John Hopkins University researchers find a bug in Apple’s iMessage encryption

A group of Johns Hopkins University researchers has found a bug Apple’s encryption, one that would enable a “skilled attacker” to decrypt photos and videos sent as secure instant messages with Apple’s iMessage/Messages app/service, reports The Washington Post.

iMessage lets you send messages back and forth with anyone on iPad, iPhone, iPod touch, or a Mac using the Message apps on the devices. You can send photos, videos, locations, and contacts, too. You can text and send photos and videos via MMS to other mobile phones over cellular networks.  The iMessage service is free and unlimited for anyone texting over Wi-Fi using an iOS device or Mac. Apple has always described the service as “secure.”

"Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right,” Matthew D. Green, a computer science professor at Johns Hopkins University who led the research team, told the publication. Green, whose team of graduate students will publish a paper describing the attack as soon as Apple issues a patch. “So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.”

Green suspected there might be a flaw in iMessage last year after he read an Apple security guide describing the encryption process and it struck him as weak. He said he alerted the firm’s engineers to his concern. When a few months passed and the flaw remained, he and his graduate students decided to mount an attack to show that they could pierce the encryption on photos or videos sent through iMessage.