The researchers disclosed their work to Apple in November, and the release of iOS 9.3 and OS X 10.11.4 removes some exploits and makes others dramatically harder to take advantage of. The paper’s authors include Matthew D. Green, a cryptographer known for his research on privacy-preserving cryptographic protocols, including Bitcoin.
A story by the Washington Post appeared on 20 March, inadvertently disclosing the work ahead of time. The story was quickly pulled but later republished once the early disclosure became clear. PCWorld held back some technical details from the initial version of this story at the researchers’ request, until Apple’s updates were out.
So how did the attack begin? The researchers found the weakest point in iMessage to be how it handles messages above a certain length, which the paper refers to as "long iMessages" and which can include runs of text and attachments, such as images.
Effectively, they can intercept encrypted data (see next question) sent from iOS and OS X to an iMessage server, then perform an enormous number of operations to extract information that lets them decrypt the attachment in a reasonable amount of time, using a standard Mac for part of the process and inexpensive, fast commodity hardware for the remainder.
The main flaw the paper covers stems from the way in which attachments are losslessly compressed (replacing recurring patterns with short codes), validated, and addressed to others. The researchers could predict some parts of a message and knew other parts precisely, which allowed them to substitute new values for known or guessed ones in the raw encrypted stream, or “ciphertext.”
That flaw could be exploited only because they were also able to check whether their substitutions were correct: Apple lets the iMessage software validate attachment requests locally in OS X (or iOS), without any limit on the number of attempts and without consulting its servers or tripping any alarms or restrictions.
The researchers ultimately were able to show they could insert additional recipients (who were one-letter-off variants of a legitimate recipient) into an attachment’s delivery list, recover an attachment’s raw ciphertext, attack it, recover its unique encryption key, and decrypt it.
Because of how iMessage in OS X handles testing a message’s validity, the paper describes having to wait nearly half a second between checks. However, only about 262,000 (2^18) operations were required, taking roughly 35 hours. That allowed extracting enough of the encryption key that the remaining cracking could be shifted to high-performance hardware.