Researchers at the Johns Hopkins University have discovered a bug in iOS that could allow hackers to bypass Apple’s encryption. The flaw has the potential to expose photos, messages, and other personal data stored on iOS devices, but Apple has already promised a fix.
The finding comes just as Apple is embattled in a dispute against the FBI and the Justice Department over encryption and iPhone backdoors. However, it wouldn’t allow law enforcers to gain access to the iPhone used by San Bernardino shooter Syed Farook.
Despite that, “it shatters the notion that strong commercial encryption has left no opening for law enforcement and hackers,” reports The Washington Post, citing Matthew D. Green, a computer science professor at Johns Hopkins University who led the research team.
“Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right,” Green added. “So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.”
The DoJ insists that it is not asking Apple to weaken its encryption, but dismantle security on one device so that the passcode lock can by bypassed. Apple argues that creating a tool to do this leaves million of iOS users around the world vulnerable to bad actors.
Should the tool fall into the wrong hands, it could be used to unlock other devices. It could also set a precedent that other law enforcement agencies and other countries would look to exploit when they obtain other iPhones and iPads used by suspected criminals.
As for the hole discovered by researchers, Apple has already vowed to fix that in iOS 9.3.
“Apple works hard to make our software more secure with every release,” the company said in a statement to The Washington Post. The issue was “partially fixed” last fall with iOS 9, but it will be fully address in the update that will rollout to all today.
“We appreciate the team of researchers that identified this bug and brought it to our attention so we could patch the vulnerability,” Apple added. “Security requires constant dedication and we’re grateful to have a community of developers and researchers who help us stay ahead.”
Green suspected there could be a flaw in iMessage while reading Apple’s security guide last year. He raised his concern with the company’s engineers, then waited a few months before he and a bunch of students set about exploiting the flaw.
Using a piece of software that mimics an Apple server, the researchers were able to intercept an encrypted transmission containing a link to a photo stored in iCloud — as well as the 64-digit key to decrypt it.
Although the researchers could not see the digits of that key, they guessed it by changing a digit or letter one at a time and sending it back to the phone. They did this thousands of times until they had the key, Green explained.
“A modified version of the attack would also work on later operating systems, Green said, adding that it would likely have taken the hacking skills of a nation-state.”
Updating to iOS 9.3 later today will eliminate this flaw and prevent such attacks. We expect the update to be available right after Apple’s big keynote.[via The Washington Post]