iMessage Bug Allows Attackers to Decrypt Photos and Videos

Researchers at John Hopkins University have found a bug in the instant messaging client iMessage which, if exploited, could allow an attacker to decrypt photos and videos sent as secured messages. "Even Apple, with all their skills -- and they have terrific cryptographers -- wasn't able to quite get this right," said Matthew D. Green, whose team of graduate students at the aforementioned university found the bug. "So it scares me that we're having this conversation about adding back doors to encryption when we can't even get basic encryption right." Apple acknowledged the bug to The Washington Post, adding that it had "partially" fixed the glitch with iOS 9 software update last year. The company assures that it will be offering a complete patch for the bug with iOS 9.3, which will be released on Monday.

Tim Cook

Lock the barn doors!

Re: Tim Cook

I like how they found a flaw in the code all vulnerable after a year but yet still pats them on the back.

Any other company would have been crucified and practically insulted.

Besides, no company has cryptographers. There's no point - they just pass it through the OS's built in or prewritten stuff. See OpenSSL or dmcrypt.

Re: Tim Cook

Word salad.

Re: Tim Cook

[UnknowingFool]

Except that Apple deprecated OpenSSL in favor of open source CDSA in their own OS 3 years before HeartBleed was found. Also, Apple using standards is something you are against?

Re:Tim Cook

[flargleblarg]

Close the blast doors! Close the blast doors!

Re: Tim Cook

[laie_techie]

I like how they found a flaw in the code all vulnerable after a year but yet still pats them on the back.

Any other company would have been crucified and practically insulted.

Yes, the media always has bias.

Besides, no company has cryptographers. There's no point - they just pass it through the OS's built in or prewritten stuff. See OpenSSL or dmcrypt.

We're talking Apple, so they are kind of responsible for the OS, too (even if it's based on BSD).

So what was the actual flaw?

Short on details.

Although the students could not see the key’s digits, they guessed at them by a repetitive process of changing a digit or a letter in the key and sending it back to the target phone. Each time they guessed a digit correctly, the phone accepted it. They probed the phone in this way thousands of times.

Was it -really- operating like the launch codes in Wargames? "The phone accepted it" is pretty ambiguous.

Re:So what was the actual flaw?

Came here to post this. I am sick of articles on encryption that talk "about" the flaw, instead of saying what it actually was. This is a tech site, so articles that say "Using high-speed computing, researchers were able to do some scary math and break the encryption." If it doesn't link to CERT, or say "A timing attack was used to guess digits of the key" then it doesn't belong on Slashdot.

That said, here is a guess, based on the limited information in the article:

To intercept a file, the researchers wrote software to mimic an Apple server. The encrypted transmission they targeted contained a link to the photo stored in Apple’s iCloud server as well as a 64-digit key to decrypt the photo.

So they got the network traffic, but without Apple's private keys all they could do is see the encrypted data. 64 hex digits = 256 bits. The whole part about mimicking an Apple server us unclear. It sounds like they did a MITM, which shouldn't be possible if Apple is checking the certificates. But if the MITM was successful, why didn't they get the key? No matter...

Although the students could not see the key’s digits, they guessed at them by a repetitive process of changing a digit or a letter in the key and sending it back to the target phone. Each time they guessed a digit correctly, the phone accepted it. They probed the phone in this way thousands of times.

So they used a timing attack against the phone to guess at the key, by changing one hex digit (or maybe one bit) at a time. Timing attacks are known to work this way, and many crypto libraries randomize the time it takes to decrypt to fix this.

To prevent the attack from working, users should update their devices to iOS 9.3.

So the bug is already known and fixed. I wonder if the fix was the certs to prevent the MITM, or the fix to the timing attack, or both.

Re: So what was the actual flaw?

Considering they recently updated the Windows update service to protect against MITM update servers, they probably did a little of both.

https://support.apple.com/en-us/HT206091

Re:So what was the actual flaw?

[phantomfive]

They haven't released the details yet. Responsible disclosure or something.
Looks like it requires a MITM and only works for intercepting pictures send over iMessage?

That's about all I can see, but I don't trust them until they release a metasploit module.

Re:So what was the actual flaw?

[plover]

I wonder if it's a variant of the CRIME attack, where the attacker iteratively observes the success or failure of compression based on fuzzing the inputs, tail first. But those attacks just recover the encrypted data, and don't reveal anything about the key. Don't know yet -- maybe the article is just poorly written, and they aren't actually decrypting the photos, they're just recovering them.

Spoofing the Apple servers is plausible if the iMessage app isn't using pinned certificates. That would be really lame, because they've learned that lesson before on their update servers, back when all the jailbreakers were intercepting the updates.

Encryption cannot save you

A phone is not a secure terminal. Whether implemented correctly or not, encryption cannot overcome this fundamental fact.

it's ok

Apple just hired an ex-Microsoft guy to fix their security situation. Feel safe Apple users!

FBI

[phorm]

OK. So can the FBI stop bugging Apple for iPhone decryption now. It sounds like they can probably get what they need already.

Re:FBI

[ColdWetDog]

Sure, if you can get a dead guy to unlock the phone and send a picture (previously stored on iCloud) through a WiFi AP that you control.

Easy Peasy.

(RTFA).

Re:FBI

It might just be easier for them to invent a time machine and go back to before they (FBI) locked the phone to begin with.

all devices, software, networks, etc.

[ole_timer]

are designed and built by humans - they have bugs in them...get over it.

Re:all devices, software, networks, etc.

[AchilleTalon]

But all bugs are not born equal.

Re:all devices, software, networks, etc.

[ole_timer]

sure, but all have bugs!

Something the FBI can use?

Obviously this won't satisfy their actual desire, but might this satisfy their stated desire to get into "just this one iPhone"?

Re:Something the FBI can use?

Nope. From the sound of it this could allow someone to decrepit your imessages sent over a network they can monitor (like the unsecured WiFi the setup).
It wouldn't allow access to stored information, juts eavesdropping.

The FBI's stated goal is accessing the stored information on a specific locked phone.

Oh sure

[U2xhc2hkb3QgU3Vja3M]

The company assures that it will be offering a complete patch for the bug with iOS 9.3, which will be released on Monday.

And to everybody else who are still user older devices: fuck you!

Seriously, can't they update the older iOS versions? Or are the FBI/CIA/NSA preventing them from doing so?

Re: Oh sure

[UnknowingFool]

Well if you read the article, the method of attack requires thousands of messages to be sent and the researchers stated it would require the resources of a nation state to implement. So for the average person, it is reasonably safe from hackers and criminals.

Re: Oh sure

[U2xhc2hkb3QgU3Vja3M]

Read the article? What is this, Soviet Slashdot?

sounds like a padding oracle ala POODLE

[raymorris]

One byte at a time and see if the other end "accepts" it sounds like a padding oracle attack. Those are in vogue now also.

The padding oracle works with cbc ciphers where there is a padding check before the actual decryption. You change on byte and see whether you get a padding error. If the byte is correct, you don't get the padding error. When you've found one byte, move on to the next byte.

So a bug in an application equals poor encryption?

[Tharkkun]

Sounds like this researcher only wants to make headlines. Encrypting your OS and device won't ever protect you from an application that has a security flaw. Encryption protects a user at the physical level. We all know the saying that if you can get console access you're compromised. Not the case with encryption. Nor is it the case with the imessage app. I'd like to see them break into a phone when they can't unlock it.