Install iOS 9.3 to fix serious iMessages encryption flaw

For some time, Apple has forcefully pushed a message to consumers that it takes privacy seriously.

Here, for instance, is what Apple’s website says about its approach to privacy when it comes to iMessages:

Your iMessages and FaceTime calls are your business, not ours. Your communications are protected by end-to-end encryption across all your devices when you use iMessage and FaceTime, and with iOS and watchOS, your iMessages are also encrypted on your device in such a way that they can’t be accessed without your passcode. Apple has no way to decrypt iMessage and FaceTime data when it’s in transit between devices.

Many find that attitude admirable, but the stance has taken a knock today with the news that a research team from Johns Hopkins University has discovered a way to break the encryption used by iMessages, opening up the opportunity to spy upon photos and videos being transmitted between iPhones, iPads and Apple Macs.

As the Washington Post reports, the researchers – headed by computer science professor Matthew Green – intercepted messages by writing software that mimicked an Apple server, and then used a brute-force approach to reveal links to supposedly secure photos and videos:

The encrypted transmission they targeted contained a link to the photo stored in Apple’s iCloud server as well as a 64-digit key to decrypt the photo.

Although the students could not see the key’s digits, they guessed at them by a repetitive process of changing a digit or a letter in the key and sending it back to the target phone. Each time they guessed a digit correctly, the phone accepted it. They probed the phone in this way thousands of times.

“And we kept doing that,” Green said, “until we had the key.”

The discovery of this iOS privacy flaw comes, of course, at a time when the world is watching a very public legal battle between Apple and the FBI over whether the technology company should be building what some have described as a backdoor in its operating system to grant access to the iPhone recovered after the attack in San Bernardino.

As it happens, the flaw discovered by Matthew Green and the team from Johns Hopkins University doesn’t help with that iPhone, as the vulnerability only exists while data is in transit rather than stored at rest on a device.

For his part, Green told the Washington Post that he is worried by the thought that courts could compel technology companies to build weaknesses into their products’ security:

“Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right. So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.”

Apple is expected to release iOS 9.3 today, fixing the vulnerability – after which the researchers will release more details of the vulnerability they discovered.

It should go without saying that if you own an iOS device, it will make sense to update as soon as possible.

It remains unclear whether any intelligence agency was already aware of the flaw in iOS, and was exploiting it for surveillance purposes, without informing Apple of the problem.

This article originally appeared on the HEAT Security blog.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts.