Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Apple Patches Serious Encryption Flaws in iMessage

Updates released by Apple on Monday for its iOS and Mac OS X operating systems address serious encryption flaws affecting the company’s iMessage messaging protocol, which is reportedly used to send as many as 200,000 messages every second.

Updates released by Apple on Monday for its iOS and Mac OS X operating systems address serious encryption flaws affecting the company’s iMessage messaging protocol, which is reportedly used to send as many as 200,000 messages every second.

A research team from Johns Hopkins University, led by cryptography expert Matthew Green, discovered new attack methods which, under very specific circumstances, can be leveraged to decrypt iMessage attachments such as videos and photos.

In a blog post and research paper published on Monday after Apple released fixes for the issue, experts explained that a remote attacker who can obtain iMessage ciphertexts can silently decrypt message attachments as long as the device of the sender or recipient is online.

The attack is made difficult by certificate pinning, a security mechanism designed to prevent the use of fraudulent certificates, but a well-resourced attacker, such as a nation state actor, or a hacker with access to Apple’s servers can still pull it off.

In its advisory on the flaw, for which it assigned the identifier CVE-2016-1788, Apple noted that an attacker needs to bypass certificate pinning, intercept TLS connections, inject messages, and record encrypted attachments for the attack to work.

Apple was informed about the vulnerabilities in November 2015, but the company had already started deploying aggressive certificate pinning in iOS applications, making a potential attack more difficult. A short-term mitigation proposed by one of the students involved in the research was implemented in iOS 9.3 and Mac OS X El Capitan 10.11.4 — both released on Monday.

In the long term, Green believes Apple should move from iMessage to something more secure, such as Open Whisper Systems’ open-source encrypted messaging application Signal, which relies on the Axolotl cryptographic key management protocol.

While this attack is not easy to pull off, it does put a dent in Apple’s encryption, which is advertised as being highly secure.

“While these flaws do not render iMessage completely insecure, some flaws reduce the level of security to that of the TLS encryption used to secure communications between end- user devices and Apple’s servers. This finding is surprising given the protection claims advertised by Apple,” researchers said in their paper.

In addition to the iMessage vulnerability, Apple addressed tens of other security issues in many of its software products, including iOS, OS X, watchOS, tvOS, Xcode, OS X Server and Safari.

Apple’s encryption has made a lot of headlines over the past weeks after the FBI asked the company to create a backdoor that would allow investigators to access information stored on the iPhone belonging to the man behind the December terrorist attacks in San Bernardino.

Apple and the government have been preparing to go against each other in court, but the government announced on Monday that it may have found a way to crack the San Bernardino shooter’s iPhone without Apple’s help.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Google’s Threat Analysis Group (TAG) has shared technical details on an Internet Explorer zero-day vulnerability exploited in attacks by North Korean hacking group APT37.

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...