Researchers Find Another Flaw in Apple's iMessage Encryption

By William Turton

Cryptography researchers at Johns Hopkins University have found another flaw in the encryption used by Apple’s iMessage. The good news? The flaw has already been patched; you just need to update iOS.

Apple has been criticised before by the computer security community for not making the details of how it encrypts messages open source. While iMessage does encrypt messages, pictures, and videos end-to-end by default, Apple’s critics have said that because the code isn’t open and easily reviewable, security bugs may go unnoticed. The Johns Hopkins researchers even went as far as to say that Apple should replace its encryption methodology.

Apple differs in a big way from the tech world here. Google and Facebook recently adopted the open source Signal encryption protocol — widely viewed as the gold standard for encrypted messaging — for some of their messaging products. By contrast, Apple cooks up its own method of encrypting messages that is kept largely secret.

The bug discovered by the researchers allowed a sophisticated attacker, say a nation state like the United States or China, to decrypt stored iMessage data. The attack couldn’t be carried out by a 15-year-old in mum’s basement; rather, it would require advanced hacking skills that would probably involve breaching Apple’s servers or stealing authentication certificates. But once executed, the “ciphertext attack” would be able to fully decrypt some older iMessages. This is particularly relevant as iMessage backs up to Apple’s iCloud.

Attacks from nation state hackers are going to become more and more prevalent. Previously, normal folks like you and me didn’t need to worry much. What would Russia or China want from me? But as we’ve seen in the leak of Democratic National Committee emails, private Americans can have their information released by nation state hackers. Sure, Russian hackers probably breached the DNC using unsophisticated methods like phishing, but more than ever, normal people are being targeted by high-profile hacks.

From the paper:

Despite its broad deployment, the encryption protocols used by iMessage have never been subjected to rigorous cryptanalysis. In this paper, we conduct a thorough analysis of iMessage to determine the security of the protocol against a variety of attacks. Our analysis shows that iMessage has significant vulnerabilities that can be exploited by a sophisticated attacker.

The best way for you to protect yourself is by regularly updating your software so that you can get the latest and most relevant security updates. Apple, for instance, patched this bug before it was even widely known. This isn’t just true on iOS, but on all software that you use. [MacRumors]