Software Integrity Blog


Apple iMessage vulnerability patched in iOS 9.3

Communications via Apple’s popular iMessage are vulnerable with a software flaw that could allow attackers to decrypt a photo stored on the company’s iCloud backup system, according to Matthew D. Green, a computer science professor at Johns Hopkins University. Green led the research team that found the bug in Apple’s encryption that would enable an attacker to decrypt photos and videos sent as secure instant messages. It would not, according to the, allow an attacker to decrypt an entire iPhone, however.

The attack, possible on iOS versions 9.2 and below, mimics Apple’s own server and targets photos stored in Apple’s iCloud. If an iMessage message contains a link to an encrypted photo on Apple’s iCloud, then an attacker could ping the iPhone with a guess at its 64-bit encryption key. If the guess is wrong, the software changes one digit, then tries again. When the guess is correct, it was a matter of having the software repeat the process thousands of times, instead of stopping the attack earlier.

An Apple representative provided Ars Technica with the following statement: “Apple works hard to make our software more secure with every release. We appreciate the team of researchers that identified this bug and brought it to our attention so we could patch the vulnerability. Security improvements in iOS 9.0 blocked external attackers from performing the message intercept necessary to perform the attack identified in this report. Further targeted protections have been added in the beta version of iOS 9.3 and will be included in the public release for all users. Security requires constant dedication and we’re grateful to have a community of developers and researchers who help us stay ahead.”

Apparently this was a known problem. Apple tried to fix this last fall when it released its iOS 9 operating system. The company said iOS 9.3 release on Monday should finally address the underlying problem.

Learn strategies designed specifically to address mobile’s unique security challenges.

More by this author