Messages sent through iMessage are not as secure as users previously thought. Researchers with Johns Hopkins University discovered a vulnerability in Apple's messaging system that allows an attacker to decrypt and view sent photos and videos. The Washington Post reports that the research group successfully tested their findings on phones that weren't yet using the company's newest OS. Apple plans to patch the flaw later today with the release of iOS 9.3, at which point the researchers will release a paper on their findings.
The researchers, including computer science professor Matthew D. Green, exploited the bug through custom software that acted as an Apple server. They used it to target messages that included a link to a photo stored on Apple’s iCloud server along with a 64-digit key to decrypt the image. The researchers didn’t know those digits, but were able to keep guessing until they hit a combination of digits and letters that would let them download the photo.
Apple said in a comment to The Verge that security improvements in iOS 9.0 "blocked external attackers from performing the message intercept necessary to perform the attack identified in this report." The company also said "further targeted protections have been added in the beta version of iOS 9.3 and will be included in the public release for all users."
Green told The Washington Post that this exploit could be modified to work on later operating systems, but also stipulated that only sophisticated nation-state actors could likely pull off an attack. That being said, it’s feasible that law enforcement agencies could use the findings in active criminal investigations, he said.
The discovery comes amid a broader national discussion about encryption on smartphones and iPhones in particular. The FBI and Apple are going to court tomorrow over an iPhone linked to the terrorist attack in San Bernardino, California. The FBI wants Apple to write custom software to help it endlessly brute force the device. Though this exploit couldn't help open that iPhone, law enforcement officials could use it to obtain suspected criminals' photos and videos sent through the messaging system without their knowledge, which is why Green recommends updating devices' OS as soon as possible.
3/21, 11:35 AM ET: Updated to include Apple's comment.