Hack Brief: Update iOS Now to Fix a Serious iMessage Crypto Flaw

An iMessage flaw found by Johns Hopkins University researchers could strip the encryption from photos and videos sent across Apple's network.
WIRED

As Apple battles the FBI in court to fight the demand that the company help crack its own encryption, it's helpful to remember: Crypto systems are pretty fragile to begin with. And nothing illustrates that better than Apple today pushing out a fix to a security flaw that could have left millions of supposedly secured photos and videos exposed to eavesdroppers. If you normally wait a while to update to the latest iOS, you should make an exception in this case, and do it now.

The Hack

In its release of iOS 9.3 on Monday, Apple has also included a patch that's meant to repair a serious flaw in its iMessage encryption system. The fix comes in response to a possible attack revealed by researchers at Johns Hopkins University, who privately informed Apple of the problem in November of last year.

The researchers' method, which they previewed to the Washington Post and will fully detail in an upcoming paper, takes advantage of how iMessage sends photos, videos and other files: it stores them in encrypted form on an Apple server, along with an encrypted key to decrypt them, and then allows the intended recipient to download that data.

If attackers can obtain that encrypted message, they can impersonate an Apple server (as far as the recipient's phone is concerned) and repeatedly send different versions of the encrypted file and key, each one with a tiny portion of the message altered. How the phone responds to the attacker's purposeful deformations---whether it accepts the form of the message or rejects it as invalid---reveals tiny hints about the contents. After about 130,000 of those attempts, the attacker can determine the entire key and decrypt the file. And because the server gives the phone an invalid download location of the target file that causes it to ultimately ignore every request, that entire interaction with the intended recipient's phone isn't revealed in messages popping up on his or her screen. "The user never sees it, the phone never displays anything," says Ian Miers, one of the graduate researchers who developed the attack. "But the [recipient's] computer has tried to reach out and grab the file, and we get to observe that and see whether we crafted the message correctly."
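The accept-or-reject leak described above can be seen in a small model. This is an added example, not code from the researchers or from Apple, and it does not reproduce iMessage's real format or Apple's patch: the toy cipher, the "printable text" format rule, the sample message and all function names are assumptions. It compares a receiver whose verdict depends on the decrypted contents with one that verifies an integrity tag over the ciphertext first, which is the general mitigation for this class of flaw.

```python
import hashlib
import hmac
import os

TAG_LEN, NONCE_LEN = 32, 12
PLAINTEXT = b"Meet at 10:30 by Gate B"   # constructed sample message

def keystream(key, nonce, n):
    # Toy stream cipher (HMAC-SHA256 in counter mode), for illustration only.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal(enc_key, mac_key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    body = nonce + xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def decrypt(enc_key, body):
    nonce, ct = body[:NONCE_LEN], body[NONCE_LEN:]
    return xor(ct, keystream(enc_key, nonce, len(ct)))

def receive_format_only(enc_key, mac_key, blob):
    # Weak: never checks the tag; the verdict depends on the decrypted contents.
    pt = decrypt(enc_key, blob[:-TAG_LEN])
    return all(0x20 <= b <= 0x7E for b in pt)   # hypothetical format rule

def receive_authenticated(enc_key, mac_key, blob):
    # Hardened: verify the tag over the ciphertext before decrypting anything.
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False
    return all(0x20 <= b <= 0x7E for b in decrypt(enc_key, body))

def verdicts(receiver, enc_key, mac_key, blob):
    # Receiver's accept/reject answer for each copy with one ciphertext bit altered.
    out = []
    for i in range(NONCE_LEN, len(blob) - TAG_LEN):
        altered = bytearray(blob)
        altered[i] ^= 0x20
        out.append(receiver(enc_key, mac_key, bytes(altered)))
    return out

if __name__ == "__main__":
    ek, mk = os.urandom(32), os.urandom(32)
    blob = seal(ek, mk, PLAINTEXT)
    print("format-only  :", verdicts(receive_format_only, ek, mk, blob))
    print("authenticated:", verdicts(receive_authenticated, ek, mk, blob))
```

The format-only receiver's answers track the plaintext (altered copies are accepted exactly where the message has a letter), while the authenticated receiver gives the same rejection for every altered copy.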

Who's Affected?

First, the good news: iOS 9.3, which Apple released today along with a parallel update Apple is releasing for the desktop version of iMessage, fixes the flaw. And the Johns Hopkins researchers kept the attack carefully under wraps until those patches were public. But now the bad news: anyone who doesn't install the update to both their iPhone and their OS X iMessage client could still potentially have files that are sent to them decrypted using the technique. And it's important to note that the recipient, not the sender, is the one whose devices must be patched to fully prevent the attack.

Even before today's patch, older versions of iOS were more vulnerable to the attack than more recent ones. One major hurdle of the technique is that---as in all encryption attacks---the attackers need to somehow already get their hands on whatever message they're hoping to decrypt. That encrypted file can be obtained from a law enforcement request or by hacking Apple's servers. But there's an easier way to get messages off phones running any iOS version before iOS 9: if the cryptographic certificate Apple uses to authenticate users can be spoofed, the encrypted message could also be obtained by eavesdroppers on the user's network. After iOS 9, Apple implemented "certificate pinning," a measure designed to prevent that spoofing.

How Serious Is This?

The Johns Hopkins researchers' work represents a rare and deep crack in Apple's encryption protections. But Miers says that the average iPhone owner shouldn't panic: For more recent versions of iOS, at least, the technique requires hacking Apple's server infrastructure or obtaining the company's cooperation through legal demands. Even so, he advises that everyone should update immediately, not just those concerned with highly motivated hackers or law enforcement.

Miers says the larger point applies to the ongoing conversation around mandating backdoors in encryption, and the FBI's standoff with Apple over its demand that the company help crack the encrypted iPhone of San Bernardino killer Syed Rizwan Farook. In fact, Apple had already come under fire from the DEA in 2013 specifically because of the encryption measures in iMessage. But even without law enforcement backdoors or special assistance from the company in cracking its own encryption, it turns out that iMessage's data protections had significant flaws of their own, which law enforcement could have exploited.

"The real message is that encryption is hard. People thought iMessage was secure, and wanted to add ways for law enforcement to get access to it," says Johns Hopkins' Miers. "It’s hard [to protect data] even when you don’t to do that. When you do, you make it even harder."