Sophos Cloud Optix
Well known American cryptographer Matthew Green has just announced a zero-day flaw in Apple’s iMessage, and perhaps in other online Apple services.
Green and a team of students from Johns Hopkins University in Baltimore, Maryland, figured out a cryptographic flaw in the way iPhones interact with Apple’s servers.
(To give them their due, the students are named by The Register as: Ian Miers, Christina Garman, Gabriel Kaptchuk, and Michael Rushanan.)
The hole apparently allows a determined attacker to shake loose photos and videos sent via Apple’s iMessage service by figuring out the needed cryptographic secrets bit-by-bit, photo-by-photo.
In other words, this is not a trivial attack; it doesn’t break open any of your Apple accounts to give open access to crooks; and it doesn’t let an attacker download all your digital treasures in one go.
As far as we can see, you get one photo or video each time you mount the attack, about which the abovementioned Ian Miers has tweeted “you have 14 hours to guess what the attack is.”
That tweet was 8 hours ago [as at 2016-03-21T12:30Z], so perhaps he means that Apple’s fix is coming out in six hours’ time, because the team’s paper will intentionally only be published after Apple ships its patch.
Miers also tweeted that “[t]he attack is more interesting than just attachments and affected more than just iMessage. Apple had to fix other apps, but won’t say what.”
Ah, the mystery!
How does the attack work?
All we know so far is what the Washington Post is saying, presumably based on an interview with Green:
To intercept a file, the researchers wrote software to mimic an Apple server. The encrypted transmission they targeted contained a link to the photo stored in Apple’s iCloud server as well as a 64-digit key to decrypt the photo.
Although the students could not see the key’s digits, they guessed at them by a repetitive process of changing a digit or a letter in the key and sending it back to the target phone. Each time they guessed a digit correctly, the phone accepted it. They probed the phone in this way thousands of times.
“And we kept doing that,” Green said, “until we had the key.”
That’s not terribly helpful (were they letters or digits? were they guessed one at a time? did it take just 64 guesses in sequence, or was a probabilistic approach with lots of retries required? what does ‘the phone accepted it’ mean here?), but it sounds as though the attack has something to do with some sort of “side channel” whereby different sorts of failure are reported in detectably different ways.
To open a 5-lever barrel lock, for example – the sort of lock found on many suburban doors – a crook who wants to pick it has to lift 5 individual locking pins to specific, individual heights inside the barrel, freeing it up so it can turn.
With masses of time, huge amounts of care and precision, and lots of immensely frustrating fiddling, he could try tens of thousands of different combinations until he hit the jackpot, provided he didn’t slip, or lose grip, or miss any of those combinations along the way.
But an experienced lock-picker can open a lock of that sort in minutes, and sometimes even seconds, by using feedback from the lock’s own mechanism to feel when each pin reaches the right position.
He solves the position problem by for the first pin individually, using rotational force on the lock to gauge when he’s right, and then to hold the pin in place.
Then he repeats his fiddling for the the second pin, and the third, and so on until the lock pops open. (Older locks are usually easier to pick because they wear out internally, so the pins “stick” in their rightful positions more readily.)
Very simply put, our lock-picker started with a multiplicative problem, with five pins each in six different positions multiplied out in any combination, and turned it into an additive problem, with five pins each solved for position one-at-a-time.
The difference in approach in our lock-picking example turns the complexity of the solution into 6+6+6+6+6 (a maximum of six choices for five pins individually) instead of 6×6×6×6×6 (six choices for all five pins tried simultaneously).
What to do?
Of course, the attack mounted by Green et al. was almost certainly not as simplistic as picking a worn-out barrel lock.
But it might have some similarities: current reports suggest that some sort of feedback about individual key bits could be extracted one-at-a-time, thus turning an attack that was supposed to require unachievable zillions of guesses into one that was feasible.
Apparently, the fix is in iOS 9.3 Beta, so you’ll be able to learn about the problem and fix it at the same time when the next iOs update comes out.
While you’re waiting, you might want to read about Sophos and #nobackdoors.
As Green pointed out in his interview with the Washington Post, it’s dangerously ironic that some regulators areso keen about putting backdoors – deliberate security vulnerabilities – into encryption technology to ensure that “the right people” can get in…
…at the very same time that the world expects software vendors to get ever-faster at fixing vulnerabilities to ensure that “the wrong people” are kept out.
Image of lock-picking courtesy of Shutterstock.
Ugh…terrible article full of hype. This is a vulnerability with research demonstrating a proof of concept. Not only that, but as your own article states, not much is known about this vulnerability nor the attack methodology needed to exploit it. It’s not a zero-day. That’s for contributing to the problem.
maybe not an SLE (Snowden-Level Event) but still worth mentioning. Plus with the recent Apple backdoor drama it’s still worth reading for the irony factor alone. And yes, yes, yes; I know *that* phone doesn’t fall to this specific vulnerability until successfully someone logs into it.
Duck, couple typos about old barrel locks: [s/our/out] [s/righftul/rightful]
‘they wear our internally, so the pins “stick” in their righftul positions’
Fixed, thanks!
As far as I can see, this is a cryptographic vulnerability that can be exploited.
I suppose you could say that it’s not really a zero-day because it was responsibly disclosed rather than found in use “in the wild”.
But I’m sticking with zero-day nevertheless. One of the discoverers had stated that the paper would be publishing “in 14 hours”, meaning as soon as 9.3 dropped (which is now has). So for most people it’s as close to a zero-day as matters, meaning that I’d suggest you patch at once. (I already did.)
I’m satisfied that my coverage was *not* hype, not least because I carefully wrote, “this is not a trivial attack; it doesn’t break open any of your Apple accounts to give open access to crooks; and it doesn’t let an attacker download all your digital treasures in one go. As far as we can see, you get one photo or video each time you mount the attack.”
That’t not hype in my book…and this *is* my book, or at least my article, so I’m not changing it on your say-so.
not hype in my book…and this *is* my book
heheh, still chucklin’
I’m very grateful to have received the news of this article well ahead of the actual update arriving. I like to have the heads up, so to speak.
The update was available to me on 21st March in the morning AEDST. Quite a simple one but a difference at the end where I had to sign back in with my password, etc. I always feel great when I’ve completed an Apple update as know I’m good to go so to speak!
I don’t understand why some have to criticise every other helpful article that is produced when I feel so happy to get the information, and…….all for nothing. But maybe I’m too easy to please.
Anyway thank you for all your excellent ongoing work…….you make a difference to me.
iOS 9.3 is now available, including a fix for this vulnerability, identified as CVE-2016-1788. Check out all the security updates on Apple’s support article here: https://support.apple.com/en-us/HT206166
There are a LOT of other CVE fixes in there too. the libxml CVEs look significant enough to warrant an immediate update also, in my opinion.
Previous comment dubbing this hype and dispariging the article quality is unfair. This particular CVE was responsibly disclosed, and Mr. Ducklin had limited information available, (or if he had all information on the subject he chose to ALSO be responsible about not disclosing in advance of a patch) so that response is unfair.
No, it’s not a SLE, but I want every known hole plugges AS SOON as possible, don’t the rest of you? It’s not as if we don’t know that state actors and every for-profit Internet criminal cartel on the planet would like to have working iOS exploits…