Encryption is a cat-and-mouse game, and Johns Hopkins University researchers have found a great way to prove it. In a new research that they shared with the Washington Post, the research team has found a serious security hole that lets you see photos, videos and files sent using iMessage.
iMessage has been an encrypted messaging protocol from day one. When you send an iMessage, your device opens a secure connection with Apple’s servers. Messages are encrypted on your phone using a private key, sent to Apple’s servers, delivered to your recipient. Your recipient’s phone then decrypts the message.
In other words, Apple theoretically can’t read or decrypt your messages because it’s just encrypted gibberish and Apple doesn’t have the key to decrypt these messages.
And yet, Johns Hopkins University researchers found a hole. They weren’t able to decrypt messages, but they found a way to intercept photos, videos or files.
Files have been using a weak encryption method with a 64-bit encryption key. Researchers developed a server that mimics Apple’s own servers to intercept the encrypted files. They then attempted thousands of keys as Apple doesn’t throttle failed attempts. With this brute force method, researchers could decrypt files from Apple’s servers without anyone noticing.
According to the Washington Post, this is already harder to decrypt files coming from devices running iOS 9 or later. But it is still possible if you’re the NSA for example. It’s unclear if government agencies or hackers have been using this method.
The good news is that Apple has already developed a fix and it’s coming later today with the release of iOS 9.3. The hacking process is not public yet and the research team will share a white paper once Apple has fixed the security hole.
This hack proves once again that encryption is never perfect. There will always be security holes and hackers to find them, and big software makers like Apple will play catch-up to fix these holes. That’s why it’s important to download and install patches for your devices.