The vulnerabilities were patched today with the release of iOS 9.3 and an updated version of OS X. Of perhaps larger importance is the context they bring to the ongoing Apple-FBI legal fight over encryption. The team of Green and students Ian Miers, Christina Garman, Gabriel Kaptchuk and Michael Rushanan demonstrated how a resourced attacker could pick apart flaws in what is widely considered the most secure, commercial messaging platform to get at messages sent to a target phone. They contend that the FBI’s court order for the introduction of intentionally weak crypto, or other proposals such as key escrow, aren’t necessary when security issues like these can be ferreted out.
Apple's iMessage system has a cryptography flaw that allowed researchers to decrypt a photo stored in iCloud, the Washington Post reported on Sunday. The researchers, led by cryptography expert Matthew D. Green of Johns Hopkins University, wrote software that mimicked an Apple server and then targeted an encrypted photo stored on iCloud, the publication reported. They were able to obtain the decryption key by repeatedly guessing each of its 64 digits. When a correct digit was guessed, the phone let them know if it was correct. Further technical details were not available.