Flaw leaves Apple iMessage users vulnerable, study finds

Researchers at Johns Hopkins University have found a bug that enables hackers to see photos and videos sent via Apple’s messaging service, iMessage.

Last fall, a similar exploit affecting versions of iMessage before iOS 9 was found and immediately fixed by Apple with the release of iOS 9.

One of the researchers from Johns Hopkins University, Professor Matthew D Green, told the Washington Post that they had long suspected Apple’s encryption process was flawed. He led a group of graduate students who managed to break the encryption that is supposed to protect all photos and videos sent via iMessage.

According to the professor, the exploit is very simple. It involves creating software that emulates an Apple server, which can then be used to intercept files as they are sent. The encrypted transmission that the team targeted contained a link to a photo stored on Apple’s iCloud server, along with a 64-digit encryption key that was required to decrypt the photo. The students could not see the key, but they could guess it by brute force, repeatedly changing a digit or letter of the key and sending it back to the targeted phone. Whenever a guess was correct, the phone accepted it. After countless repeated attempts, brute-forced on a modern computer, the key was obtained.

Armed with the key, the group was then able to retrieve the photo from Apple’s server. Professor Green noted that if the exploit were modified, it could probably work on later versions of iOS as well. He added, however, that an exploit of this kind would require the resources and hacking skills of a nation state.
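
As an added illustration (not code from the researchers or from Apple), this simplified Python model shows why accept/reject feedback on a single changed digit makes a 64-digit key guessable, and how one all-or-nothing integrity check removes that feedback. The receiver classes, the hex-digit key and the HMAC-based check are assumptions made for the sketch; they are not the iMessage protocol or Apple's fix.

```python
import hashlib
import hmac
import secrets

HEX = "0123456789abcdef"
KEY_LEN = 64  # the article's "64-digit" key, modelled here as 64 hex digits


class LeakyReceiver:
    """Constructed model: answers accept/reject for each single-digit guess."""

    def __init__(self, key):
        self._key = key
        self.queries = 0

    def accepts(self, position, digit):
        self.queries += 1
        return self._key[position] == digit


class AuthenticatedReceiver:
    """Hardened model: any altered message fails one all-or-nothing MAC check."""

    def __init__(self, mac_key):
        self._mac_key = mac_key

    def accepts(self, message, tag):
        expected = hmac.new(self._mac_key, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)  # constant-time comparison


def recover_with_feedback(receiver):
    """Per-digit feedback cuts the search to at most 16 * 64 guesses, not 16 ** 64."""
    return "".join(
        next(d for d in HEX if receiver.accepts(pos, d)) for pos in range(KEY_LEN)
    )


def tampered_messages_accepted(receiver, message, tag):
    """Alter each byte of an authentic message; count how many variants pass."""
    accepted = 0
    for i in range(len(message)):
        altered = message[:i] + bytes([message[i] ^ 0x01]) + message[i + 1:]
        accepted += receiver.accepts(altered, tag)
    return accepted
```

In the leaky model the key falls in at most 1,024 queries; in the authenticated model every altered message is rejected the same way, so the sender learns nothing about individual digits.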

Apple has, however, patched this exploit in iOS 9.3, which is due to be released today. The release is part of a wider event where further software updates and hardware releases, such as new versions of the iPhone, are also to be announced. With exploits like this around, iPhone users are advised to update to the latest iOS version as soon as possible.

The flaw discovered by Professor Green has nothing to do with the ongoing court battle between Apple and the FBI. The FBI wants a backdoor into one of the phones in its possession because it believes the phone contains valuable information. Apple says the creation of a backdoor would set a dangerous precedent.