Just when the FBI is hard at work trying to find a way to break into the San Bernardino iPhone, a team of researchers at Johns Hopkins University has uncovered a flaw in Apple encryption that could have helped the law enforcement agency to crack the device.
The bug could pave the way for hackers to decrypt otherwise secure communications between iOS devices, peering into private photos, videos and instant messages. Specifically, the flaw involves the iMessage service, a platform used by Apple customers to send instant messages. The discovery undercuts the belief that iPhone encryption is completely sure-fire. It is not at all foolproof.
Johns Hopkins University’s findings would make the legal battle between the FBI and Apple, in which the agency is forcing the company to develop software that could bypass the encryption protocol, pointless if Apple did not release a patch for the flaw. But that is not the case, as Apple has already confirmed that a fix is underway for the latest operating system, iOS 9.3.
While the Apple-FBI legal strife revolves around data stored on an iPhone, the Johns Hopkins University researchers’ discovery zeroed in on data in transit between two devices. The common ground is the flaw found in the encryption software, which could lead to greater security loopholes across the entire infrastructure.
How did the researchers manage to intercept a file stored in an iPhone? The cryptography experts developed a software tool that imitates an Apple server. The clone software then targeted a transmission that involved a photo stored on the iCloud server. The targeted transmission also included a 64-digit key used to decrypt the data.
The key’s digits were not visible to the researchers, but they managed to guess the key by repeatedly altering a character in the key and transmitting each iteration to the targeted device until they were able to guess the exact digits. According to the researchers, they repeated the process thousands of times until they succeeded. The process also works on the later versions of the iOS operating system.
Once they had guessed the key, the researchers were able to recover the photo from Apple’s server. The attack was stealthy, so the user would not have known about it had it been a real-life scenario, according to the researchers.
Fortunately, the tactic would not work on iOS devices running version 9.3. Part of the security loophole is the lack of third-party assessment of Apple’s encryption, the researchers claim.