A team of Johns Hopkins University researchers headed by computer science professor Matthew Green has discovered a zero-day flaw in Apple’s iOS encryption, which could allow attackers to decrypt intercepted iMessages.
Not many details about the actual vulnerability have been shared, and won’t be until Apple patches the flaw. According to the Washington Post, the company said that the flaw has been partially fixed in iOS 9 (pushed out last fall), but will be completely removed in iOS 9.3, which is scheduled to be released on Monday (today).
The Johns Hopkins team managed to execute a successful attack by targeting iPhones that are still not using the latest version of the mobile OS.
They developed software that imitates an Apple server, and intercepted an encrypted iMessage that contained a link to a photo stored on Apple’s iCloud server, and a 64-digit key to decrypt the photo.
The digits and letters in the key weren’t visible, but the vulnerability allowed the researchers to repeatedly send test keys back to the phone, which would accept the guessed digits or letters that were correct and reject those that weren’t. After a great number of guesses, they had compiled the entire key.
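The per-digit accept/reject behaviour described above can be modelled in a few lines to show why it matters. This is an added illustration, not the researchers' code or Apple's implementation: the `ToyDevice` class, its method names and the hexadecimal alphabet are assumptions, and it models only the article's summary, since the details of the actual flaw had not been published.

```python
import secrets

HEX = "0123456789abcdef"   # assumption: the key's "digits and letters" are hex
KEY_LEN = 64               # the article's "64-digit key"

class ToyDevice:
    """Constructed stand-in for the receiving phone; holds a secret key."""
    def __init__(self, key=None):
        self._key = key or "".join(secrets.choice(HEX) for _ in range(KEY_LEN))
        self.queries = 0

    def leaky_check(self, position, digit):
        # Leaky behaviour: confirms or rejects a single guessed digit.
        self.queries += 1
        return self._key[position] == digit

    def strict_check(self, candidate):
        # Hardened behaviour: one constant-time verdict on the whole key.
        self.queries += 1
        return secrets.compare_digest(candidate, self._key)

def recover_with_leak(device):
    """Rebuild the key digit by digit from accept/reject answers."""
    found = []
    for pos in range(KEY_LEN):
        for digit in HEX:
            if device.leaky_check(pos, digit):
                found.append(digit)
                break
    return "".join(found)

def worst_case_queries():
    leaky = len(HEX) * KEY_LEN    # 16 guesses per digit, 64 digits
    strict = len(HEX) ** KEY_LEN  # whole-key guessing: 16**64 == 2**256
    return leaky, strict

if __name__ == "__main__":
    dev = ToyDevice()
    key = recover_with_leak(dev)
    used = dev.queries
    print("key recovered:", dev.strict_check(key), "in", used, "queries")
    print("worst case (leaky, strict):", worst_case_queries())
```

A receiver that returns only a single all-or-nothing verdict gives no per-digit signal, so a guesser faces the full whole-key search space instead of at most 16 tries per digit.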
Professor Green noted that a modified version of the attack would also work on later operating systems, but that only highly skilled attackers backed by nation-states are likely to be able to execute it.
According to a tweet published by one of the researchers on the team, the discovered vulnerability is not in how Apple stores or encrypts attachments.
“Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right. So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right,” Green noted, referring to the discussion brought to the public’s attention by the legal battle between the FBI and Apple in the case of the San Bernardino shooting.