In mid-March, during the FBI vs. Apple scandal surrounding the encrypted San Bernardino iPhone, a report revealed that security researchers from Johns Hopkins University were able to access photos and videos in iMessage conversations, even though they were encrypted. The same university came up with a different attack against the same iMessage, one that allowed them to access content that should be protected by the strong encryption Apple advocates.
The good news is that the security holes have already been patched. You just have to run the latest versions of iOS and OS X. However, the researchers recommend that Apple replace its iMessage encryption with one that eliminates potential weaknesses.
The security issue, called a “ciphertext attack,” would let an attacker access certain types of payloads and message attachments as long as at least one of the people involved in a conversation is still online.
The researchers discovered that Apple doesn’t rotate encryption keys at regular intervals like modern protocols do, which means a hacker could even break into older conversations that are backed up to the cloud.
“Overall, our determination is that while iMessage’s end-to-end encryption protocol is an improvement over systems that use encryption on network traffic only (e.g., Google Hangouts), messages sent through iMessage may not be secure against sophisticated adversaries,” the researchers wrote.
While average hackers might not be able to pull off such tricks, nation states would have the resources needed to do it. The process did involve gaining access to Apple’s servers or using stolen TLS certificates.
As MacRumors notes, law enforcement would be able to retrieve data from encrypted messages using this flaw by simply issuing a court order to force Apple to provide access to their servers.
Apple was notified of the issues as early as November 2015 and patched them in iOS 9.3 and OS X 10.11.4. It also worked with the researchers to push out other fixes to several of its products.
More details about this security issue are available at this link.