Johns Hopkins researchers poke a hole in Apple’s encryption

“A group of Johns Hopkins University researchers has found a bug in the company’s vaunted encryption, one that would enable a skilled attacker to decrypt photos and videos sent as secure instant messages,” Ellen Nakashima reports for The Washington Post.

“This specific flaw in Apple’s iMessage platform likely would not have helped the FBI pull data from an iPhone recovered in December’s San Bernardino, Calif., terrorist attack, but it shatters the notion that strong commercial encryption has left no opening for law enforcement and hackers, said Matthew D. Green, a computer science professor at Johns Hopkins University who led the research team,” Nakashima reports. “Cryptographers such as Green say that asking a court to compel a tech company such as Apple to create software to undo a security feature makes no sense — especially when there may already be bugs that can be exploited.”

“‘Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right,’ said Green, whose team of graduate students will publish a paper describing the attack as soon as Apple issues a patch. ‘So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right,'” Nakashima reports. “”

Read more in the full article here.

MacDailyNews Take: Every bug found is a bug that can be squashed.

Apple works hard to make our software more secure with every release. We appreciate the team of researchers that identified this bug and brought it to our attention so we could patch the vulnerability… Security requires constant dedication and we’re grateful to have a community of developers and researchers who help us stay ahead. — Apple’s statement to the Post

[Thanks to MacDailyNews Reader “Lynn Weiler” for the heads up.]


  1. Note how these researchers worked this all out for themselves independently without trying to force Apple to make a little back door for them.

    If the government forces Apple to weaken the encryption in iPhones, everybody will know that there is a built-in weakness and teams like this will redouble their efforts to find a way in and won’t give up until they succeed. On the other hand, if Apple believes their encryption is secure and are allowed to keep it secure, then Apple is able to close off loopholes when they become aware of them. If there is a government mandated back door, Apple won’t necessarily be allowed the freedom to change the way that it functions once the partial security is breached.

  2. What happens when that FBI-mandated back-door is used by some hacking team in China, Russia, Iran or North Korea to gain access to the confidential communication between various engineers or officials involved with highly classified defense projects?

    Forget that; what happens when terrorists use the same back-door to get confidential information about the movements of a high-level official?

    “Just this phone, just this one time” is a line that might only work on kids. As Cook, and many others, have said, backdoor is a backdoor; it will be an opening just as big and wide for the bad guys as it is for the good guys.

    1. This is the strongest argument when talking to police-state lovers: the police and other government agencies will be made just as vulnerable if back-doors are created. Even if these people don’t care about freedom and privacy, any broken encryption is more likely to HURT security and safety than it is to help.

      1. The problem with police-state lovers is that they love the war. They don’t care about causalities or victims. They love both wins and losses because the latter allow them to ask for even more control.

  3. “Susan Landau of Worcester Polytechnic Institute recommends that the government also disclose the bugs to the software-maker.”

    That’s a great idea, I’m sure any government from the free and civilized world would consider that.

  4. AI: Intrusion alert, bug found, by:John Doe
    Instruction: eliminate John Doe
    AI: Intrusion alert, bug found, by:John Smith
    Instruction: eliminate all
    Solution? No more bugs/intrusions

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.