CybersecurityHackers could decrypt iMessage photos, videos

Published 22 March 2016

A team of researchers has poked a hole in Apple’s iMessage encryption software. The bug would enable a skilled hacker to decrypt photos and videos sent as secure instant messages. The details of the vulnerability will be published after Apple has issued an update that corrects the flaw.

A team of researchers led by Johns Hopkins University computer scientist Matthew Green has poked a hole in Apple’s iMessage encryption software, theWashington Post reports. The bug would enable a skilled hacker to decrypt photos and videos sent as secure instant messages. The details of the vulnerability will be published after Apple has issued an update that corrects the flaw.

Johns Hopkins notes that this discovery comes at a time of intense scrutiny of Apple’s encryption software and its role in national security. The FBI is locked in a legal battle with the technology giant over access to data that may be stored on the phone of one of the San Bernardino shooters, Syed Rizwan Farouk, whose attack killed fourteen people. The Justice Department wants the court to compel Apple to lift the 10-attempt limit on attempts to crack the password of the shooter’s phone.

According to thePost, cryptographers such as Green claim that it makes no sense for a company to create software that compromises its own security features, especially “when there may already be bugs that can be exploited.” These experts argue that creating a “back door” to enable access would damage security for more than just the targeted device.

Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right,” Green told thePost. “So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.”

Apple’s iMessage is one of the most-used end-to-end encrypted messaging systems, but Green said that his team’s discovery of the bug “underscores how hard it is to get basic encryption right. Vulnerabilities in these systems do exist.”

More from the Post:

To intercept a file, the researchers wrote software to mimic an Apple server. The encrypted transmission they targeted contained a link to the photo stored in Apple’s iCloud server as well as a 64-digit key to decrypt the photo.

Although the students could not see the key’s digits, they guessed at them by a repetitive process of changing a digit or a letter in the key and sending it back to the target phone. Each time they guessed a digit correctly, the phone accepted it. They probed the phone in this way thousands of times.

And we kept doing that,” Green said, “until we had the key.”