amid Apple's ongoing legal battle with the FBI in connection with the iPhone at the center of the San Bernardino shooter investigation. The FBI has requested help from Apple to unlock the phone, but the company has so far refused.

    The FBI wants to access data stored on the iPhone in question, whereas the Johns Hopkins research focused on the interception of data transmitted between devices. However, Green believes that his team's work highlights the inherent security risks of the FBI's demands in the California case.

    "Even Apple, with all their skills -- and they have terrific cryptographers -- wasn't able to quite get this right," Green told the newspaper. "So it scares me that we're having this conversation about adding backdoors to encryption when we can't even get basic encryption right."

    Apple will face off against the FBI in court on Tuesday, one day after the company's March 21 event that will see the debut of the 4-inch iPhone SE and the 9.7-inch iPad Pro. MacRumors will post a direct link to Apple's media event once it becomes available.

    Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

  2. profets macrumors 601

    Mar 18, 2009
    Good on Green for pointing this out. If Apple has partially fixed it in 9.0 and is fully addressing it with 9.3, I wonder if they did so based on Green notifying them last year.
  3. Jimmy James macrumors 601

    Jimmy James

    Oct 26, 2008
  4. unlinked macrumors 6502a

    Jul 12, 2010
    Seems strange they can mimic Apple's servers. Surely all communication is protected by certs.
  5. RightMACatU macrumors 65816


    Jul 12, 2012
    Celebrity cat photos exposed for world to see!!! :D
  6. ArtOfWarfare macrumors G3


    Nov 26, 2007
    They didn't say what they did or didn't do with the iPhone. It's possible that they jailbroke it and swapped out the certificates on it so it would accept communication with their server.
  7. navaira macrumors 68040


    May 28, 2015
    Amsterdam, Netherlands
    2016: The year of Apple security flaws.
  8. 2457282 Suspended

    Dec 6, 2012
    It is amazing that there are now several flaws in the wild with Apple and the FBI can't figure this out. Instead they want the "easy" way of making security weak so they don't have to work hard.
  9. DaveN macrumors 6502a


    May 1, 2010
    No. Alphabet owns that crown with Android.
  10. C DM macrumors Sandy Bridge

    Oct 17, 2011
    Any year is the year of security flaws in pretty much any OS.
  11. maxsix Suspended


    Jun 28, 2015
    Western Hemisphere
    I resent this claim.

    Apple has spent years successfully brainwashing me... to believe they've got my back. If your claim is true I'd have a major meltdown. My entire world turned upside down.

    Do you really want to cause that?

  12. navaira macrumors 68040


    May 28, 2015
    Amsterdam, Netherlands
    Oh every year is security flaw year for Android (said a person who owns three Android devices) but Apple's selling point has very long been "our walled garden has no security flaws" and somehow in the last months I'm reading about hostile apps in App Store, security flaws, iCloud security problems, iMessage security problems... Maybe Alphabet have a special division devoted only to breaking into Apple's products.
  13. C DM macrumors Sandy Bridge

    Oct 17, 2011
    Has that actually really been the case, or was it that with the "walled garden" approach the security is that much higher/better even just by its limiting nature, and not that it's just completely perfect and hasn't or can never have flaws?
  14. Keane16 macrumors 6502a


    Dec 8, 2007
    No, no it has not. Apple have never said that.

    Fanboys, fools and kids on the internet? Yes I've seen them claiming that.

    You've got to separate what Apple actually say and what gets posted on the internet.
  15. Mactendo macrumors 68000

    Oct 3, 2012
    It looks like they are not as terrific as Mr. Green is.
    I don't understand why after getting a warning about a security issue Apple always waits until someone actually makes a successful attack.
  16. d00d macrumors regular

    Jul 22, 2002
    Successful encryption application is a challenging task and often finding the flaw is easier than making the system to begin with.

    Regarding disclosure, the current etiquette is to disclose at time of fix rather than announce a list of attack vectors for exploitation. Researchers generally disclose to vendors privately, then publicly sometime later if a response is not received in a timely (somewhat subjective) manner. Apple doesn't always wait until there's a successful attack. Join their security announcements mailing list. Every update they release has a series of vulnerabilities fixed and disclosed. Many (I'd probably characterize it as most) of them have no successful attacks in the wild.
