Johns Hopkins University researchers exploited a flaw in the security of Apple’s iMessage service in order to steal videos and text sent via the app. The group, headed by computer science professor Matthew Green, spent several months on the effort and submitted their findings to Apple so the computer hardware giant could issue a fix with this week’s iOS 9.3 update.
The hack involved mimicking an Apple server and repeatedly pinging the target iPhone with guesses at a 64-digit decryption key — the phone would respond with an affirmative when a digit was correct, so breaking through was only a matter of time.
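A toy model of the per-digit confirmation described above, added here as an illustration; it is not the researchers' code and does not reproduce Apple's protocol. The hexadecimal alphabet, the class names and both device interfaces are assumptions made for the example, which counts how many guesses each design allows.

```python
import hmac
import secrets

ALPHABET = "0123456789abcdef"  # assumption: the article only says "64-digit"
KEY_LEN = 64


def make_key():
    """Constructed sample key; generated locally, not a real value."""
    return "".join(secrets.choice(ALPHABET) for _ in range(KEY_LEN))


class LeakyDevice:
    """Hypothetical device that confirms each digit on its own."""

    def __init__(self, key):
        self._key = key
        self.queries = 0

    def check_digit(self, pos, digit):
        self.queries += 1
        return self._key[pos] == digit


class AllOrNothingDevice:
    """Hypothetical hardened device: one verdict for the whole key."""

    def __init__(self, key):
        self._key = key
        self.queries = 0

    def check_key(self, guess):
        self.queries += 1
        # Constant-time comparison, so timing gives no per-digit hint either.
        return hmac.compare_digest(guess, self._key)


def recover_with_digit_feedback(device):
    """Each position is settled independently of all the others."""
    return "".join(
        next(d for d in ALPHABET if device.check_digit(pos, d))
        for pos in range(KEY_LEN)
    )


def worst_case_guesses(per_digit_feedback):
    """Upper bound on guesses: linear with feedback, exponential without."""
    n = len(ALPHABET)
    return KEY_LEN * n if per_digit_feedback else n ** KEY_LEN
```

With per-digit feedback the bound is 64 × 16 = 1,024 guesses; without it the search space is 16^64, which is why a response that distinguishes a partly correct guess from a wrong one is the defect to look for.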
Apple is currently embroiled in a legal battle with the United States government over the government’s demand that Apple help it break into the password-protected iPhone of San Bernardino, Calif. mass shooters Syed Rizwan Farook and Tashfeen Malik. “Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right,” Green told The Washington Post. “So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.”
Green and his student researchers plan to publish a paper on the hack once the exploitation is resolved.
CEO Tim Cook addressed the ongoing suit Monday, during Apple’s media event in which the next generation of iPhone was unveiled.
“About a month ago, we asked Americans across the country to join in a conversation. We need to decide as a nation how much power the government should have over our data and over our privacy,” Cook said. “I’ve been humbled and deeply grateful for the outpouring of support that we’ve received from Americans across the country over all walks of life.”
The U.S. Justice Department asserts that it doesn’t want Apple to produce a backdoor through the iPhone’s security, but rather to remove one device’s password protection.