The researchers, led by Matthew Green of Johns Hopkins’ Information Security Institute, published a paper detailing the exploit on Monday afternoon. Its publication was timed to coincide with Apple’s release of a new version of its operating system that same day. The latest version addresses the vulnerability—but the attack a reminder that digital security is a constant, uphill battle, and that even the best encryption is a far cry from an unbreakable safe.
“Apple has great cryptographic engineers and yet they still got this wrong,” said Christina Garman, one of the Johns Hopkins researchers. “Encryption is hard enough to get right when only the intended recipients should be reading things, let alone when you're trying to add in back doors, front doors, etc.” Garman was referring to the FBI's ongoing efforts to force Apple to unlock the iPhone that was in the possession of Syed Farook, one of the San Bernardino shooters. Apple has so far refused to play along with the government’s request.
The encryption that Green’s team attacked is unrelated to the security systems that protect the San Bernardino iPhone, but the vulnerability they found underscores the fact that there are a variety of ways of circumventing encryption. It also reinforces an argument made by a group of experts in a paper published by Harvard’s Berkman Center for Internet and Society last month: that the proliferation of Internet-connected devices has provided law enforcement with ample avenues for monitoring and surveilling its targets. (The FBI says hacking individual devices is too resource-intensive; it prefers relying on subpoenas and court orders to access the information it needs.)
The Johns Hopkins paper is also an encouraging moment for Apple’s slow move toward opening up the workings of its products to outsiders. Garman says the researchers first discovered the bug when they read a high-level description of the iMessage encryption system that Apple published in a security paper.
The authors reached out to Apple in November, once they had successfully crafted their attack on iMessage encryption. “They were very responsive and took our disclosure quite seriously,” Garman said.
But the flaw took a while to fix, because it wasn’t limited to iMessage. “Apple had to fix other apps, but won't say what,” said Ian Meyers, another co-author, on Twitter.
The actual code that protects iMessages remains private. That runs against the recommendations of cryptographers and security researchers, who prefer open-source encryption protocols that can anyone can test and attack. For example, the encryption behind Signal, an application that allows users to text and call one another privately, has been vetted by the developer community, earning a stamp of approval from Green. (“After reading the code, I literally discovered a line of drool running down my face,” reads a testimonial from Green on Signal’s homepage. “It’s really nice.”)