When Apple announced the update to its iOS software this week, it was probably hoping that one of its most important changes would slip through unnoticed.
The iOS 9.3 software update includes a fix for a vulnerability in Apple’s iMessage – or texts – that could expose millions of supposedly secure photos and videos to hackers. The flaw affects iMessage on iPhone, iPad and Mac on iOS 9 and earlier. So it’s highly advised to update your software today.
How does it work?
The hack, which was discovered by researchers at Johns Hopkins University and revealed in the Washington Post, exploits the way iMessage sends photos, videos and other files to allow malicious actors to gain access to unencrypted versions of those files.
The way Apple’s encryption works is that files are stored on Apple’s iCloud server along with a 64-digit key that will decrypt them. When the files are sent to the intended device the keys match and the file appears as a decrypted image or video.
The researchers managed to intercept encrypted files that were in transit and use a computer to guess the encryption key until they got it right. It took them a few months, and thousands of guesses, but they eventually got the code right. If a hacker had managed to pull off the attack they would have been able to lift photos and videos from Apple’s server without the phone owner knowing.
The researchers alerted Apple about the flaw back in November. They kept their research a secret until Apple announced the patch.
How can I protect myself?
Download the iOS 9.3 update as soon as possible. Any device that doesn’t have the new software could hold files that were sent using the unencrypted method.
The iMessage flaw is a rare crack in Apple’s normally stalwart encryption. The hack also requires hacking Apple’s server or obtaining access to it through a legal warrant. Both of these would be very difficult. While it’s unlikely that hackers could quickly take advantage of this bug, it is still worth updating your software as soon as you can.
Apple commented that iOS 9.3 offers “targeted protections” against message intercept attacks such as this one.
How it relates to Apple’s fight with the FBI
The news comes in the midst of Apple’s ongoing battle with the FBI over unlocking an iPhone belonging to San Bernardino shooter Syed Rizwan Farook. Apple has argued it would set a “dangerous precedent” if it were to create a workaround for Farook’s iPhone 5c to help the FBI investigate the San Bernardino shooting, which left 14 people in California dead.
The two institutions were due in court this week, but the hearing was postponed so the FBI could test a possible alternative method for unlocking the phone.
The encryption flaw in Apple’s iMessage, fixed in iOS 9.3, would probably be of little help to the FBI, which is trying to access data stored on Farook’s phone as opposed to data in transit. But it is a stark reminder that such systems are not watertight, and reveals that encryption can leave openings for law enforcement and hackers.