Saturday, March 26, 2016

iMessage shown to have encryption flaw

Discussion article here:

Apparently, the research has found:

"It took a few months, but they succeeded, targeting phones that were not using the latest operating system on iMessage, which launched in 2011.

"To intercept a file, the researchers wrote software to mimic an Apple server. The encrypted transmission they targeted contained a link to the photo stored in Apple’s iCloud server as well as a 64-digit key to decrypt the photo.

"Although the students could not see the key’s digits, they guessed at them by a repetitive process of changing a digit or a letter in the key and sending it back to the target phone. Each time they guessed a digit correctly, the phone accepted it. They probed the phone in this way thousands of times.

“And we kept doing that,” Green said, “until we had the key.

"With the key, the team was able to retrieve the photo from Apple’s server. If it had been a true attack, the user would not have known.

"To prevent the attack from working, users should update their devices to iOS 9.3. Otherwise, their phones and laptops could still be vulnerable, Green said."

The research report is here:

No comments: