Well-known American cryptographer Matthew Green has just announced a zero-day flaw in Apple’s iMessage, and perhaps in other online Apple services.
Green and a team of students from Johns Hopkins University in Baltimore, Maryland, figured out a cryptographic flaw in the way iPhones interact with Apple’s servers.
(To give them their due, the students are named by The Register as: Ian Miers, Christina Garman, Gabriel Kaptchuk, and Michael Rushanan.)
The hole apparently allows a determined attacker to shake loose photos and videos sent via Apple’s iMessage service by figuring out the needed cryptographic secrets bit-by-bit, photo-by-photo.
In other words, this is not a trivial attack; it doesn’t break open any of your Apple accounts to give open access to crooks; and it doesn’t let an attacker download all your digital treasures in one go.
As far as we can see, you get one photo or video each time you mount the attack, about which the abovementioned Ian Miers has tweeted “you have 14 hours to guess what the attack is.”
That tweet was 8 hours ago [as at 2016-03-21T12:30Z], so perhaps he means that Apple’s fix is coming out in six hours’ time, because the team’s paper will intentionally only be published after Apple ships its patch.
Miers also tweeted that “[t]he attack is more interesting than just attachments and affected more than just iMessage. Apple had to fix other apps, but won’t say what.”
Ah, the mystery!
How does the attack work?
All we know so far is what the Washington Post is saying, presumably based on an interview with Green:
To intercept a file, the researchers wrote software to mimic an Apple server. The encrypted transmission they targeted contained a link to the photo stored in Apple’s iCloud server as well as a 64-digit key to decrypt the photo.
Although the students could not see the key’s digits, they guessed at them by a repetitive process of changing a digit or a letter in the key and sending it back to the target phone. Each time they guessed a digit correctly, the phone accepted it. They probed the phone in this way thousands of times.
“And we kept doing that,” Green said, “until we had the key.”
That’s not terribly helpful (were they letters or digits? were they guessed one at a time? did it take just 64 guesses in sequence, or was a probabilistic approach with lots of retries required? what does ‘the phone accepted it’ mean here?), but it sounds as though the attack has something to do with some sort of “side channel” whereby different sorts of failure are reported in detectably different ways.
To open a 5-lever barrel lock, for example – the sort of lock found on many suburban doors – a crook who wants to pick it has to lift 5 individual locking pins to specific, individual heights inside the barrel, freeing it up so it can turn.
With masses of time, huge amounts of care and precision, and lots of immensely frustrating fiddling, he could try tens of thousands of different combinations until he hit the jackpot, provided he didn’t slip, or lose grip, or miss any of those combinations along the way.
But an experienced lock-picker can open a lock of that sort in minutes, and sometimes even seconds, by using feedback from the lock’s own mechanism to feel when each pin reaches the right position.
He solves the position problem for the first pin individually, using rotational force on the lock to gauge when he’s right, and then to hold the pin in place.
Then he repeats his fiddling for the second pin, and the third, and so on until the lock pops open. (Older locks are usually easier to pick because they wear out internally, so the pins “stick” in their rightful positions more readily.)
Very simply put, our lock-picker started with a multiplicative problem, with five pins each in six different positions multiplied out in any combination, and turned it into an additive problem, with five pins each solved for position one-at-a-time.
The difference in approach in our lock-picking example turns the complexity of the solution into 6+6+6+6+6 (a maximum of six choices for five pins individually) instead of 6×6×6×6×6 (six choices for all five pins tried simultaneously).
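The arithmetic above as a runnable toy model, added here as an illustration and not taken from the article or from the researchers' work. It models only the lock analogy (the function names and the per-pin feedback value are assumptions of the example), and contrasts a lock that leaks how many pins have set with one that answers only open or not open.

```python
# Added illustration: a toy model of the 5-pin, 6-position lock in the text.
# It is NOT the iMessage attack, whose details were unpublished at the time.
import itertools

PINS, POSITIONS = 5, 6


def make_lock(secret, leaky):
    """Return (try_fn, counter). A leaky lock reports how many leading pins
    are right; a sound lock answers only open / not open."""
    counter = {"tries": 0}

    def try_combo(guess):
        counter["tries"] += 1
        if not leaky:
            return guess == secret          # all-or-nothing feedback
        matched = 0
        for g, s in zip(guess, secret):
            if g != s:
                break
            matched += 1
        return matched                      # per-pin feedback: the side channel

    return try_combo, counter


def pick_with_feedback(secret):
    """Solve one pin at a time using the leaked count of set pins."""
    try_combo, counter = make_lock(secret, leaky=True)
    known = []
    for pin in range(PINS):
        for pos in range(POSITIONS):
            guess = tuple(known + [pos] + [0] * (PINS - pin - 1))
            if try_combo(guess) > pin:      # this pin has "set"
                known.append(pos)
                break
    return tuple(known), counter["tries"]


def pick_without_feedback(secret):
    """With only open / not open, combinations must be tried one by one."""
    try_combo, counter = make_lock(secret, leaky=False)
    for guess in itertools.product(range(POSITIONS), repeat=PINS):
        if try_combo(guess):
            return guess, counter["tries"]


WORST_CASE = (5, 5, 5, 5, 5)                # constructed worst-case secret
print(pick_with_feedback(WORST_CASE))       # 30 tries = 6+6+6+6+6
print(pick_without_feedback(WORST_CASE))    # 7776 tries = 6*6*6*6*6
```

The only difference between the two locks is what a failed attempt reveals, which is why a verifier should fail in one indistinguishable way no matter how close the guess was.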
What to do?
Of course, the attack mounted by Green et al. was almost certainly not as simplistic as picking a worn-out barrel lock.
But it might have some similarities: current reports suggest that some sort of feedback about individual key bits could be extracted one-at-a-time, thus turning an attack that was supposed to require unachievable zillions of guesses into one that was feasible.
Apparently, the fix is in iOS 9.3 Beta, so you’ll be able to learn about the problem and fix it at the same time when the next iOS update comes out.
While you’re waiting, you might want to read about Sophos and #nobackdoors.
As Green pointed out in his interview with the Washington Post, it’s dangerously ironic that some regulators are so keen about putting backdoors – deliberate security vulnerabilities – into encryption technology to ensure that “the right people” can get in…
…at the very same time that the world expects software vendors to get ever-faster at fixing vulnerabilities to ensure that “the wrong people” are kept out.