Tech by VICE

Researchers Find iMessage Vulnerability, Decrypt Photos and Videos

The attack could have implications for other apps too.

by Joseph Cox
Mar 21 2016, 10:30am


Even when software is explicitly designed to protect sensitive data, there will always be bugs.

On Monday, researchers from Johns Hopkins University will detail an attack that would enable a sophisticated attacker to decrypt photos and videos sent using Apple's iMessage service, The Washington Post reports.

"We appreciate the team of researchers that identified this bug and brought it to our attention so we could patch the vulnerability," Apple told the paper in a statement.

Very few technical details are available at the moment, however. Researchers led by Matthew Green will publish their paper after a patch has been issued. That patch will come with the iOS 9.3 update, which is shipping later today.

The Washington Post reports that the researchers created software to mimic an Apple server, and targeted their attack at an encrypted message which included a link to a photo stored in Apple's iCloud and a 64-digit key to decrypt the photo.

Each time the researchers guessed one of the key's digits and sent it to the target phone, the phone accepted any correct digits. They then repeated this process until they obtained the full key. Green told The Washington Post that the attack would likely require the skills of a nation state.
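The digit-by-digit guessing described above can be modelled in a few lines. This is an added example, not the researchers' code: the `Receiver` class, the use of hexadecimal digits and the yes/no interface are assumptions standing in for details that have not been published. It sets per-digit feedback beside an all-or-nothing check to show why confirming individual digits collapses the search space.

```python
import secrets

HEX = "0123456789abcdef"  # assumption: the article only says "digits"
KEY_LEN = 64              # the "64-digit key" from the article

class Receiver:
    """Constructed stand-in for the target device; counts guesses received."""
    def __init__(self, key):
        self._key = key
        self.queries = 0

    def accepts_digit(self, position, digit):
        # Leaky check: confirms a single guessed digit.
        self.queries += 1
        return self._key[position] == digit

    def accepts_key(self, candidate):
        # All-or-nothing check: one constant-time answer for the whole key.
        self.queries += 1
        return secrets.compare_digest(self._key, candidate)

def make_key():
    """Constructed random sample key."""
    return "".join(secrets.choice(HEX) for _ in range(KEY_LEN))

def recover_with_digit_feedback(receiver):
    """Each position is settled independently, so the work is additive."""
    recovered = []
    for position in range(KEY_LEN):
        for digit in HEX:
            if receiver.accepts_digit(position, digit):
                recovered.append(digit)
                break
    return "".join(recovered)

def worst_case_guesses(per_digit_feedback):
    """Upper bound on guesses needed under each kind of check."""
    if per_digit_feedback:
        return len(HEX) * KEY_LEN   # 16 * 64
    return len(HEX) ** KEY_LEN      # 16 ** 64

if __name__ == "__main__":
    key = make_key()
    device = Receiver(key)
    assert recover_with_digit_feedback(device) == key
    print("guesses used with per-digit feedback:", device.queries)
    print("worst case, per-digit feedback:", worst_case_guesses(True))
    print("worst case, all-or-nothing:", worst_case_guesses(False))
```

With per-digit feedback the bound is 1,024 guesses; when the receiver only answers for the whole key, it is 16^64.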

But some involved in the research have indicated that the attack affected more than just iMessage.

"The attack is more interesting than just attachments and affected more than just iMessage. Apple had to fix other apps, but won't say what," Ian Miers, a co-author on the paper, tweeted on Monday.

Experts, including Green, have previously warned about other problems with iMessage, such as the potential for Apple to surreptitiously issue users with rogue encryption keys if forced to do so by law enforcement. This could allow third parties to listen in to messages, as the iMessage software does not provide a means to verify encryption fingerprints.

We'll follow up on this story as more technical details are released.