A group of researchers from Johns Hopkins University have discovered a bug in Apple's encryption system that could allow attackers to decode photos and videos in iMessage. The discovery comes amidst Apple's dispute with the Federal Investigation Bureau (FBI) over user data encryption.
Mathew Green, computer science professor at Johns Hopkins University, who led the research, said: "Even Apple, with all their skills - and they have terrific cryptographers - wasn't able to quite get this right. So it scares me that we're having this conversation about adding back doors to encryption when we can't even get basic encryption right."
The decryption could be possible due to a flaw in iMessage, suspects Green after he read an Apple security guide describing the encryption process. He claims to have alerted the engineers about his concerns. But the issue still existed even after a few months, when he and his team decided to carry out an operation demonstrating how to pierce the encryption on photos and videos in iMessages.
The researchers took a few months to do it. They mimicked an Apple server through software to intercept a file. The encrypted transmission contained a link to the photos stored in Apple's iCloud server and 64-digit key used to decode the photos.
Green added that a modified version of the decryption would also work on the later version of iOS. In order to safeguard iOS devices, Green advises users to update them to iOS 9.3.
He said experts at the National Security Agency could have easily caught hold of the flaw. "If you put resources into it, you will come across something like this," he added.
In a statement issued to the Chicago Tribune, the iPhone maker said: "Apple works hard to make our software more secure with every release. We appreciate the team of researchers that identified this bug and brought it to our attention so we could patch the vulnerability. . . Security requires constant dedication and we're grateful to have a community of developers and researchers who help us stay ahead."
Apple said it has partially fixed the problem with iOS 9 and the issue would be completely resolved in the latest iOS 9 iteration, iOS 9.3.
Christopher Soghoian, principal technologist at the American Civil Liberties Union, said: "The cryptographic history books are filled with examples of crypto-algorithms designed behind closed doors that failed spectacularly."
The better approach, according to Soghoian, is to have an open design. He said encryption protocols are created by researchers at Open Whisper Systems. Although they publish their code and designs, the encryption keys generated by senders and users remain a secret.