iMessage encryption vulnerable to attacks

A team of researchers from the Johns Hopkins University led by Christina Garman and cryptography expert, Matthew Green recently discovered several issues relating to Apple's iMessage encryption. They revealed their findings at Usenix Security Symposium. This was immediately followed by Apple's initiative to add a series of short and long-term defences to the iMessage protocol.

The team's research was based on a ‘chosen cipher text attack’ on the iMessage protocol's encryption.

This allowed them to decrypt certain types of iMessage data and attachments while the sender or receiver was online. Although, it only worked on cipher texts containing gzip compressed data.

The researchers have thus, named their attack the 'Gzip Format Oracle Attack.' According to the researchers, this attack can be carried out anywhere but will require a high-level of technical expertise by the attacker.

Adding to this, they also found several flaws in how iMessage handles device registration and key distribution mechanisms.

The researchers pointed out how Apple doesn't rotate encryption keys at regular intervals. This makes it easy for attackers to make use of the same strategy to hack the device over and over again.

“Overall our determination is that while iMessage's end-to-end encryption protocol is an improvement over systems that use encryption on network traffic only (e.g., Google Hangouts), messages sent through iMessage may not be secure against sophisticated adversaries. Our results show that an attacker who obtains iMessage ciphertexts can, at least for some types of messages, retrospectively decrypt traffic,” their research paper said.

The good news is that Apple has been able to implement most of their suggestions, thereby; eliminating most possibilities of an attack. According to the researchers, it is best that Apple replaces the iMessage encryption itself. Until then, iMessage will continue to remain vulnerable to any form of attack.