A new report today notes that "Apple's growing arsenal of encryption techniques — shielding data on devices as well as real-time video calls and instant messages — has spurred the U.S. government to sound the alarm that such tools are putting the communications of terrorists and criminals out of the reach of law enforcement.
But a group of Johns Hopkins University researchers has found a bug in the company's vaunted encryption, one that would enable a skilled attacker to decrypt photos and videos sent as secure instant messages.
This specific flaw in Apple's iMessage platform likely would not have helped the FBI pull data from an iPhone recovered in December's San Bernardino, Calif., terrorist attack, but it shatters the notion that strong commercial encryption has left no opening for law enforcement and hackers, said Matthew D. Green, a computer science professor at Johns Hopkins University who led the research team."
Green suspected there might be a flaw in iMessage last year after he read an Apple security guide describing the encryption process and it struck him as weak. He said he alerted the firm's engineers to his concern. When a few months passed and the flaw remained, he and his graduate students decided to mount an attack to show that they could pierce the encryption on photos or videos sent through iMessage.
Green stated that "Even Apple, with all their skills — and they have terrific cryptographers — wasn't able to quite get this right." Green's team of graduate students will publish a paper describing the attack as soon as Apple issues a patch. Green added that "it scares me that we're having this conversation about adding back doors to encryption when we can't even get basic encryption right."
Christopher Soghoian, principal technologist at the American Civil Liberties Union, said that Green's attack highlights the danger of companies building their own encryption without independent review. "The cryptographic history books are filled with examples of crypto-algorithms designed behind closed doors that failed spectacularly," he said. For more on this, read the full Washington Post report here.
Apple said it partially fixed the problem last fall when it released its iOS 9 operating system, and it will fully address the problem through security improvements in its latest operating system, iOS 9.3, which will be released later today.