Apple’s iMessage has long been lauded as the first mainstream chat application to use end-to-end encryption. However, cryptography professor Matthew Green and his team of students at Johns Hopkins University discovered that iMessage’s encryption is actually hardly any better than regular TLS network encryption.
Earlier this year, after doing an overview of iMessage’s security architecture, Green concluded that the iMessage end-to-end encryption was fundamentally broken. He also recommended that Apple switch to the Signal protocol or another modern alternative to iMessage’s protocol.
At the Usenix Security Symposium this week, professor Green and his team presented a more thorough analysis of the iMessage protocol and potential attacks against it. The team of researchers had to reverse-engineer Apple’s iMessage clients to uncover these vulnerabilities. Apple doesn’t offer much documentation for iMessage other than a high-level overview of the protocol, and the client apps are closed source.
The researchers identified a practical adaptive chosen ciphertext attack, which allowed them to decrypt certain iMessage payloads and attachments, provided that the sender’s or the receiver’s device is still online. To test the attack, the team also created a proof-of-concept exploit showing that the attack could be carried out remotely and silently against any iMessage user.
The researchers noted that they had to use novel exploit techniques to create a chosen ciphertext attack against ciphertexts that contain gzip compressed data. They believe this type of attack could be used against other encryption protocols, as well. Now would probably be a good time for other chat application providers to check whether this type of attack, which the researchers described in their paper in more detail, can be used against their own apps.
iMessage’s Biggest Weakness
The attack described by the Johns Hopkins researchers is retrospective, meaning an attacker can decrypt messages that were encrypted in the past. This wouldn’t be such a big issue if Apple didn’t store both undelivered messages (for up to 30 days) and iCloud-backed-up messages on its servers. Because it does, though, a sophisticated attacker can use an attack like this to access those messages.
It also exposes the messages to decryption under court order, because Apple itself is able to decrypt any iCloud backup. Users have the option to disable iCloud backups, but because iMessage backups can’t be enabled or disabled individually, they would have to disable iCloud backup for their other files as well. However, even with iCloud sync disabled, undelivered messages are still stored for 30 days.
Green’s team also warned that an attacker could steal a certificate and then decrypt iMessages on certain versions of iOS and macOS that don’t support certificate pinning. The researchers believe these types of threats are realistic, given how many people use iMessage all over the world, not to mention the attention Apple’s devices and services have been getting from various national governments.
Lack Of Forward Secrecy
Ever since Edward Snowden released the NSA documents, an encryption mechanism called “forward secrecy” has become significantly more popular with service providers. The mechanism automatically rotates the encryption keys at regular intervals, and once it switches to a new key, past data can no longer be decrypted.
This has been a main feature of end-to-end encryption protocols such as Off-The-Record (OTR) and Signal, but Green said iMessage lacks it completely. The lack of forward secrecy means that if someone steals an iOS or macOS device and unlocks it, they can then decrypt past conversations from those devices.
The researchers also criticized Apple for using non-standard encryption that appears to be implemented in a rather ad hoc manner. Moreover, Apple doesn’t use a properly authenticated symmetric encryption algorithm and instead relies on a digital signature to prevent tampering. This is what makes possible the chosen ciphertext attacks that can recover the full contents of some messages.
Green once again recommended that Apple entirely replace iMessage with a new messaging system that’s been properly designed and verified. However, he realizes that Apple has to maintain some sort of backwards compatibility for the hundreds of millions of users that would continue to use iMessage even if Apple did create a new messaging app.
Because of that, he and his team also proposed some “short-term patches” for iMessage that can make the older iMessage clients a little more secure, as well as some long-term ones that will break iMessage’s compatibility with the old clients.
The short-term patches for the old clients include:
- Duplicate RSA ciphertext detection, which means Apple will have to maintain a list of previously received RSA ciphertexts
- Regeneration of encryption keys and the destruction of message logs
- Pin Apple Push Notification Service Daemon and Messages certificates
- Reorganize message layout in a way that can block the type of attacks Green talks about in his paper
The long-term changes that were proposed in the paper include:
- Completely replace iMessage’s encryption with a well-studied construction such as OTR or Signal
- Adopt AES-GCM authenticated encryption for TLS traffic
- Place the protocol versioning information in the public key block and the authenticated portions of the ciphertext to prevent downgrade attacks
- Implement key transparency (Apple’s centralized key server is a major weakness of iMessage’s protocol)
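As an added illustration of the point made above about unauthenticated symmetric encryption and the proposed move to AES-GCM (example code written for this article, not code from the paper or from Apple): an unauthenticated mode such as AES-CTR hands back a silently altered plaintext when the ciphertext is modified in transit, while an authenticated mode rejects the modified ciphertext outright. The key, IV, nonce and message are constructed values; a real system must use a fresh random nonce per message.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed, fixed values so the example is deterministic (never reuse a nonce in practice).
var key = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
var ctrIV = []byte("0123456789abcdef")               // 16 bytes: one AES block
var gcmNonce = []byte("0123456789ab")                // 12 bytes: standard GCM nonce

// ctrEncrypt encrypts with AES in CTR mode, which provides no integrity protection.
func ctrEncrypt(plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, ctrIV).XORKeyStream(out, plaintext)
	return out
}

// ctrDecrypt is the same keystream XOR; it can never report that the ciphertext was altered.
func ctrDecrypt(ciphertext []byte) []byte { return ctrEncrypt(ciphertext) }

// gcmEncrypt encrypts with AES-GCM, which appends an authentication tag to the ciphertext.
func gcmEncrypt(plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead.Seal(nil, gcmNonce, plaintext, nil)
}

// gcmDecrypt verifies the tag first and returns an error if any byte was changed.
func gcmDecrypt(ciphertext []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead.Open(nil, gcmNonce, ciphertext, nil)
}

// flipByte returns a copy of ct with one bit of byte pos inverted, standing in for
// any modification of the ciphertext between sender and receiver.
func flipByte(ct []byte, pos int) []byte {
	out := append([]byte(nil), ct...)
	out[pos] ^= 0x01
	return out
}

func main() {
	msg := []byte("meet at noon")
	fmt.Printf("CTR, tampered ciphertext decrypts to: %q\n", ctrDecrypt(flipByte(ctrEncrypt(msg), 0)))
	_, err := gcmDecrypt(flipByte(gcmEncrypt(msg), 0))
	fmt.Println("GCM, tampered ciphertext rejected:", err)
}
```

With CTR the flipped ciphertext byte decrypts to a plaintext that differs only in that byte, so a receiver that checks nothing else accepts it; with GCM the Open call fails and no plaintext is released.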
The researchers said that they have reported all of these vulnerabilities to Apple, and the company has already implemented most of the proposed short-term patches such as the duplicate RSA ciphertext detection and certificate pinning (only for iOS 9+ clients), and it removed gzip compression. However, Green and his team stressed that Apple should eventually do a major overhaul of the iMessage protocol while following their proposed long-term changes.