
Apple’s iMessage is vulnerable to attacks

Cryptography researchers at Johns Hopkins University have found another flaw in the encryption used by Apple’s iMessage.


Apple has implemented a series of short- and long-term defenses to its iMessage protocol after several issues were discovered by a team of researchers at Johns Hopkins University, according to a report published today (via PatentlyApple). They claim that the platform is vulnerable to a ciphertext attack that allows the decryption of certain types of payloads and attachments, regardless of whether the sender/receiver is online. “The practical implication of these attacks is that any party who gains access to iMessage ciphertexts may potentially decrypt them remotely and after the fact”, the researchers wrote in a paper delivered at the USENIX Security Symposium last week.

The team says that the attack requires a great deal of sophistication, which makes state-sponsored attackers a possibility.

The team’s research was based on a “chosen ciphertext attack” on the iMessage protocol’s encryption. Once executed, the ciphertext attack could fully decrypt some older iMessages. The researchers also pointed out that Apple doesn’t rotate encryption keys at regular intervals.

This is the same research that fueled a series of articles in the worldwide press last March, about a zero-day in the iMessage protocol that allowed attackers to decrypt images and videos sent through iMessage apps.

As MacRumors notes, law enforcement would be able to retrieve data from encrypted messages using this flaw by simply issuing a court order to force Apple to provide access to its servers. However, the attack only worked on ciphertexts containing gzip-compressed data. Because of this, the researchers named their attack the Gzip Format Oracle Attack.


One of them is the Handoff service used to exchange data between Apple devices via Bluetooth LE, which Apple describes as using encryption “in a similar fashion to iMessage”. For example, WhatsApp promises end-to-end encryption. You just have to run the latest versions of iOS and OS X. However, the researchers recommend that Apple replace its iMessage encryption with one that eliminates potential weaknesses. They also stated that while Apple has made improvements in the security of its messaging system, it is not enough. Most of the repairs were included in iOS 9.3 and OS X 10.11.4, which shipped in March 2016.
