21 March 2016, California: A research team from Johns Hopkins University discovered a flaw in Apple’s iMessage service that could allow someone to intercept images and videos sent using the messaging platform. It would take a skilled hacker to undo Apple’s security, according to a Monday report in the Washington Post, but with perseverance it can be done.
With Apple ready to launch the new iPhone SE, this has been a setback for its team.
iMessage has been an encrypted messaging protocol from day one. When you send an iMessage, your device opens a secure connection with Apple’s servers. Messages are encrypted on your phone using a private key, sent to Apple’s servers, and delivered to your recipient. Your recipient’s phone then decrypts the message.
In other words, Apple theoretically can’t read or decrypt your messages: what it handles is just encrypted gibberish, and Apple doesn’t have the key to decrypt it.
And yet, Johns Hopkins University researchers found a bug. They weren’t able to decrypt messages, but they found a way to intercept photos, videos or files.
Files have been using a weak encryption method with a 64-bit encryption key. Researchers developed a server that mimics Apple’s own servers to intercept the encrypted files. They then attempted thousands of keys as Apple doesn’t throttle failed attempts. With this brute force method, researchers could decrypt files from Apple’s servers without anyone noticing.
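The control the paragraph above says was missing, throttling of failed attempts, can be sketched as follows. This is an added example, not Apple's code or the researchers' tooling; the class name, client ID, thresholds and the one-attempt-per-millisecond model are assumptions chosen for illustration.

```python
class AttemptThrottle:
    """Per-client exponential backoff on failed decryption/key checks.
    Times are integer milliseconds supplied by the caller (assumed model)."""

    def __init__(self, free_failures=3, base_delay_ms=1000, max_delay_ms=3_600_000):
        self.free_failures = free_failures
        self.base_delay_ms = base_delay_ms
        self.max_delay_ms = max_delay_ms
        self._state = {}  # client_id -> (consecutive failures, locked_until_ms)

    def allowed(self, client_id, now_ms):
        _, locked_until = self._state.get(client_id, (0, 0))
        return now_ms >= locked_until

    def record(self, client_id, success, now_ms):
        if success:
            self._state.pop(client_id, None)  # a good attempt clears the penalty
            return
        failures = self._state.get(client_id, (0, 0))[0] + 1
        delay = 0
        if failures > self.free_failures:
            # Double the lockout for each failure past the free allowance.
            exponent = failures - self.free_failures - 1
            delay = min(self.base_delay_ms * 2 ** exponent, self.max_delay_ms)
        self._state[client_id] = (failures, now_ms + delay)


def failures_processed(throttle, budget_ms, client_id="client-A"):
    """Count wrong attempts the server evaluates when one client submits
    one per millisecond for budget_ms. throttle=None models no limiting."""
    processed = 0
    for now_ms in range(budget_ms):
        if throttle is not None and not throttle.allowed(client_id, now_ms):
            continue  # rejected before any key material is touched
        processed += 1
        if throttle is not None:
            throttle.record(client_id, False, now_ms)
    return processed


if __name__ == "__main__":
    print("unthrottled:", failures_processed(None, 60_000))
    print("throttled:  ", failures_processed(AttemptThrottle(), 60_000))
```

Over the same simulated minute the unthrottled server evaluates every wrong attempt, while the throttled one evaluates only a handful, and the repeated lockouts give monitoring something to alert on.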
Matthew Green, leader of the Johns Hopkins University research team, said, “If you put resources into it, you will come across something like this.”
Law enforcement officials have warned that such “warrant-proof” encryption shields criminals and terrorists from investigation. Apple, which like other companies has been steadily shoring up its security, has become the poster child for such warnings.
Apple said it partially fixed the problem last fall when it released its iOS 9 operating system, and it will fully address the problem through security improvements in its latest operating system, iOS 9.3, which will be released today.