Researchers find gaping hole in Apple’s iMessage encryption


Federal judge shoots down down group iMessage lawsuit.
iMessage contains a critical encryption flaw.
Photo: Apple

Encryption researchers at John Hopkins University have found a serious flaw in the encryption of Apple’s iMessage platform that shatters the FBI’s stance that encryption on devices like the iPhone is unhackable.

The group of researchers discovered a bug that would allow attackers to decrypt pictures and video sent over iMessage. The flaw wouldn’t help the FBI in its investigation of the San Bernardino shooter’s iPhone, but it shows just how hard it is to get air-tight encryption right, even for a company with as much talent and resources as Apple.

Apple told the Washington Post that it partially fixed the bug with the release of iOS 9, and that it will be completely patched with iOS 9.3, which will be released today.

John Hopkins University computer science Matthew D. Green led the team that found the encryption flaw. Greens says he was suspicious that iMessage contained a critical flaw after reading Apple’s security process. The researchers alerted Apple engineers that their encryption processes was weak, but months passed and a fix wasn’t released, so the team mounted an attack to prove the encryption’s weakness.

The company released a statement today expressing its appreciation for the efforts of the team at John Hopkins University. The group said it will reveal the bug once Apple has properly patched it.

“Apple works hard to make our software more secure with every release,” a company spokesperson said. “We appreciate the team of researchers that identified this bug and brought it to our attention so we could patch the vulnerability. . . . Security requires constant dedication and we’re grateful to have a community of developers and researchers who help us stay ahead.”