Flaw in Apple’s iMessage encryption puts your photos, videos at risk

Johns Hopkins University researchers found a flaw in the encryption used in Apple’s iMessage that could allow attackers to intercept and decrypt photos and videos sent over the service.

That’s the bad news. The good news is that the latest version of Apple’s mobile operating system, iOS 9.3, which is being released today, patches the bug.

The team of Johns Hopkins researchers notified Apple of the flaw on Nov. 13, 2015, lead researcher Matthew Green told the Daily Dot via email. “Given the number of devices they support,” said Green, “[the patch] was fairly quick.”

“The fix was somewhat involved and affected more than just iMessage, so it took them some time to work out and test,” co-researcher Ian Miers told the Daily Dot via email. 

Miers did not have a list of other Apple services affected by the security flaw, but he noted that the encryption protocol used by iMessage is also used in several other places within Apple’s operating system. Miers said Apple wouldn’t comment on which other applications were affected.

Encryption uses a mathematical algorithm to scramble data so that only someone holding the correct key can decrypt and read it. It is used to protect banking transactions, instant messages, Web searches, and many other areas of technology and the Internet.

“Apple works hard to make our software more secure with every release,” Apple said in a statement to the Washington Post, which first reported the researchers’ findings. “We appreciate the team of researchers that identified this bug and brought it to our attention so we could patch the vulnerability. … Security requires constant dedication and we’re grateful to have a community of developers and researchers who help us stay ahead.”

In a statement to the Post, Green invoked the current high-stakes legal battle between Apple and the Federal Bureau of Investigation, which obtained a court order compelling Apple to create specialized software to bypass security measures on the iPhone of San Bernardino shooter Syed Farook. 

“Even Apple, with all their skills—and they have terrific cryptographers—wasn’t able to quite get this right,” Green told the Post. “So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.”

Apple, civil-society groups, and the academic encryption community fear that compelling a software company to introduce a “backdoor” into their encryption or to write and develop software that would circumvent security features on the phone undermines the security and privacy of all iPhone users and could set a dangerous legal precedent.

Apple is fighting the court order on the grounds that the law it relies on, the All Writs Act, does not give the government the authority to require the company to write custom software, and that the order violates the company’s rights.

The FBI and the Justice Department originally contended that the motion concerns only one phone, but judges in other states have said they would use a victory to unlock other iPhones currently in the courts’ possession.

Green said he first suspected there might be a bug in Apple’s encryption after reading the technical details of the encryption process described in Apple’s security guide.

Apple and the FBI will appear in court to argue the iPhone order on Tuesday, March 22.

H/T Washington Post | Photo via Ruiwen Chua / Flickr (CC by 2.0) | Remix by Max Fleishman

William Turton

Once named one of Forbes’ 20 Under 20 and hired as a staff writer for the Daily Dot when he was still a senior in high school, William Turton is a rising tech reporter focusing on information security, hacking culture, and politics. Since leaving the Daily Dot in April 2016, his work has appeared on Gizmodo, the Outline, and Vice News Tonight on HBO.