Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Apple Patches Serious Encryption Flaws in iMessage

Updates released by Apple on Monday for its iOS and Mac OS X operating systems address serious encryption flaws affecting the company’s iMessage messaging protocol, which is reportedly used to send as many as 200,000 messages every second.

Updates released by Apple on Monday for its iOS and Mac OS X operating systems address serious encryption flaws affecting the company’s iMessage messaging protocol, which is reportedly used to send as many as 200,000 messages every second.

A research team from Johns Hopkins University, led by cryptography expert Matthew Green, discovered new attack methods which, under very specific circumstances, can be leveraged to decrypt iMessage attachments such as videos and photos.

In a blog post and research paper published on Monday after Apple released fixes for the issue, experts explained that a remote attacker who can obtain iMessage ciphertexts can silently decrypt message attachments as long as the device of the sender or recipient is online.

The attack is made difficult by certificate pinning, a security mechanism designed to prevent the use of fraudulent certificates, but a well-resourced attacker, such as a nation state actor, or a hacker with access to Apple’s servers can still pull it off.

In its advisory on the flaw, for which it assigned the identifier CVE-2016-1788, Apple noted that an attacker needs to bypass certificate pinning, intercept TLS connections, inject messages, and record encrypted attachments for the attack to work.

Apple was informed about the vulnerabilities in November 2015, but the company had already started deploying aggressive certificate pinning in iOS applications, making a potential attack more difficult. A short-term mitigation proposed by one of the students involved in the research was implemented in iOS 9.3 and Mac OS X El Capitan 10.11.4 — both released on Monday.

In the long term, Green believes Apple should move from iMessage to something more secure, such as Open Whisper Systems’ open-source encrypted messaging application Signal, which relies on the Axolotl cryptographic key management protocol.

While this attack is not easy to pull off, it does put a dent in Apple’s encryption, which is advertised as being highly secure.

Advertisement. Scroll to continue reading.

“While these flaws do not render iMessage completely insecure, some flaws reduce the level of security to that of the TLS encryption used to secure communications between end- user devices and Apple’s servers. This finding is surprising given the protection claims advertised by Apple,” researchers said in their paper.

In addition to the iMessage vulnerability, Apple addressed tens of other security issues in many of its software products, including iOS, OS X, watchOS, tvOS, Xcode, OS X Server and Safari.

Apple’s encryption has made a lot of headlines over the past weeks after the FBI asked the company to create a backdoor that would allow investigators to access information stored on the iPhone belonging to the man behind the December terrorist attacks in San Bernardino.

Apple and the government have been preparing to go against each other in court, but the government announced on Monday that it may have found a way to crack the San Bernardino shooter’s iPhone without Apple’s help.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Data Protection

While quantum-based attacks are still in the future, organizations must think about how to defend data in transit when encryption no longer works.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...