Upcoming Virtual Event: Cloud Security Summit | July 17 - Register Now
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Apple Patches Serious Encryption Flaws in iMessage

Updates released by Apple on Monday for its iOS and Mac OS X operating systems address serious encryption flaws affecting the company’s iMessage messaging protocol, which is reportedly used to send as many as 200,000 messages every second.

Updates released by Apple on Monday for its iOS and Mac OS X operating systems address serious encryption flaws affecting the company’s iMessage messaging protocol, which is reportedly used to send as many as 200,000 messages every second.

A research team from Johns Hopkins University, led by cryptography expert Matthew Green, discovered new attack methods which, under very specific circumstances, can be leveraged to decrypt iMessage attachments such as videos and photos.

In a blog post and research paper published on Monday after Apple released fixes for the issue, experts explained that a remote attacker who can obtain iMessage ciphertexts can silently decrypt message attachments as long as the device of the sender or recipient is online.

The attack is made difficult by certificate pinning, a security mechanism designed to prevent the use of fraudulent certificates, but a well-resourced attacker, such as a nation state actor, or a hacker with access to Apple’s servers can still pull it off.

In its advisory on the flaw, for which it assigned the identifier CVE-2016-1788, Apple noted that an attacker needs to bypass certificate pinning, intercept TLS connections, inject messages, and record encrypted attachments for the attack to work.

Apple was informed about the vulnerabilities in November 2015, but the company had already started deploying aggressive certificate pinning in iOS applications, making a potential attack more difficult. A short-term mitigation proposed by one of the students involved in the research was implemented in iOS 9.3 and Mac OS X El Capitan 10.11.4 — both released on Monday.

In the long term, Green believes Apple should move from iMessage to something more secure, such as Open Whisper Systems’ open-source encrypted messaging application Signal, which relies on the Axolotl cryptographic key management protocol.

While this attack is not easy to pull off, it does put a dent in Apple’s encryption, which is advertised as being highly secure.

Advertisement. Scroll to continue reading.

“While these flaws do not render iMessage completely insecure, some flaws reduce the level of security to that of the TLS encryption used to secure communications between end- user devices and Apple’s servers. This finding is surprising given the protection claims advertised by Apple,” researchers said in their paper.

In addition to the iMessage vulnerability, Apple addressed tens of other security issues in many of its software products, including iOS, OS X, watchOS, tvOS, Xcode, OS X Server and Safari.

Apple’s encryption has made a lot of headlines over the past weeks after the FBI asked the company to create a backdoor that would allow investigators to access information stored on the iPhone belonging to the man behind the December terrorist attacks in San Bernardino.

Apple and the government have been preparing to go against each other in court, but the government announced on Monday that it may have found a way to crack the San Bernardino shooter’s iPhone without Apple’s help.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Craig Boundy has left Experian to join McAfee as President and CEO.

Forcepoint has promoted Ryan Windham from Chief Customer and Strategy Officer to Chief Executive Officer.

ICS and OT cybersecurity solutions provider TXOne Networks appointed Stephen Driggers as its new CRO.

More People On The Move

Expert Insights