Scientists from Johns Hopkins University crunch through Apple encryption
Apple may be renowned for its advanced encryption, but a team of researchers from Johns Hopkins University in Baltimore, Maryland, has discovered a bug that could allow photos and videos to be easily decrypted by attackers.
“Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right. So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right,” computer science professor Matthew D. Green, who led the study, told The Washington Post.
His team of graduate students is set to publish a paper on the ‘attack’ they staged to break the encryption. The article will appear after Apple launches its new iOS 9.3 update, which will not have this bug.
The study took several months, but the group succeeded. They targeted devices which used iMessage in the operating systems launched before 2011.
To intercept a file, the scientists designed special software to mimic an Apple server. Then, they chose the encrypted transmission they wanted to decrypt: each contained a link to the photo in iCloud, as well as a 64-digit key to decrypt the picture.
The students couldn’t see the digits, but they took as many guesses as they wanted, by changing a digit or a letter in the key, and sending it back to the device they were targeting.
Each time a guess was correct, the targeted phone accepted the digit.
So they had to try it thousands of times, and “kept doing that until they had the key,” Green said.
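Why per-digit feedback is the flaw, shown as a toy model added here (not the researchers' code and not Apple's protocol): when a receiver confirms one position at a time, the guessing cost adds up across positions instead of multiplying. The `ToyDevice` class, the hex alphabet and both check functions are assumptions made for illustration.

```python
import secrets

HEX = "0123456789abcdef"   # assumption: the key's "digits" are hex characters
KEY_LEN = 64               # the article's 64-digit key


class ToyDevice:
    """Constructed stand-in for the targeted phone; not Apple's protocol."""

    def __init__(self, key):
        self._key = key
        self.queries = 0

    def accepts_digit(self, pos, digit):
        # Leaky check: answers yes/no for a single position.
        self.queries += 1
        return self._key[pos] == digit

    def accepts_whole(self, guess):
        # All-or-nothing check: one answer for the entire key.
        self.queries += 1
        return secrets.compare_digest(self._key, guess)


def random_key():
    return "".join(secrets.choice(HEX) for _ in range(KEY_LEN))


def recover_with_per_digit_feedback(device):
    # Each position is settled independently, so the work adds up
    # (64 * 16 guesses at most) instead of multiplying (16 ** 64).
    return "".join(
        next(d for d in HEX if device.accepts_digit(pos, d))
        for pos in range(KEY_LEN)
    )


def demo():
    leaky = ToyDevice(random_key())
    recovered_ok = recover_with_per_digit_feedback(leaky) == leaky._key
    # Spend the same number of guesses against an all-or-nothing check.
    strict = ToyDevice(random_key())
    hits = sum(strict.accepts_whole(random_key()) for _ in range(leaky.queries))
    return recovered_ok, leaky.queries, hits


if __name__ == "__main__":
    print(demo(), "worst case:", KEY_LEN * len(HEX), "vs", len(HEX) ** KEY_LEN)
```

The design lesson for anyone building a receiver is that a rejected message should reveal nothing about which part was wrong, so every guess costs a full-keyspace attempt.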
The news comes amid the backdrop of Apple’s legal battle with the FBI. The bureau is demanding that the tech giant pull data from an iPhone found following December’s attacks in San Bernardino, California, when 14 people were killed in a shooting spree.
The Justice Department, in turn, has stated that it is not asking for encryption to be made weaker; instead, it has requested the dismantling of the password on one particular device to give the FBI the chance to access the data without the risk of losing it by typing in the wrong password too many times.
However, professor Green told The Washington Post that tampering with a device’s security in any way could do more harm than good, and could hurt security in general.
Following the researchers’ encryption breach, Apple issued a statement saying that the company “works hard” to make its systems “more secure with every release.”
“We appreciate the team of researchers that identified this bug and brought it to our attention so we could patch the vulnerability… Security requires constant dedication and we’re grateful to have a community of developers and researchers who help us stay ahead.”
The statement concluded that the issue should be addressed in the latest iOS 9.3, set to be unveiled later on Monday.