Apple iMessage Encryption Not Impregnable; Researchers Find Security Hole

As it turns out, Apple devices are not impregnable after all. A team of security researchers from John Hopkins University has discovered a security hole in Apple's native messaging app, iMessage, which allowed the researchers to view photos, videos and files that were sent using the application.

Apple has prided itself with the security of its devices, which is most prominent in iMessage. Since the app was unveiled back in 2011, iMessage was using an encrypted protocol to send and receive messages. Messages sent from one phone are encrypted using a private key, which, after passing through Apple's servers, get decrypted by the receiver's iPhone.

It's a pretty simple security model, and for the most part, it has worked quite well for Apple. However, as much as the messages themselves were encrypted quite thoroughly, it turns out that Apple has been utilizing a relatively basic 64-bit encryption key for videos, photos and files sent through the app.

In order to beat Apple's encryption, the security researchers simply developed a server that is designed to mimic Apple's servers to intercept the files sent through the messaging platform. Once intercepted, the researchers employed a classic brute-force attack, attempting thousands of possible decryption keys. Eventually, the photos, videos and files were successfully decrypted by the researchers.

Matthew D. Green, head of the security research team, stated that the presence of the flaw in Apple's security system is proof that the FBI does not need to force the tech giant to create a backdoor in order to break into its mobile devices.

"Even Apple, with all their skills, and they have terrific cryptographers, wasn't able to quite get this right. So it scares me that we're having this conversation about adding backdoors to encryption when we can't even get basic encryption right," he said.

Responding to the flaw, Apple has stated that it has already developed a fix for the flaw in iMessage's encryption. In fact, the release of iOS 9 fixed most of the weaknesses. With the upcoming release of iOS 9.3, Apple has pledged that the entire security hole has been fully patched up.

"Apple works hard to make our software more secure with every release. We appreciate the team of researchers that identified this bug and brought it to our attention so we could patch the vulnerability," Apple said in a statement.

Tags
Apple, IMessage, Encryption
Real Time Analytics