When Apple released its iOS Security Guide for public consumption, it was an unprecedented look inside the security architecture behind its products. For cryptographer and professor Matthew Green and a team of four Johns Hopkins University graduate students, it was a road map to understanding not only how secure Apple’s iMessage messaging application was, but also one that helped them uncover a handful of significant vulnerabilities that can be exploited to put the contents of encrypted messages at risk to advanced attackers.
The vulnerabilities were patched today with the release of iOS 9.3 and an updated version of OS X. Of perhaps larger importance is the context they bring to the ongoing Apple-FBI legal fight over encryption. The team of Green and students Ian Miers, Christina Garman, Gabriel Kaptchuk and Michael Rushanan demonstrated how a well-resourced attacker could pick apart flaws in what is widely considered the most secure commercial messaging platform to get at messages sent to a target phone. They contend that the FBI’s court order for the introduction of intentionally weak crypto, or other proposals such as key escrow, aren’t necessary when security issues like these can be ferreted out.
“This won’t get you access to data on the phone. The real point, to put this in context, is that crypto is hard. iMessage is considered the gold standard of how to do this, and Apple has crypto engineers that are among the best in the business, and they got this wrong,” said Miers. “If they can make these kinds of mistakes, think about how many things could go wrong if you add complex mechanisms like key escrow and backdoors. How much worse would you make it by weakening things? You can’t take for granted that crypto works all the time and plan policy things above it.”
The flaws found by the Johns Hopkins researchers date back to iMessage’s inception, Miers said. The team found a weak spot in the encryption protocol that iMessage uses in all of its applications, one that Green spotted in the iOS Security Guide.
“There’s a diagram describing the way the encryption is structured; there’s a subtle oversight in the way it’s done,” Miers said. Rather than authenticate the encrypted portion of an iMessage, Apple opted to sign each message with an ECDSA signature. Those signatures can be attacked, the researchers said, putting at risk not only messages in transit but also undelivered messages stored on Apple’s servers, which Apple retains for up to 30 days.
The vulnerabilities were privately disclosed in November and were addressed in today’s iOS and OS X (10.11.4) updates in a number of different ways, including the enforcement of certificate pinning across all channels used by iMessage, and the removal of compression used for attachments from iMessage composition.
From the Johns Hopkins paper:
“Our results show that an attacker who obtains iMessage ciphertexts can, at least for some types of messages, retrospectively decrypt traffic. Because Apple stores encrypted, undelivered messages on its servers and retains them for up to 30 days, such messages are vulnerable to any party who can obtain access to this infrastructure, e.g., via court order, or by compromising Apple’s globally distributed server infrastructure. Similarly, an attacker who can intercept TLS using a stolen certificate may be able to intercept iMessages on certain versions of iOS and Mac OS/X that do not employ certificate pinning on Apple Push Network Services (APNs) connections.”
Miers explained that the team’s proof-of-concept attack against the latest versions of iMessage on iOS or OS X required that an attacker be on Apple’s system or be in a man-in-the-middle position against TLS traffic in order to obtain iMessage ciphertext sent or received by a client. Their attack, while silent, required them to slightly edit an intercepted iMessage up to 130,000 times in order to study subtle changes in the response and to learn more about the encryption key. The attack took 72 hours—it could likely be optimized and the time lowered—and once they were successful, they were able to use the key to decrypt the photo or video attachment to the iMessage communication.
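The two ingredients the article describes, a ciphertext that is signed but not authenticated, and a receiver whose responses change depending on what an edited ciphertext decrypts to, can be shown side by side with a small model. The following is an added example and is not code from the article, the Johns Hopkins paper, or Apple; it is not iMessage’s protocol. It assumes a toy counter-mode stream cipher built from SHA-256 (a stand-in for a real cipher), constructed demo keys, and two hypothetical receivers: one that decrypts and then parses, and one that verifies an HMAC-SHA256 tag before touching the ciphertext. The point it makes is the design lesson from the text: without an integrity check on the encrypted portion, a single-byte edit made with no knowledge of the key changes the plaintext and is accepted, and the receiver’s reply then leaks information; with encrypt-then-MAC (or an AEAD mode in a real design), every edited message gets one uniform rejection and the oracle disappears.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo keys and nonce (not Apple's and not from the paper); fixed so
# that the results are reproducible.
DEMO_ENC_KEY = bytes(range(32))
DEMO_MAC_KEY = bytes(range(32, 64))
DEMO_NONCE = b"demo-nonce-01"
TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from SHA-256 (toy stand-in for AES-CTR)."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse) with no integrity protection."""
    return bytes(d ^ k for d, k in zip(data, _keystream(key, nonce, len(data))))


def tamper_without_key(ciphertext: bytes, index: int, old_byte: int, new_byte: int) -> bytes:
    """Malleability of an unauthenticated stream cipher: XORing one ciphertext
    byte with old^new turns that plaintext byte from old_byte into new_byte.
    No key is involved, which is why the receiver must check integrity itself."""
    c = bytearray(ciphertext)
    c[index] ^= old_byte ^ new_byte
    return bytes(c)


def unauthenticated_receiver(ciphertext: bytes) -> str:
    """Hypothetical receiver that decrypts first and parses second. Its reply
    depends on the decrypted content, so each edited ciphertext yields an
    observable difference of the kind the article describes being studied."""
    pt = stream_xor(DEMO_ENC_KEY, DEMO_NONCE, ciphertext)
    return "ok" if pt.startswith(b"MSG:") else "bad-header"


def seal(plaintext: bytes, enc_key: bytes = DEMO_ENC_KEY,
         mac_key: bytes = DEMO_MAC_KEY, nonce: bytes = DEMO_NONCE) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so any edit to the
    ciphertext invalidates it. A real design would use an AEAD such as AES-GCM."""
    ct = stream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(blob: bytes, enc_key: bytes = DEMO_ENC_KEY,
                mac_key: bytes = DEMO_MAC_KEY, nonce: bytes = DEMO_NONCE) -> Optional[bytes]:
    """Verify the tag in constant time before decrypting anything; return None
    on any mismatch so the caller can emit a single uniform rejection."""
    if len(blob) < TAG_LEN:
        return None
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return stream_xor(enc_key, nonce, ct)


def authenticated_receiver(blob: bytes) -> str:
    """Hypothetical receiver that checks integrity first: tampered input gets
    one reply regardless of what the altered plaintext would have been."""
    pt = open_sealed(blob)
    if pt is None:
        return "rejected"
    return "ok" if pt.startswith(b"MSG:") else "bad-header"


if __name__ == "__main__":
    msg = b"MSG:pay alice 100"  # constructed sample message
    ct = stream_xor(DEMO_ENC_KEY, DEMO_NONCE, msg)
    print(unauthenticated_receiver(ct))                                            # ok
    print(unauthenticated_receiver(tamper_without_key(ct, 0, ord("M"), ord("X"))))  # bad-header (reply leaks)
    sealed = seal(msg)
    print(authenticated_receiver(sealed))                                          # ok
    print(authenticated_receiver(tamper_without_key(sealed, 0, ord("M"), ord("X"))))  # rejected
```

The design choice worth noting is the order of operations in `open_sealed`: the tag is checked over the ciphertext before any decryption or parsing, so a modified message never reaches code whose behaviour could vary with the plaintext. A signature from the sender over the ciphertext does not substitute for this check, because the receiver’s decision to accept must be tied to an integrity key that the party editing the message does not control.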
“The hardest part is getting your hands on the message to start with,” Miers said. “It requires you to have the ability to coerce, hack or subpoena Apple, or break TLS.” For older versions of iMessage, an attacker could steal or forge a certificate from Apple in order to break TLS. The researchers built a customized version of pushproxy for their PoC that mimicked an Apple server. The proxy allowed them to carry out local attacks against devices on the same network, but if an attacker could pull off the same attack against Apple’s infrastructure, the attacks could be done remotely, the researchers said in their paper. The team said that in most cases they were able to recover up to 224 bits of the key via their attack, and used a brute-force search on commodity hardware to obtain the remainder of the secret key.
“The main point is that the sky is not falling with this,” Miers said. “We shouldn’t forget that crypto is not easy to get right, and that adding backdoors and complexity would only cause more problems.”