Apple encryption flaw exposes iMessage pictures and videos

In a software update Monday, the iPhone maker will issue a fix for the vulnerability, discovered by security researchers.

© Tim Clayton/Corbis

iMessage is commonly used by Apple device owners to exchange pictures and videos.

Apple

Your encrypted iMessage chats may not be as secure as you think.

A research team from Johns Hopkins University discovered a flaw in Apple's iMessage service that could allow someone to intercept images and videos sent using the messaging platform. It would take a skilled hacker to undo Apple's security, according to a Monday report in the Washington Post, but with perseverance it can be done.

Apple's use of encryption, which scrambles information to shield it from prying eyes, is a contentious subject right now. The tech giant is locked in a high-stakes standoff with the US government over personal privacy versus national security, following the FBI's insistence that Apple provide it with special software to unlock an iPhone used by one of the shooters in the San Bernardino, California, terrorist attack last December. Apple and the feds are due face off in court on Tuesday.

A great many voices from within the tech community have spoken out in support of Apple, from Facebook Chief Executive Mark Zuckerberg to cryptographers like Matthew Green, one of the Johns Hopkins computer scientists who discovered the iMessage bug.

"It scares me that we're having this conversation about adding back doors to encryption when we can't even get basic encryption right," Green told the Washington Post. He added that the vulnerability he discovered would be of no use to the FBI in its quest to access the San Bernardino shooter's iPhone data.

After reading a report on Apple's encryption, Green guessed that he might be able to exploit iMessage. He and his fellow researchers were able to mimic Apple's servers and intercept iMessages sent between devices running older versions of Apple's iOS software, finding a link to a photo stored in iCloud.

A modified version of the attack could also be used to target more recent versions of iOS, Green said.

The problem was partially resolved with the release of iOS 9 near the end of last year, but Apple will issue a patch to fully address the bug with the release of iOS 9.3 on Monday.

"Apple works hard to make our software more secure with every release," the company said in a statement. "Security requires constant dedication and we're grateful to have a community of developers and researchers who help us stay ahead."

The John Hopkins team plans to publish a blog post detailing the vulnerability after Apple issues its fix.

Featured Video