Security has always been a primary concern for Apple, and now it has taken steps to secure its iMessage users. A new report published on Patently Apple states that the technology company has fixed the iMessage protocol after several issues were discovered by a team of researchers at Johns Hopkins University.
Johns Hopkins cryptography professor Matthew Green and a group of his students discovered that iMessage has a paramount fault that can’t be permanently fixed. Green suggested that, for the sake of its users’ security, Apple must replace its iMessage encryption.
Matthew Green said: “This discovery is all the more important now, at a time when the U.S. government is arguing that technology companies shouldn’t use strong encryption and security for devices if that means the devices and communications can only be decrypted by the users themselves.”
Green also said that even though Apple had proficient cryptography experts design the iMessage protocol, they still couldn’t get it quite right. This shows how hard security is, even without having to worry about government-mandated backdoors.
The faults found allow more sophisticated attackers to decrypt picture and video attachments sent over iMessage. Although this attack has been made more difficult on recent iOS devices thanks to certificate pinning, someone with access to Apple’s servers could still intercept and decrypt those attachments. End-to-end encryption is not supposed to be affected by a compromise of the server, which is why iMessage’s claim to be “end-to-end encrypted” is called into question.
iMessage was praised by Green for being the first widely used messenger to even come close to end-to-end encryption back in 2011. iMessage has always had a centralized key server, which is a major weakness and a “feature” that’s not common on end-to-end encrypted services. Green thinks that although this remains a major weakness for iMessage, attacking the key server would mean having the ability to actively manipulate Apple’s infrastructure without getting caught.
In the context of an end-to-end encrypted messenger, which should never have this issue at all, an even more significant problem would be if an attacker could also recover messages that have already been sent. And that is indeed what Green and his students discovered is possible.
How the iMessage crypto enables the attack
Apple doesn’t authenticate the encrypted messages, which allows them to be tampered with. The company only uses an ECDSA signature, which can be replaced by a man-in-the-middle attacker with access to Apple’s Push Notification Service server. As a result, such an attacker is able to meddle with the original message and modify it.
As per the information from another source, Ian Miers, one of Green’s students, offered a short-term fix for this attack. The one part of an iMessage ciphertext that isn’t vulnerable to tampering is the RSA-OAEP portion, so the receiver can keep a cache of recently received RSA ciphertexts and reject any repeated ciphertext.
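The replay cache described above, as an added illustration that is not Apple’s or the researchers’ code: the message layout (a fixed-size RSA-OAEP portion followed by the AES body) and the 256-byte RSA portion length are assumptions made for the example. A resent message whose RSA portion is unchanged, even with its AES body modified, is rejected before any decryption work is done.

```python
import hashlib
from collections import OrderedDict

RSA_PORTION_LEN = 256  # assumed size of the RSA-OAEP-wrapped key (2048-bit RSA)


class ReplayCache:
    """Bounded, insertion-ordered cache of recently received RSA-OAEP ciphertexts.

    Entries are stored as SHA-256 digests, so each remembered message costs a
    fixed 32 bytes regardless of the RSA modulus size.
    """

    def __init__(self, max_entries: int = 10_000) -> None:
        self.max_entries = max_entries
        self._seen: "OrderedDict[bytes, None]" = OrderedDict()

    def is_fresh(self, rsa_ciphertext: bytes) -> bool:
        """Record the ciphertext and return True if unseen, False if repeated."""
        digest = hashlib.sha256(rsa_ciphertext).digest()
        if digest in self._seen:
            return False
        self._seen[digest] = None
        if len(self._seen) > self.max_entries:
            self._seen.popitem(last=False)  # evict the oldest entry
        return True


def split_message(blob: bytes) -> tuple:
    """Split the constructed layout: RSA-OAEP portion first, then the AES body."""
    if len(blob) <= RSA_PORTION_LEN:
        raise ValueError("message too short to hold an RSA portion and a body")
    return blob[:RSA_PORTION_LEN], blob[RSA_PORTION_LEN:]


def receive(cache: ReplayCache, blob: bytes) -> str:
    """Apply the replay check before attempting to unwrap the key or decrypt."""
    rsa_portion, _aes_body = split_message(blob)
    if not cache.is_fresh(rsa_portion):
        return "rejected: repeated RSA-OAEP ciphertext"
    return "accepted"


def demo() -> list:
    cache = ReplayCache()
    original = b"\x01" * RSA_PORTION_LEN + b"original AES-CTR body"  # constructed
    # Same wrapped key, altered body: what a man-in-the-middle resend looks like.
    tampered = original[:RSA_PORTION_LEN] + b"modified AES-CTR body"
    fresh = b"\x02" * RSA_PORTION_LEN + b"another genuine message"
    return [receive(cache, m) for m in (original, original, tampered, fresh)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The cache is bounded, so it only protects against repeats within its window; the article's own point that this is a stopgap rather than a fix still stands.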
Moreover, Green added that this fix should be sufficient for now, but that it is ultimately a rather weak patch for a fundamentally broken cryptosystem. He recommended that Apple move away from the current iMessage encryption as soon as possible and perhaps adopt the state-of-the-art protocol already used by Signal, Silent Phone, WhatsApp, and ChatSecure.