Skip to main content

Johns Hopkins team uncovers bug in Apple's iMessage encryption

Flaw would enable skilled hacker to decrypt iMessage photos, videos

Image credit: Getty Images

A team of researchers led by Johns Hopkins University computer scientist Matthew Green has poked a hole in Apple's iMessage encryption software, The Washington Post reports. The bug would enable a skilled hacker to decrypt photos and videos sent as secure instant messages. The details of the vulnerability will be published after Apple has issued an update that corrects the flaw.

Matthew Green

Image caption: Matthew Green

This discovery comes at a time of intense scrutiny of Apple's encryption software and its role in national security. The FBI is locked in a legal battle with the technology giant over access to data that may be stored on the phone of one of the San Bernardino shooters, Syed Rizwan Farouk, whose attack killed 14 people. The Justice Department aims to compel Apple to develop an update targeting the shooter's phone that will weaken its password security feature.

According to The Post, cryptographers such as Green claim that it makes no sense for a company to create software that compromises its own security features, especially "when there may already be bugs that can be exploited." These experts argue that creating a "back door" to enable access would damage security for more than just the targeted device.

"Even Apple, with all their skills—and they have terrific cryptographers—wasn't able to quite get this right," Green told The Post. "So it scares me that we're having this conversation about adding back doors to encryption when we can't even get basic encryption right."

Apple's iMessage is one of the most-used end-to-end encrypted messaging systems, but Green said that his team's discovery of the bug "underscores how hard it is to get basic encryption right. Vulnerabilities in these systems do exist."

More from The Washington Post:

To intercept a file, the researchers wrote software to mimic an Apple server. The encrypted transmission they targeted contained a link to the photo stored in Apple's iCloud server as well as a 64-digit key to decrypt the photo.

Although the students could not see the key's digits, they guessed at them by a repetitive process of changing a digit or a letter in the key and sending it back to the target phone. Each time they guessed a digit correctly, the phone accepted it. They probed the phone in this way thousands of times.

"And we kept doing that," Green said, "until we had the key."

Read more from The Washington Post