
Apple iMessage Encryption Flaw May Not Affect FBI Case

While the data stored on iPhones may be too well-secured for the FBI to access, cryptography researchers at Johns Hopkins University have discovered an apparently unrelated security flaw in Apple's encrypted messaging service.

The outlines of the vulnerability were revealed in a Washington Post story posted online late yesterday (March 20); the flaw lets highly skilled attackers steal photos and videos sent between iOS devices via the iMessage service, but will be fixed in Apple's iOS 9.3 update, due later today (March 21).

Credit: Tsyhun/Shutterstock


Messages sent via iMessage are vulnerable to interception by a fake Apple server. Using such a server, the researchers repeatedly sent a single photo between iOS devices, making minor changes to the photo each time and checking to see how that affected the encrypted version. After thousands of tries, they finally deduced the 128-bit encryption key.


The team's original attack required that targeted devices not be updated to the most recent version of iOS (by implication, any version of iOS 9), but a modified version of the attack could affect even iPhones fully patched through yesterday.

The research team's leader, cryptography professor Matthew D. Green, told The Washington Post that it would take a skilled hacking team, backed by the resources of a nation-state, to use the Johns Hopkins method to steal images and photos sent between completely updated devices.

Worried Apple users should note that this method appears to be very difficult and will work only against targeted individuals. The research paper detailing the attack hasn't been publicly shared yet.

Johns Hopkins researcher Ian Miers, who worked on the attack, tweeted early today that the team would release their paper only after Apple fixes the flaw, which Miers and Green both hinted will come today in an update to iOS 9.3. On Friday (March 18), Green had tweeted that he was "really looking forward to iOS 9.3" and advised all eligible users to install it.

This attack may imply that Apple's encryption is easier to crack than the FBI claims, but it may apply only to secure communications, not to the different kind of encryption used to secure the data stored on an iPhone. That data should still be as secure as it ever was, whether it's on your iPhone or on the iPhone 5c used by San Bernardino shooter Syed Rizwan Farook.

However, Miers dropped another hint via Twitter earlier today: "The attack is more interesting than just attachments and affected more than just iMessage. Apple had to fix other apps, but won't say what."

Stay tuned to Tom's Guide today for news from Apple's iPhone SE event, where we expect the company to announce that iOS 9.3 will be available to download.