iOS 9.3 Fixes Critical Security Flaw In iMessage, Here Are The Details
A number of researchers have discovered a vulnerability in Apple’s iMessage platform, which is a particularly relevant discovery giving the current emphasis being placed on encryption within mobile devices. The research team from John Hopkins University have discovered a loophole in the iMessage protocols that allows them to decrypt videos and photos that have been sent via Apple’s proprietary messaging platform. The vulnerability has been reported to Apple and has been fixed as of iOS 9.3, which is slated for public release later today.
It appears that the issue has been partially resolved within earlier versions of iOS 9, but will be entirely fixed with the public launch of iOS 9.3 later today. The research team behind the discovery has taken the moral high ground of reporting the full issue to Apple and allowing a fix to be in place prior to releasing a white paper on the topic after iOS 9.3 has been released.
The team has taken the opportunity to release a small amount of information pertaining to how they actually managed to execute the attack on the iMessage platform.
To intercept a file, the researchers wrote software to mimic an Apple server. The encrypted transmission they targeted contained a link to the photo stored in Apple’s iCloud server as well as a 64-digit key to decrypt the photo.
Although the students could not see the key’s digits, they guessed a them by a repetitive process of changing a digit or a letter in the key and sending it back to the target phone. Each time they guessed a digit correctly, the phone accepted it. They probed the phone in this way thousands of times.
The investigation into the potential iMessage vulnerability came off the back of computer science professor Matthew D. Green reading an Apple security guide on the encryption process. Green had initially alerted Apple to his thoughts and that a vulnerability may exist, but when it was left untouched by Apple it was decided to dig a little deeper and highlight the problem with real empirical evidence.
Of course, the topic of encryption within iOS and iMessage is highly topical at the moment as Apple prepares for its battle against the FBI in a Californian court tomorrow. Professor Green believes that this discovery could work in Apple’s favor:
Even Apple, with all their skills – and they have terrific cryptographers – wasn’t able to quite get this right. So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.
This issue should be officially fixed on all iOS devices with the expected public launch of iOS 9.3 during Apple’s “Let us loop you in” media event later today.