Disclaimer: We may earn a commission if you make any purchase by clicking our links. Please see our detailed guide here.

Follow us on:

Google News
Whatsapp

Cryptography Expert Suggests Apple Replace Its iMessage Encryption

Ankita Pareek
Ankita Pareek
Content Writer

Join the Opinion Leaders Network

Join the Techgenyz Opinion Leaders Network today and become part of a vibrant community of change-makers. Together, we can create a brighter future by shaping opinions, driving conversations, and transforming ideas into reality.

Security has always been the primary confer for Apple – now it has taken some steps to secure its iMessage users. A new report published on Patently Apple states that the technology company has fixed the iMessage protocol after several issues were discovered by a team of researchers at Johns Hopkins University.

John Hopkins, cryptography professor Matthew Green and a group of his students discovered that iMessage has a paramount fault that can’t be permanently fixed. Green suggested that for the sake of the security of its user Apple must replace its iMessage encryption.

Matthew  Green said that “This discovery is all the more important now, at a time when the U.S. government is arguing that technology companies shouldn’t use strong encryption and security for devices if that means the devices and communications can only be decrypted by the users themselves.” – Matthew  Green

Green also said that even though Apple had proficient cryptography experts design the iMessage protocol, they still couldn’t get it quite right. This shows how hard security is – even without having to worry about government-mandated backdoors:

Matthew Ggreen iMessage

The faults found allows more sophisticated attackers to decrypt picture and video attachments from iMessage. Although this attack has been made more difficult on recent iOS devices thanks to certificate pinning, someone with access to Apple’s servers could still intercept and decrypt those attachments. End-to-end encryption is not supposed to be affected by a server hack, and this is why this service of iMessage’s “end-to-end encrypted” benefit is put into question.

iMessage was praised by Green for being the first widely used messenger to even come close to end-to-end encryption back in 2011. iMessage has always had a centralized key server, which is a major weakness and a “feature” that’s not common on end-to-end encrypted services. Green thinks that although this remains a major weakness for iMessage, attacking the key server would mean having the ability to actively manipulate Apple’s infrastructure without getting caught.

In the context of an end-to-end encrypted messenger that should never even have this issue, and even more significant problem would be if an attacker could also get messages that have already been sent. And that is indeed what Green and his students discovered is possible.

How iMessage crypto allows the attacker to attack

Apple doesn’t authenticate the messages, which allows the messages to meddle. The company only uses an ECDSA signature, which can be replaced by a man-in-the-middle attacker that has access to Apple’s Push Notifications Service server. And this is because the attackers are able to meddle with the original message and modify it as well.

As per the information from another source, Ian Miers, one of Green’s students, offered a short-term fix for this attack. The one part of the AES ciphertext that isn’t vulnerable to tampering is the RSA-OAEP portion, which can be used to create a cache of recently-received RSA ciphertexts and reject any repeated ciphertexts.

Moreover, Green added that for now, this fix should be sufficient, but ultimately it’s a rather weak patch for a fundamentally broken cryptosystem and recommended Apple should move away from the current iMessage encryption as soon as possible and maybe even adopt the state-of-the-art protocol already used by Signal, Silent Phone, WhatsApp, and ChatSecure.

Join 10,000+ Fellow Readers

Get Techgenyz’s roundup delivered to your inbox curated with the most important for you that keeps you updated about the future tech, mobile, space, gaming, business and more.

Recomended

Partner With Us

Digital advertising offers a way for your business to reach out and make much-needed connections with your audience in a meaningful way. Advertising on Techgenyz will help you build brand awareness, increase website traffic, generate qualified leads, and grow your business.

Power Your Business

Solutions you need to super charge your business and drive growth

More from this topic