A new study from a team at Johns Hopkins University shows that there are serious problems with how Apple implemented encryption in the company’s iMessage system. The flaws leave the system open to retrospective decryption attacks, which can reveal the contents of all of a victim’s previous text messages within the application.

The iMessage system, like much of what the Cupertino, California-based tech firm does, is opaque, and its inner workings have not been made available to outsiders. Still, one key thing to note is that the system’s messages are encrypted end-to-end. Apple has even said that it does not have the ability to decrypt the messages sent and received by its users.

The researchers at Johns Hopkins University, led by Matthew Green, a professor of computer science at the school, reverse engineered the iMessage protocol. The team discovered that Apple made some mistakes in its implementation of the encryption. As a result, an attacker who has obtained access to the encrypted messages could decrypt them.

A paper written by the researchers and delivered at the USENIX Security Symposium last week states the following: “Our analysis shows that iMessage has significant vulnerabilities that can be exploited by a sophisticated attacker. In particular, we outline a novel chosen ciphertext attack on Huffman compressed data, which allows retrospective decryption of some iMessage payloads in less than 2^18 queries. The practical implication of these attacks is that any party who gains access to iMessage ciphertexts may potentially decrypt them remotely and after the fact.”

The researchers stated that the bugs they identified in the system essentially “reduce the level of security to that of the TLS encryption used to secure communications between end-user devices and Apple’s servers.” For those who are wondering, this is not a compliment. Specifically, the research team was able to carry out a chosen ciphertext attack on an encrypted message that resulted in the decryption of that text.

It should be noted that Apple has been aware of the vulnerabilities in iMessage since November of last year. That was when the research team reported the findings to the company privately instead of divulging the results publicly.


