Johns Hopkins University professor Matthew Green says a hard-to-exploit zero-day vulnerability in iOS encryption allows skilled attackers to decrypt intercepted iMessages.
Replication steps for the bug have been withheld until Apple releases a patch for the latest stable iOS 9 version.
Green told The Washington Post he and his student team of Ian Miers, Christina Garman, Gabriel Kaptchuk, and Michael Rushanan could eventually guess the key required to view encrypted iCloud photos and videos.
The team spun up an Apple server and sent key digit guesses to an iPhone running an old version of iOS, which in turn indicated when each key was correct.
Thousands of attempts later and the key was cracked.
"And now you have 14 hours to guess what the attack is. As a hint, no, it's not a bug in how Apple stores or encrypts attachments." — Ian Miers (@secparam), March 21, 2016
Green says the attack applies to the latest iOS but would be largely restricted to "nation-state"-grade skilled attackers.
He says police could use it to obtain photos and videos sent using iMessage.
iOS 9.3 beta is unaffected and will be released as stable shortly.
“Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right,” Green told WaPo.
“So it scares me that we’re having this conversation about adding backdoors to encryption when we can’t even get basic encryption right.”
Green says he suspected the flaw when reading guidance that appeared to describe a borked encryption schema, and began research after tipping off Apple.
Apple says it partially fixed the flaw when it released iOS 9, a platform used by half of all active users, and thanked the university team for their research.