Security researchers have uncovered a way of intercepting photos and videos sent using Apple’s encrypted iMessage service, highlighting the fact that the U.S. government may not need a backdoor to access Apple’s customer data.
Researchers at John’s Hopkins University, led by well-known cryptographer Matthew D. Green, first spotted the flaw last year, and after warning the company about the potential problem but hearing nothing back, set about proving it could work.
The flaw, which Apple is due to patch in an update to its iOS software on Monday, would allow an attacker to intercept the encrypted messages between two iPhone users and uncover the 64-digit key which is used to decrypt the messages.
The flaw would allow attackers to access photos and videos stored on Apple’s iCloud servers. While Apple has partially fixed the flaw in iOS 9, which was released last September, Green said a determined attacker could still exploit it even on phones running the latest software, though only a nation state would likely have the resources to carry out such an attack.
The details of exactly how the attack works will be published by the researchers only after Apple issues the iOS 9.3 update, the beta version of which has already rolled out to those enrolled in Apple’s testing program.
The revelation about the weakness in Apple’s encryption comes a day before the company is set to go head-to-head in court with the FBI over creating a backdoor in the company’s software to allow law enforcement access to password-protected iPhone used by San Bernardino shooter Syed Rizwan Farook.
Speaking to the Washington Post about the discovery, Green said the weakness his team of researchers discovered has highlighted that the FBI’s call for a backdoor made no sense when it was clear that bugs could already be exploited.
“Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right. So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.”
However, the flaw Green’s researchers uncovered would not help the FBI in trying to access the contents of Farouk’s iPhone and the FBI’s director James Comey has already stated that his agency has sought the help from intelligence agencies to break into the phone but without success.
In a statement, Apple said it “appreciated” the work of the researchers so it could patch the vulnerability. “Security requires constant dedication and we’re grateful to have a community of developers and researchers who help us stay ahead,” the company said.