A newly released study from a Johns Hopkins University (JHU) research team brought to light how Apple’s iMessage system has serious risks that could lead to the loss of their users’ privacy.
The research showed that the encryption implementation methods applied by Apple to iMessage are prone to retrospective decryption attacks – in effect, exposing supposedly private messages.
The messaging program’s workings, much like a majority of Apple’s technologies, are not available to anyone outside the company.
Apple has said in the past that they do not have the capability to decrypt any user’s messages, and that their system encrypts messages from end to end – meaning messages cannot be viewed by anyone except for the sender and intended recipient.
However, the JHU research team, led by computer science professor Matthew Green, discovered errors after reverse-engineering the iMessage protocol.
Apple’s iMessage system has serious risks that could lead to the loss of their users’ privacy.
The implementation of the encryption processes could allow a hacker to access the messages and decrypt them – posing a huge threat to iMessage users’ privacy.
JHU’s research team stressed that their analysis indicated how iMessage’s vulnerabilities could certainly be broken by a sophisticated hacker. They outlined a chosen cipher text attack on compressed data which allowed retrospective decryption of some iMessage payloads.
“The practical implication of these attacks is that any party who gains access to iMessage cipher texts may potentially decrypt them remotely and after the fact,” said the JHU research team in their study released a week ago.
The research team also added that the bugs they discovered in the program basically diminish the security level comparable to the encryption used to secure communications exchanged by users’ devices and Apple’s servers.
The JHU researchers were also able to apply a cipher text attack on encrypted iMessages that had compressed information. They also discovered that by applying the same methods, they could decrypt older text messages, too.
Apple was actually informed by the JHU team in private back in November of last year. They were able to release fixes through the more recent iOS updates; older iOS versions didn’t use “certificate pinning” – making them more prone to attackers.
According to the JHU paper, the Apple fixes included enforcing certificate pinning across all channels used by iMessage; removing compression from the iMessage composition (for attachment messages); and developing a fix based on JHU’s proposed “duplicate cipher text detection” mitigation.
Apple also applied fixes to the inter-device communications of iMessage (e.g. Handoff), but they did not disclose any details to the JHU research team.
Comprehensive multi-device protection for you and your family for up to 6 PCs, Macs, Android, and iOS devices. For more info click here.