The revelation comes as British singers Adele and One Direction's Harry Styles reportedly became the latest celebrities to have private photos leaked online – Styles via an iCloud account hack and Adele through an email compromise.
Apple is promising to patch the flaw found by the John Hopkins team in today's release of iOS 9.3, and the researchers, led by Professor Matthew Green, are refusing to give full details of the bug until then.
But they say the 0-day allows attackers – or police - to view iCloud photos and videos being sent as instant messages via Apple iMessage, by brute-force guessing the required decrypt key.
Green told The Washington Post on Sunday that he first suspected there was a flaw in iMessage's encryption last year, and alerted Apple. But when no patch emerged, his graduate students set about mounting a successful attack.
They used an old phone to target a secure message that linked to a photo held on the iCloud server. After writing software that mimicked an Apple server, they uncovered the 64-bit decrypt key by brute-force guessing each digit in turn. The phone confirmed every correct guess, so after thousands of attempts they had the whole key.
The team then retrieved the photo from Apple's server and say if it had been a genuine attack, the user would not have known.
But their technique cannot help the FBI crack the encrypted iPhone of notorious San Bernardino terrorist Syed Farook – because messages have to intercept in transit. And Green pointed out the 0-day highlights more basic encryption flaws than the ‘backdoor' Apple is currently refusing to give the FBI in this case.
“It scares me that we're having this conversation about adding back doors to encryption when we can't even get basic encryption right,” he told The Washington Post.
Green said a modified version of the attack would work on recent Apple operating systems, but would likely require the hacking skills of a nation-state. Users should still update their devices to iOS 9.3, otherwise their phones and laptops could be vulnerable, he said.
Ahead of the researchers releasing full details of the 0-day, team member and graduate student Ian Miers sent out teasing messages on Twitter yesterday, saying: “Now you have 14 hours to guess what the attack is. As a hint, it's not a bug in how Apple stores or encrypts attachments. The attack is more interesting than just attachments and affected more than just iMessage. Apple had to fix other apps, but won't say what.”
An Apple spokesperson confirmed to SC that it partly fixed the flaw last year with the release of iOS 9, and will fully stop the attack through security improvements in iOS 9.3, due out today.
The company said in a statement: “Apple appreciates the team of researchers that identified this bug and brought it to our attention so we could patch the vulnerability.”
Commenting on the 0-day, Blue Coat security strategy director Robert Arandjelovic told SC via email: “There is always a risk for human error in even the most robust encryption mechanisms. The risk increases when the encryption is based on a proprietary scheme, as there are fewer eyes to identify the flaw. However, encryption is still the best option for securing data and we should not be looking at this as another excuse to avoid encrypting sensitive data.
“The lesson is that the security community need to work together to resolve these vulnerabilities as quickly as possible. Researchers should – as the Johns Hopkins team did here – fully disclose the vulnerability to the vendor. Vendors need to quickly turn around fixes. End-users need to be vigilant with their patch processes. The inability to rapidly apply security fixes remains a major security issue for most organisations, and is a significant contributing factor in large-scale cyber-attacks.
News of the 0-day comes as British celebrities have been targeted in more iCloud and email hacks.
Multiple Brit Award winner Adele has had photos - including a baby scan and pictures of her three-year old son - leaked online after her partner Simon Konecki's email account was reportedly breached, said The Sun on Sunday.
And over 30 photos of One Direction singer Harry Styles and model Kendall Jenner have been leaked on Twitter by a hacker who reportedly stole them from the iCloud account of Styles' mother, Anne Cox.
This follows last year's ‘Celebgate' scandal when nude photos and videos of celebrities - including actresses Jennifer Lawrence, Kate Upton and Mary Elizabeth Winstead - were leaked online. Last week, 36-year-old Ryan Collins from Pennsylvania pleaded guilty to hacking at least 50 iCloud and 72 Gmail accounts of the celebrities. He emailed his victims, pretending to be from Apple or Google.
Commenting on the invasion of Adele's privacy, ESET security specialist Mark James said via email: “It's likely the email account was compromised either through a phishing attack or insecure password. Email scams are very rife at present.”
Brian Spector, CEO of MIRACL, said: “Although this is a horrible invasion of Adele's privacy, maybe it will at least raise awareness to the general public about the vulnerability of all our digital data.”
Jonathan Sander, VP of product strategy at Lieberman Software, said: "What's interesting about this breach of Adele's privacy is how closely it follows the pattern typical corporate breaches. They suspect the attacker gained access through a poorly secured partner's access. The breach itself was discovered by a third party and reported to the unsuspecting victim. These details closely mirror many corporate breaches and Target in particular, breached through their business partner and told by a third party."
Is Zero Trust really achievable given the complexity in finance service organisations?
Brought to you in partnership with Forescout