What You Need to Know About the iMessage Security Flaw

Apple has been in the news a lot lately, and most of the stories are about encryption. It’s currently in a battle with the FBI about adding a back door to its encryption software to allow law enforcement to access files on a locked iPhone, and now the software is coming under fire again.

Researchers at Johns Hopkins University found a flaw in Apple’s iMessage encryption that allows them to intercept, decrypt and view messages, pictures and video sent using iMessage. What do you need to know about this encryption flaw and should you be worried about the security of your iMessages?

What Is iMessage?

iMessage is a program that allows you to use Apple’s servers to send texts, pictures and video messages between Apple devices.

In theory, the message is encrypted on your phone, sent through Apple’s servers and then decrypted on your recipient’s phone.

iMessage has been part of iOS since it was first launched in 2011 as part of iOS 5.

Looking for Back Doors

Apple and the FBI are currently embroiled in a highly publicized lawsuit regarding phone encryption. Specifically, the FBI wants Apple to add a back door to its encryption which will allow law enforcement to access locked phones. In this case, the FBI is trying to access the iPhone of the San Bernardino bomber, claiming it might contain information vital to the case.

Apple has thus far refused to comply with the FBI’s request, claiming that adding this back door could later be exploited by law enforcement, hackers or other parties with more nefarious intentions.

Intercept and Decrypt

The flaw discovered by the Johns Hopkins researchers allows them, and potentially other hackers as well, to intercept the messages sent out when they reach the Apple servers. Since iMessage uses a relatively weak 64-bit encryption and the servers don’t attempt to stop the decryption after a number of failed attempts, the researchers were able to try the thousands of keys necessary to break Apple’s encryption and access the data stored in those messages.

Researchers discovered the flaw back in November and reported it to Apple, though it is just now making it into the news.

Fixes and Patches

Apple has already partially fixed the encryption flaw with the release of iOS 9, but while making it more difficult to decrypt the files, researchers say the files are still accessible after this new OS was rolled out.

Monday marked the release of iOS 9.3, which is supposed to completely fix the encryption flaw in the iMessage system.

Uses and Exploits

Apple has not released any statements indicating iMessage was compromised by anyone other than the researchers at Johns Hopkins, so it’s a fair bet that your texts and pictures are secure.

Even though this is technically an encryption exploit, it would likely not have helped the FBI with their investigation, because it does not allow a hacker to access the entire phone, only messages that were sent using the iMessage servers.

Moving Forward

Johns Hopkins researchers are planning to release more information about the encryption flaw, but not until after iOS 9.3 has been rolled out to the general public to prevent people from potentially exploiting the flaw. Their paper will detail techniques they used to discover the flaw and break the encryption.

The release of iOS 9.3 allowed Apple to fix its mistake and to make sure all messages sent using the iMessage application are secure going forward, and to prevent any past messages from being compromised.

That being said, even users who utilize older versions of the OS shouldn’t be too worried. The researchers at Johns Hopkins stated that while the flaw is there, the technique requires hacking Apple’s server infrastructure, which is difficult even with a team of highly trained software engineers. The only other way to obtain this information is to get Apple to participate and willingly release the information, which recent cases have shown is unlikely to happen.

The best way for iOS users to protect themselves is to upgrade their OS to the newest version to ensure the flaw has been repaired. Older versions of the operating system still contain the flaw that can potentially be exploited by law enforcement or hackers.