While cracking iPhone encryption is difficult enough for the FBI to ask Apple for help, it seems that there are still some vulnerabilities in the system. It may not aid the Department of Justice, but researchers from Johns Hopkins University discovered a flaw in iMessage that allowed them to decrypt photos and videos sent through the service.
The research team, led by professor Matthew D. Green, first wrote software to mimic an Apple server. The transmissions they intercepted contained links to photos and videos - stored on the Apple iCloud server - which use only 64-bit encryption. Because there is no lockout after multiple attempts to decrypt, the team was able to use brute-force attacks to decrypt the media content.
Apple did partially fix the problem with the release of iOS 9, but Green said that hackers with the skills of a “nation state” could create a modified version of the attack to work on Apple’s latest operating system.
The researchers informed Apple of the problem, and the company will be fully resolving the issue with the release of iOS 9.3 - expected to arrive after Apple’s media event later today. Once the update is here, Green and his team will reveal more details regarding the vulnerability.
"Apple works hard to make our software more secure with every release," the company said in a statement. "We appreciate the team of researchers that identified this bug and brought it to our attention so we could patch the vulnerability."
The researchers say this bug highlights the need for Apple to stand firm in its battle with the government over the San Bernardino iPhone. "Even Apple, with all their skills — and they have terrific cryptographers — wasn't able to quite get this right," Green said. "So it scares me that we're having this conversation about adding back doors to encryption when we can't even get basic encryption right."