Researchers find flaw in iMessage encryption

Posted at 3:19 PM, Mar 21, 2016

NEW YORK (AP) — Much has been made of both the benefits and dangers that come with strong encryption, especially the methods used by Apple to secure its devices. But new research shows that Apple's security isn't as impenetrable as both the company and its critics claim.

A team from Johns Hopkins University says it found a security bug in iMessage, the encrypted messaging platform used on Apple's phones and other devices. The bug would allow hackers under certain circumstances to decrypt some messages.

The team's paper is extremely critical of iMessage's encryption technology, citing "significant vulnerabilities that can be exploited by a sophisticated attacker." And it argues that in the long term, the technology needs to be replaced with a more modern mechanism.

The paper was published on Monday after Apple's release of a patch fully fixing the bug. The Johns Hopkins team reported its findings to Apple in November.

But perhaps more significantly, the discovery is a blow to government arguments that Apple's encryption technology makes it impossible for law enforcement to access information stored on devices connected to criminal investigations. Apple itself maintains that iMessage's encryption is top-of-the-line and the same kind used by banks and the military.

"The main point is that encryption is hard to get right," said Ian Miers, a computer science doctoral student at Johns Hopkins in Baltimore and one of the paper's authors. "Imagine the number of things that could go wrong if you have more complicated requirements like a back door."

Some government and law enforcement officials argue that companies that use encryption in their products and services should be required to include a so-called "back door," which would give law enforcement officials armed with warrants a way to access encrypted information as part of investigations. But efforts to pass legislation that would do that have failed to gain traction.

Apple has come under fire for refusing to create and provide the government with a software tool that would help investigators unlock an encrypted iPhone used by one of the killers in the San Bernardino mass shooting. The company and its supporters have argued that doing so would threaten data security for millions by creating essentially a master key that could later be duplicated and used against other phones.

A federal magistrate will hear arguments from both sides on Tuesday.

Apple Inc. released a statement Monday saying that it appreciated the Johns Hopkins team's efforts in identifying the bug and bringing it to its attention. It also noted that some of the problems identified in the paper were fixed with the fall release of iOS 9. Monday's release of iOS 9.3 included additional protections.

"Security requires constant dedication and we're grateful to have a community of developers and researchers who help us stay ahead," Apple said.