Published in Mobiles

Encryption fault in Apple's imessage

by on15 August 2016


Flaws in the method

Cryptography researchers at John Hopkins University have found another flaw in the encryption used by Apple’s iMessage and while Jobs' Mob might have fixed it, the researchers say that the company's encryption methodology is borked.

Jobs' Mob has been slammed for not making the details of how it encrypts messages open source. iMessage encrypts messages, pictures, and videos end-to-end by default, but Apple refuses to open the code and make it reviewable. As a result security bugs are not spotted until someone finds a huge hole to exploit.

Google and Facebook recently adopted the open source Signal encryption protocol or some of their messaging products. By contrast, Apple cooks up its own method of encrypting messages that is kept largely secret.

The bug discovered by the researchers allowed a sophisticated attacker, say a nation state like the United States or China, to decrypt stored iMessage data. It was not an easy attack and requires hitting Apple’s servers or stealing authentication certificates. But once executed, the “chipertext attack” could fully decrypt some older iMessages.

Attacks from nation state hackers are going to become more  common and the attack vector more agressive. The paper says:

Despite its broad deployment, the encryption protocols used by iMessage have never been subjected to rigorous cryptanalysis. In this paper, we conduct a thorough analysis of iMessage to determine the security of the protocol against a variety of attacks. Our analysis shows that iMessage has significant vulnerabilities that can be exploited by a sophisticated attacker.

The best way for you to protect yourself is by regularly updating your software so that you can get the latest and most relevant security updates. Apple, for instance, patched this bug before it was even widely known. This isn’t just true on iOS, but on all software that you use.

Last modified on 15 August 2016
Rate this item
(4 votes)

Read more about: