The Apple iMessage protocol has been shrouded in secrecy for years now, but a pair of security researchers have reverse-engineered the protocol and found that Apple controls the encryption key infrastructure for the system and therefore has the ability to read users’ text messages–or decrypt them and hand them over at the order of a government agency.
The iMessage system is Apple’s proprietary text system, which works only among iOS devices. It uses a series of servers owned by Apple that receive and forward messages. Those messages are sent via Apple’s PUSH notification service, which keeps an IP connection open all the time to check for new notifications and display messages. Each iPhone, iPod or other iOS device serves as a PUSH client, and they communicate with Apple’s servers over SSL. The researchers found that while that basic framework makes sense from a security point of view, there are a number of issues with the iMessage system.
One major issue is that Apple itself controls the encryption key infrastructure used for iMessage, and has the keys for each individual user. The upshot of this is that Apple has the ability to read users’ messages if it so chooses. The researchers who looked at iMessage, known as Pod2g and GG, said that there is no evidence that Apple is in fact reading users’ iMessages, but it’s possible that the company could. Users’ AppleID passwords also are sent in clear text to the Apple servers.
“What we are saying: Apple can read your iMessages if they choose to, or if they are required to do so by a government order. As Apple claims, there is end-to-end encryption. The weakness is in the key infrastructure as it is controlled by Apple: they can change a key anytime they want, thus read the content of our iMessages,” the pair, who work for Quarkslab, wrote in a long analysis of the iMessage protocol.
“Also remember that the content of the message is one thing, but the metadata are also sensitive. And there, you rely on Apple to carry your messages, thus they have your metadata.”
Because the iMessages go through Apple’s servers, the company essentially has a man-in-the-middle position on all of the communications among those devices. The company uses proper encryption to protect the communications, but the Quarkslab researchers discovered that Apple does not use certificate pinning for iMessage, meaning that the system is open to a MiTM attack by outside attackers. During their research, Pod2g and GG were able to create a new certificate authority, add it to an iPhone keychain and then proxy the SSL communications to and from the device. Certificate pinning is the process of associating a given host with a specific certificate (or, more commonly, with its public key). That way, if a browser or other client encounters a certificate for a host that isn’t the expected one, it can reject it and warn the user of the problem, even when the unexpected certificate chains to a CA the device trusts. Google, for example, uses certificate pinning for many of its Web properties.
“I guess they just didn’t get around to it. There’s no great reason, I think they just didn’t do it. The Twitter app does, which is kind of ironic because Twitter isn’t typically handling your sensitive information,” said Matthew Green, a cryptographer and research professor at Johns Hopkins University.
The lack of certificate pinning for iMessage is troubling, the researchers said, as it opens the door for attackers to create a forged CA, and if they can get it onto a device or devices, proxy all of the supposedly encrypted communications. This is especially problematic in enterprise environments that employ Apple’s iPhone Configuration Utility, which enables enterprises to manage iPhones centrally. An attacker could install his CA at enrollment on all of the target devices.
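The check described above, as an added example that is not code from Quarkslab or Apple: a Go client-side pin verifier of the kind that would have stopped the injected-CA proxy, exercised against two constructed certificate chains. It assumes the pin set holds the SHA-256 of the genuine server key's SubjectPublicKeyInfo; the host name push.example.invalid and the certificates are made up here and are generated on the fly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// VerifyPinned has the shape of tls.Config.VerifyPeerCertificate: Go runs it after the normal
// chain validation and a returned error aborts the handshake. A CA the device trusts (even one an
// attacker added) can mint a chain that validates, but it cannot produce a certificate with a pinned key.
func VerifyPinned(pins map[[32]byte]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		for _, raw := range rawCerts {
			if c, err := x509.ParseCertificate(raw); err == nil && pins[sha256.Sum256(c.RawSubjectPublicKeyInfo)] {
				return nil // a pinned key is present; unparsable certificates never match
			}
		}
		return errors.New("certificate pin mismatch: no pinned key in presented chain")
	}
}

// mint issues a throwaway P-256 certificate for the demo; parent == nil means a self-signed CA.
func mint(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// Scenario pins the genuine server key, then checks a genuine chain and a chain minted by an injected CA (constructed).
func Scenario() (genuineErr, rogueErr error) {
	realCA, realKey := mint("Genuine Root", nil, nil)
	realLeaf, _ := mint("push.example.invalid", realCA, realKey)
	rogueCA, rogueKey := mint("Injected CA", nil, nil)
	rogueLeaf, _ := mint("push.example.invalid", rogueCA, rogueKey)
	check := VerifyPinned(map[[32]byte]bool{sha256.Sum256(realLeaf.RawSubjectPublicKeyInfo): true})
	return check([][]byte{realLeaf.Raw, realCA.Raw}, nil), check([][]byte{rogueLeaf.Raw, rogueCA.Raw}, nil)
}
```

In a real client the function returned by VerifyPinned is set as VerifyPeerCertificate on the tls.Config used for the connection, so the injected CA's chain is refused even though the keychain trusts it.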
“All communications to Apple’s servers are made through a secure SSL tunnel. We do not need to know what protocol is used or how packets are forged. The first thing we want to try when we see that is adding a certificate to perform a MITM. We were actually very surprised it worked as easily, which means there is no certificate pinning. We created a fake CA, and added it to the iPhone keychain. Then, we could [proxy] communications much more easily. When a SSL communication arrives to the proxy, we generate a certificate signed by the newly added CA, and everything becomes unencrypted,” the researchers said.
The researchers put together several scenarios through which an attacker could intercept iMessage transmissions through a MiTM attack. They also developed a tool called iMiTMProtect that can defeat certain of these attacks on OS X devices. Green of Johns Hopkins said that there are other methods that Apple could have used for the key infrastructure to avoid some of these problems.
“Companies like Silent Circle do real end-to-end key management and OTR (Off the Record) messaging. So all of these instant message things that use OTR-like protocols, they do end-to-end key establishment. The idea there is that the two parties establish keys without any central directory. And then what you’re supposed to do is either compare a key fingerprint over another phone line or you’re supposed to check – Silent Circle has an authentication string – so you’re supposed to read this string back and forth over the phone. That is the alternative way. That is the decentralized version of this where you don’t have to trust Apple or some centralized server. And maybe that’s too hard for some people, but a lot of people will use OTR; it’s pretty easy to use. It certainly wouldn’t be so hard to add something like that as an optional feature for security-conscious people into iMessage. Definitely you can do better,” Green said.