While Apple is busy locking horns with the FBI over court orders to break open the security of its iOS operating system, researchers at Johns Hopkins University have found a serious security flaw in iMessage. At a time when we are discussing the importance of encryption, this iMessage security flaw once again teaches us not only the ‘need for encryption,’ but the ‘need for encryption done right.’
The research team led by Professor Matthew Green found this critical bug, which would allow a skilled attacker to decrypt photos and videos sent via iMessage. The loophole was reported to Apple, and Apple has fixed it in the latest iOS version, iOS 9.3. It is strongly recommended to upgrade your device to iOS 9.3.
Thanking the team at Johns Hopkins University for its research and for reporting the flaw, the tech giant said it partially fixed the problem with the release of iOS 9 and that iOS 9.3 now fully addresses it.
How Does the iMessage Security Flaw Work?
A blog entry and research papers explain how the iMessage security flaw works: the implementation of iMessage in versions of iOS prior to 9.3 and Mac OS X prior to 10.11.4 contains serious flaws in the encryption mechanism that could allow an attacker who obtains iMessage ciphertexts to decrypt the payload of certain attachment messages via a slow but remote and silent attack, provided that one sender or recipient device is online.
How Was the iMessage Attack Executed?
The research team also explains how they managed to execute the iMessage attack.
To intercept a file, the researchers wrote software to mimic an Apple server. The encrypted transmission they targeted contained a link to the photo stored in Apple’s iCloud server as well as a 64-digit key to decrypt the photo.
Although the students could not see the key’s digits, they guessed them by a repetitive process of changing a digit or a letter in the key and sending it back to the target phone. Each time they guessed a digit correctly, the phone accepted it. They probed the phone in this way thousands of times.
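The per-digit accept/reject behaviour described above is what a receiver must not expose. The following is an added example, not code from the article, the researchers or Apple, and not a description of Apple's fix: a hypothetical receiver that authenticates the whole message before acting on it, answers every altered message identically, and stops answering a sender after repeated failures. The class and function names, the shared MAC key, the threshold and the sample message are all assumptions made for illustration.

```python
import hashlib
import hmac

MAX_FAILURES = 5  # assumed threshold; the article reports thousands of probes
TAG_LEN = 32      # HMAC-SHA256 output size in bytes


class AttachmentReceiver:
    """Hypothetical receiver: authenticate first, answer uniformly, cap retries."""

    def __init__(self, mac_key: bytes):
        self._mac_key = mac_key
        self._failures = {}  # sender id -> number of rejected messages

    def _tag(self, body: bytes) -> bytes:
        return hmac.new(self._mac_key, body, hashlib.sha256).digest()

    def seal(self, body: bytes) -> bytes:
        """Sender side: append a MAC covering the whole body (link and key)."""
        return body + self._tag(body)

    def receive(self, sender: str, message: bytes) -> str:
        if self._failures.get(sender, 0) >= MAX_FAILURES:
            return "blocked"  # repeated tampering: stop answering this sender
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        # Constant-time check; nothing is parsed, fetched or decrypted before it passes.
        if len(message) < TAG_LEN or not hmac.compare_digest(tag, self._tag(body)):
            self._failures[sender] = self._failures.get(sender, 0) + 1
            return "rejected"  # same answer whichever character was altered
        return "accepted"


def replay_altered(receiver, sender, sealed, positions):
    """Self-test: resend the message with one byte changed at each position."""
    outcomes = []
    for pos in positions:
        altered = bytearray(sealed)
        altered[pos] ^= 0x01
        outcomes.append(receiver.receive(sender, bytes(altered)))
    return outcomes


def demo():
    # Constructed sample: a placeholder link plus a 64-digit key, as in the article.
    body = b"link=https://attachments.example.invalid/photo;key=" + b"0f" * 32
    receiver = AttachmentReceiver(mac_key=b"constructed-demo-key-not-secret!")
    sealed = receiver.seal(body)
    genuine = receiver.receive("alice", sealed)
    probes = replay_altered(receiver, "mallory", sealed, range(len(body) - 8, len(body)))
    return genuine, probes
```

Because every altered message produces the same "rejected" result, the response carries no information about which digit was changed, and the failure counter turns a long series of probes into a visible, bounded event.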
Green reported his concerns about the possibility of an iMessage bug to Apple, but decided to showcase the attack along with his team when the flaw remained unpatched for a few months. The team decided to release details and papers of their research once Apple patched the bug in iOS 9.3 and released it to the public yesterday.
Apple has credited the Johns Hopkins University research team in its iOS 9.3 security notes under CVE-2016-1788.
The iMessage security flaw is one of many examples which prove that “perfect security” is a myth. This is why we need encryption, and why we need to get encryption right.