Law enforcement agencies have been constantly bashing software companies over their use of strong encryption and privacy measures. This fight recently came to a head when the FBI and DOJ started going after Apple and its engineers for the encryption found on iPhones. But researchers at Johns Hopkins University have broken Apple’s encryption.
Security researchers and students at Johns Hopkins have found a flaw in Apple’s software that would allow an attacker to steal data sent from iMessage on an iPhone via the company’s iCloud. However, this flaw wouldn’t allow the FBI to get inside the San Bernardino shooter’s iPhone, or the dozens of other iPhones currently in the hands of law enforcement agencies. The researchers focused on intercepting data that was being sent between devices, whereas the FBI is looking to break on-device encryption.
However, this encryption flaw, recently discovered by Matthew Green and his team, is another piece of proof that shows that, even with the best engineers, encryption is a very hard problem to solve. In other words, going around and intentionally poking holes in a device’s security is a very bad idea. Green explained:
"Even Apple, with all their skills - and they have terrific cryptographers - wasn't able to quite get this right. So it scares me that we're having this conversation about adding back doors to encryption when we can't even get basic encryption right."
The encryption flaw that was discovered relates to the way iMessage encrypts file transfers and sends them through Apple’s servers. The researchers demonstrated that an attacker could intercept a message and probe the device that sent it for the encryption key, eventually decrypting the message and getting access to its iCloud copy.
Apple said it was happy that the researchers reported the flaw and that a patched version of the affected software will be available in iOS 9.3.
Source: Chicago Tribune