Everything you need to know about the iMessage security flaw patched by iOS 9.3 – Macworld


iMessage has flaws in how it protects messages, researchers at Johns Hopkins University explain in a paper released today (not yet available online), which can lead to effective, offline decryption of some intercepted messages.

The researchers disclosed their work to Apple in November, and today’s release of iOS 9.3 and OS X 10.11.4 removes some exploits and makes others dramatically harder to take advantage of. The paper’s authors include Matthew D. Green, a cryptographer known for his research on privacy-preserving cryptographic protocols, including Bitcoin.

A story by the Washington Post appeared early on Sunday night, leading to inadvertent disclosure ahead of time. The story was quickly pulled but later republished after that became clear. We held some technical details for the initial version of this story at the request of the researchers, until Apple’s updates were out.

Here’s what you need to know.

Did they break iMessage encryption?

Yes and no. iMessage is Apple’s product name for a bundle of different kinds of message-and-file transfer that uses a variety of interlinked and layered encryption methods. Apple doesn’t disclose more than a surface description of its system, and has been criticized for years for not providing more detail, which would allow “white hat” hackers—like academic researchers and those within Apple, Google, and other companies—to quietly probe for weaknesses more effectively. Such flaws could then be fixed before a malicious party or government agency could take advantage of them.

While the researchers who wrote today’s academic paper found many avenues of exploration, some of which we can imagine that governments and criminals have already separately discovered and potentially exploited, the paper focuses on being able to decrypt attachments to iMessages, like images and other files for which the raw encrypted data has been intercepted.

However, so far, the fundamental mechanisms that prevent any but the intended recipients of a text message from being able to access the descrambled text remain intact. Also, the exploit used requires extraordinary, but not impossible, access to bypass one level of security.

Has Apple fixed the problems?

Yes, Apple has fixed all the problems the researchers specifically identified through one set of updates performed quietly a few months ago, and another set that appears in iOS 9.3 and OS X 10.11.4. Some are comprehensive fixes, while others are temporary solutions that need a significant revision in the long term.
