Apple iMessage flaw let researchers read users’ iPhone messages, report claims

The problem will be fixed in iOS 9.3, the next version of Apple’s software for iPhones and iPads, which is set to be released very soon

A flaw in Apple’s iMessage system allowed messages to be intercepted and read, according to a new report.

The encryption technology used to ensure that messages are only read by their sender and intended recipient has been broken into, allowing for the potential diversion of messages, reports the Washington Post.

The researchers said that the weakness could help Apple in its fight against the FBI, over whether or not it should be forced to break into a phone used by one of the San Bernardino shooters. The discovery shows the importance of strong security, the report claims, and researchers said that it should show the importance of encryption measures that not even law enforcement can crack.

“Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right,” said Matthew D Green, a computer science professor at John Hopkins University who led the research. “So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.”

Apple partially fixed the problem with iOS 9, the operating system for iPhones and iPads that was released late last year. But a full fix will be coming imminently, when the company releases the iOS 9.3 update.

The company said that it “appreciate[d]” the work that the Johns Hopkins researchers had done to find the bug. “Security requires constant dedication and we’re grateful to have a community of developers and researchers who help us stay ahead.”

The bug works by allowing a user to create a computer that would pretend to be an Apple server. That computer could keep probing at the phone until it correctly guessed the passcode that is meant to keep the messages safe, and once it did so it was able to see a photo stored on Apple’s iCloud server.

If a user was hit by the problem, there would have been no way of knowing, the researchers said.

The researchers haven’t yet published a paper describing exactly how the problem works, for fear that it would be exploited by malicious users. They will publish that as soon as the flaw is fixed, the Washington Post reported.

The problem was found after Mr Green read a report describing encryption and spotted a potential weakness, according to reports. He alerted the company’s engineers to his concern but the problem went unfixed, which led Mr Green to work with his graduate students to show that he could exploit the flaw himself.