Slashdot Mirror

← Back to Stories (view on slashdot.org)

iMessage Bug Allows Attackers to Decrypt Photos and Videos

Posted by msmash on from the leaking-messages dept.

Researchers at John Hopkins University have found a bug in the instant messaging client iMessage which, if exploited, could allow an attacker to decrypt photos and videos sent as secured messages. "Even Apple, with all their skills -- and they have terrific cryptographers -- wasn't able to quite get this right," said Matthew D. Green, whose team of graduate students at the aforementioned university found the bug. "So it scares me that we're having this conversation about adding back doors to encryption when we can't even get basic encryption right." Apple acknowledged the bug to The Washington Post, adding that it had "partially" fixed the glitch with iOS 9 software update last year. The company assures that it will be offering a complete patch for the bug with iOS 9.3, which will be released on Monday.

16 of 27 comments (clear)

  1. So what was the actual flaw? by Anonymous Coward · · Score: 1

    Short on details.

    Although the students could not see the key’s digits, they guessed at them by a repetitive process of changing a digit or a letter in the key and sending it back to the target phone. Each time they guessed a digit correctly, the phone accepted it. They probed the phone in this way thousands of times.

    Was it -really- operating like the launch codes in Wargames? "The phone accepted it" is pretty ambiguous.

    1. Re:So what was the actual flaw? by Anonymous Coward · · Score: 4, Interesting

      Came here to post this. I am sick of articles on encryption that talk "about" the flaw, instead of saying what it actually was. This is a tech site, so articles that say "Using high-speed computing, researchers were able to do some scary math and break the encryption." If it doesn't link to CERT, or say "A timing attack was used to guess digits of the key" then it doesn't belong on Slashdot.

      That said, here is a guess, based on the limited information in the article:

      To intercept a file, the researchers wrote software to mimic an Apple server. The encrypted transmission they targeted contained a link to the photo stored in Apple’s iCloud server as well as a 64-digit key to decrypt the photo.

      So they got the network traffic, but without Apple's private keys all they could do is see the encrypted data. 64 hex digits = 256 bits. The whole part about mimicking an Apple server us unclear. It sounds like they did a MITM, which shouldn't be possible if Apple is checking the certificates. But if the MITM was successful, why didn't they get the key? No matter...

      Although the students could not see the key’s digits, they guessed at them by a repetitive process of changing a digit or a letter in the key and sending it back to the target phone. Each time they guessed a digit correctly, the phone accepted it. They probed the phone in this way thousands of times.

      So they used a timing attack against the phone to guess at the key, by changing one hex digit (or maybe one bit) at a time. Timing attacks are known to work this way, and many crypto libraries randomize the time it takes to decrypt to fix this.

      To prevent the attack from working, users should update their devices to iOS 9.3.

      So the bug is already known and fixed. I wonder if the fix was the certs to prevent the MITM, or the fix to the timing attack, or both.

    2. Re:So what was the actual flaw? by phantomfive · · Score: 1

      They haven't released the details yet. Responsible disclosure or something.
      Looks like it requires a MITM and only works for intercepting pictures send over iMessage?

      That's about all I can see, but I don't trust them until they release a metasploit module.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:So what was the actual flaw? by plover · · Score: 1

      I wonder if it's a variant of the CRIME attack, where the attacker iteratively observes the success or failure of compression based on fuzzing the inputs, tail first. But those attacks just recover the encrypted data, and don't reveal anything about the key. Don't know yet -- maybe the article is just poorly written, and they aren't actually decrypting the photos, they're just recovering them.

      Spoofing the Apple servers is plausible if the iMessage app isn't using pinned certificates. That would be really lame, because they've learned that lesson before on their update servers, back when all the jailbreakers were intercepting the updates.

      --
      John
  2. Re: Tim Cook by UnknowingFool · · Score: 4, Interesting

    Except that Apple deprecated OpenSSL in favor of open source CDSA in their own OS 3 years before HeartBleed was found. Also, Apple using standards is something you are against?

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  3. Re:Tim Cook by flargleblarg · · Score: 1

    Close the blast doors! Close the blast doors!

  4. all devices, software, networks, etc. by ole_timer · · Score: 1

    are designed and built by humans - they have bugs in them...get over it.

    --
    nothing to see here - move along
    1. Re:all devices, software, networks, etc. by AchilleTalon · · Score: 2

      But all bugs are not born equal.

      --
      Achille Talon
      Hop!
    2. Re:all devices, software, networks, etc. by ole_timer · · Score: 1

      sure, but all have bugs!

      --
      nothing to see here - move along
  5. Re:FBI by ColdWetDog · · Score: 1

    Sure, if you can get a dead guy to unlock the phone and send a picture (previously stored on iCloud) through a WiFi AP that you control.

    Easy Peasy.

    (RTFA).

    --
    Faster! Faster! Faster would be better!
  6. Re: Tim Cook by laie_techie · · Score: 1

    I like how they found a flaw in the code all vulnerable after a year but yet still pats them on the back.

    Any other company would have been crucified and practically insulted.

    Yes, the media always has bias.

    Besides, no company has cryptographers. There's no point - they just pass it through the OS's built in or prewritten stuff. See OpenSSL or dmcrypt.

    We're talking Apple, so they are kind of responsible for the OS, too (even if it's based on BSD).

  7. Oh sure by U2xhc2hkb3QgU3Vja3M · · Score: 1

    The company assures that it will be offering a complete patch for the bug with iOS 9.3, which will be released on Monday.

    And to everybody else who are still user older devices: fuck you!

    Seriously, can't they update the older iOS versions? Or are the FBI/CIA/NSA preventing them from doing so?

    1. Re: Oh sure by UnknowingFool · · Score: 3, Insightful

      Well if you read the article, the method of attack requires thousands of messages to be sent and the researchers stated it would require the resources of a nation state to implement. So for the average person, it is reasonably safe from hackers and criminals.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    2. Re: Oh sure by U2xhc2hkb3QgU3Vja3M · · Score: 1

      Read the article? What is this, Soviet Slashdot?

  8. sounds like a padding oracle ala POODLE by raymorris · · Score: 2

    One byte at a time and see if the other end "accepts" it sounds like a padding oracle attack. Those are in vogue now also.

    The padding oracle works with cbc ciphers where there is a padding check before the actual decryption. You change on byte and see whether you get a padding error. If the byte is correct, you don't get the padding error. When you've found one byte, move on to the next byte.

  9. So a bug in an application equals poor encryption? by Tharkkun · · Score: 1

    Sounds like this researcher only wants to make headlines. Encrypting your OS and device won't ever protect you from an application that has a security flaw. Encryption protects a user at the physical level. We all know the saying that if you can get console access you're compromised. Not the case with encryption. Nor is it the case with the imessage app. I'd like to see them break into a phone when they can't unlock it.