News  Apple
Apples iMessage security busted

Keys cracked

Using brute force with a little extra know-how, a team from Johns Hopkins University led by professor Matthew Green has cracked an iOS flaw and retrieved the encryption key used.

iOS 9.3 beta is not affected, which is great news for users as the stable version is due for release any time now. Green quietly tipped off Apple in good time for this release, and although the current version is vulnerable, it's only with the use of a "nation-grade" level of cryptographers and equipment.

Green said "Even Apple, with all their skills - and they have terrific cryptographers - wasn’t able to quite get this right. So it scares me that we’re having this conversation about adding backdoors to encryption when we can’t even get basic encryption right."

The solution the FBI want?

Apple is currently in the middle of a battle with the FBI regarding an encrypted iPhone. They are under pressure to decrypt it, and even sent an open letter to their customers arguing the case against this.

However, the Justice Department recently said it might be possible to unlock the handset following the way an "outside party" had demonstrated something of interest. The situation regarding this specific hack being the solution to cracking the particular iPhone in question is unclear, however, with reports suggesting it probably would not have helped.

imessage 700x400

Old fashioned brute force with extras

The technique the team used concentrated on the data flowing between the devices, such as iMessages, which are encrypted using a process Green became suspicious of after reading an Apple security guide describing it. He set his team the challenge of implementing the hack by writing software which mimicked Apples servers. By repeatedly sending a test key, they were able to figure out each digit turn-by-turn by altering the sequence slightly. They then proved it worked by retrieving a photo from iCloud in a way a user would never have known about.

imessage cracked tweet 550x223

Greens team took a few months but eventually succeeded. With his team, Ian Miers, Christina Garman, Michael Rushanan, and Gabriel Kaptchuk, he said he would publish the paper with all the details of the attack after Apple releases a patch to resolve the problem. 

john hopkins university 700x239

Apple released the following statement: "Apple works hard to make our software more secure with every release. We appreciate the team of researchers that identified this bug and brought it to our attention so we could patch the vulnerability. . . . Security requires constant dedication and we’re grateful to have a community of developers and researchers who help us stay ahead."

The full details of the hack have been published here.