14 DAY TRIAL // A group of researchers from the Johns Hopkins University in the US have discovered a method of decrypting images and videos sent via iMessage on older versions of iOS.
The team made up of Christina Garman, Gabriel Kaptchuk, Michael Rushanan, Ian Miers, and led by professor Matthew Green, have informed Apple of their issue, and the company will be issuing an update later today to address the problem.
As Green told the Washington Post in an exclusive, the bug only affects older versions of iOS and is found in the company's encryption algorithm used to secure content sent through the iMessage app.
Research started based on a hunch
Green suspected that something might be off in Apple's encryption algorithm while reading the company's security guide that described the encryption process. He says that he alerted Apple to the problem, but was surprised that the issue wasn't addressed in later patches.
He then put together a team of students and proceeded in creating an exploit for the "theoretical" flaw he spotted.
As the team explains, the flaw resides in how iMessage stores images and video content shared inside a conversation on Apple's iCloud servers, securing it with a 64-bit key.
Researchers said that they could query Apple's iCloud server about the encryption key one character at a time until they've reconstructed the entire key, allowing them to retrieve the original content.
Ian Miers, one of the researchers, said on Twitter that the bug also affected other apps, not just iMessage, but he declined to name them.
Issue was partially fixed in iOS 9
Green says that Apple partially fixed this flaw with the release of iOS 9 last year, meaning his attack will only work on Apple devices running older versions of iOS. The researcher also said that with a few modifications, in theory, the attack could work on newer iOS versions as well.
The researcher team informed Apple in advance of the encryption flaw, and the company will be releasing a new iOS version today to fix the problem entirely. Green and his students said they'll also be publishing an in-depth overview in a research paper after Apple has released its patch.
With the FBiOS scandal in full throttle, Green stated that this flaw cannot be used in the San Bernardino shooter investigation, but can be effective in sustained surveillance against Apple users that haven't updated their iOS.
Details, blog post, paper, etc to come after Apple ships the patch. — Ian Miers (@secparam) March 21, 2016
And now you have 14 hours to guess what the attack is. As a hint, no, its not a bug in how Apple stores or encrypts attachments. — Ian Miers (@secparam) March 21, 2016
The attack is more interesting than just attachments and affected more than just iMessage. Apple had to fix other apps, but won't say what. — Ian Miers (@secparam) March 21, 2016