Johns Hopkins University Team Finds Weakness in Apple Encryption

The FBI was recently pushing for Apple to advertently weaken their encryption technology so that they could crack a terrorist’s iPhone. But based on a recent report from Johns Hopkins University, Apple’s mobile encryption technology is already flawed—or at least, it was.

According to the Washington Post, Johns Hopkins computer science professor Matthew Green recently convened the research team that found this particular zero-day flaw. At first, Green and his research team were mum about exactly how they attacked Apple’s encryption. Their silence gave Apple time to address the flaw and release a patch without having to worry about hackers exploiting the flaw.

Now that Apple has patched the issue, the Johns Hopkins team has revealed the specifics of their attack. Last year, Green began suspecting that the encryption on Apple’s iMessage platform might be weak. He notified Apple, but when the company failed to patch the flaw, he decided to organize a research team to exploit it.

Specifically, Green figured that he and his students could break through iMessage’s encryption to access photos or videos that had been sent via the app. To test the theory, the research team built software to mimic an Apple iCloud server and then tried breaching iMessage’s encryption to access a photo stored on the server.

To pierce the encryption, Green’s team had to guess a 64-digit key—not an easy task, considering that the key includes letters and numbers in a random configuration. In fact, normally, using a guessing system for a 64-digit key would be a downright hopeless way of figuring out the code—hence why Apple is using such a key for iMessage encryption. The problem is that, when Green’s team sent key requests to an iPhone running an old version of iOS, they were able to figure out when they had guessed a specific digit correctly. Every time a key request had the correct letter or number in the correct spot, the iPhone would accept the key.

Slowly but surely, Green’s team deciphered more and more parts of the code, until they had all 64 digits. Once that happened, Apple’s encryption was toast, and they were able to access and view the photo on the server.

Of course, not all hackers are going to go through the process of making thousands upon thousands of key requests to look at the photos or videos you’ve sent via iMessage. Furthermore, by downloading the latest version of iMessage and iOS, you shouldn’t have to worry about this issue. Still, the fact that Apple’s encryption could be cracked by a rudimentary trial and error system shows that, while modern encryption is usually secure, it’s still not perfect.

“Even Apple, with all their skills—and they have terrific cryptographers—wasn’t able to quite get this right,” Green said to the Washington Post. “So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.”