Your encrypted iMessage chats may not be as secure as you think.
A research team from Johns Hopkins University discovered a flaw in Apple's iMessage service that could allow someone to intercept images and videos sent using the messaging platform. It would take a skilled hacker to undo Apple's security, according to a Monday report in the Washington Post, but with perseverance it can be done.
Apple's use of encryption, which scrambles information to shield it from prying eyes, is a contentious subject right now. The tech giant is locked in a high-stakes standoff with the US government over personal privacy versus national security, following the FBI's insistence that Apple provide it with special software to unlock an iPhone used by one of the shooters in the San Bernardino, California, terrorist attack last December. Apple and the feds are due to face off in court on Tuesday.
A great many voices from within the tech community have spoken out in support of Apple, from Facebook Chief Executive Mark Zuckerberg to cryptographers like Matthew Green, one of the Johns Hopkins computer scientists who discovered the iMessage bug.
"It scares me that we're having this conversation about adding back doors to encryption when we can't even get basic encryption right," Green told the Washington Post. He added that the vulnerability he discovered would be of no use to the FBI in its quest to access the San Bernardino shooter's iPhone data.
After reading a report on Apple's encryption, Green guessed that he might be able to exploit iMessage. He and his fellow researchers were able to mimic Apple's servers and intercept iMessages sent between devices running older versions of Apple's iOS software, finding a link to a photo stored in iCloud.
A modified version of the attack could also be used to target more recent versions of iOS, Green said.
The problem was partially resolved with the release of iOS 9 near the end of last year, but Apple will issue a patch to fully address the bug with the release of iOS 9.3 on Monday.
"Apple works hard to make our software more secure with every release," the company said in a statement. "Security requires constant dedication and we're grateful to have a community of developers and researchers who help us stay ahead."
The Johns Hopkins team plans to publish a blog post detailing the vulnerability after Apple issues its fix.