Cryptography Experts Say Apple Needs to Replace iMessage Encryption

Share this…

iMessage receives several fixes following mammoth research. Apple has added a series of short- and long-term defenses to the iMessage protocol following the private disclosure of several issues discovered by a team of researchers from the Johns Hopkins University led by Christina Garman, a group that also included famous cryptography expert Matthew Green.

The five-man research team has presented their findings at the recently concluded Usenix Security Symposium.

This is the same research that fueled a series of articles in the international press last March, about a zero-day in the iMessage protocol that allowed attackers to decrypt images and videos sent through iMessage apps.

In a technical paper made available after the symposium’s conclusion, the team reveals that at the basis of their research is a “chosen ciphertext attack” on the iMessage protocol’s encryption.

Attack is hard to pull off, reserved only for state-level actors

Researchers say that their attack allows them to retrospectively decrypt certain types of iMessage payloads and attachments, if either the sender or receiver is still online.

Their proof-of-concept attack on the iMessage protocol encryption can be carried out remotely and silently, and while it requires a high-level of technical expertise on the attacker’s side, it’s nothing that state-sponsored actors can’t achieve. The researchers also discovered several flaws in how iMessage handles device registration and key distribution mechanisms.

The attack scenario requires the attacker to be in a position to intercept iMessage traffic using stolen TLS certificates, or have access to Apple’s servers, by legal or illegal means.

This is possible because Apple stores undelivered iMessage data on its servers for up to 30 days and because some older iOS and Mac OS X versions don’t employ certificate pinning on Apple Push Network Services (APNs) connections, allowing attackers with stolen TLS certificates to obtain a Man-in-the-Middle position.


Attack can be used on historical, backed-up iMessage data

After reverse-engineering the iMessage protocol, researchers also found that Apple doesn’t rotate encryption keys at regular intervals, like modern encryption protocols such as OTR and Signal.

This means that attackers can use this very same attack on iMessage historical data, which is often backed up inside iCloud and stored on Apple’s servers. Law enforcement can force Apple trough a court order to provide access to iCloud backups and deploy this attack to decrypt older iMessage data.

Their chosen ciphertext attack works only on ciphertexts containing gzip compressed data, which explains why only certain types of iMessage data can be recovered from its encrypted form. Because of this, the researchers named their attack the Gzip Format Oracle Attack.

Other encryption protocols may be vulnerable to this attack as well

Researchers believe that the Gzip Format Oracle Attack can also work on other encryption protocols that handle encrypted data in a gzip format.

One of them is the Handoff service used to exchange data between Apple devices via Bluetooth LE, which Apple describes as using encryption “in a similar fashion to iMessage.” Other technologies may include OpenPGP encryption as implemented by GnuPG.

  Overall, our determination is that while iMessage’s end-to-end encryption protocol is an improvement over systems that use encryption on network traffic only (e.g., Google Hangouts), messages sent through iMessage may not be secure against sophisticated adversaries. Our results show that an attacker who obtains iMessage ciphertexts can, at least for some types of messages, retrospectively decrypt traffic.  

Apple fixed some of the flaws, but a major iMessage overhaul is needed

The good news is that the research team said that the vulnerabilities were straightforward to repair, which Apple did after they were notified in November 2015.

Since then, Apple has been pushing mitigations recommended by the researchers through monthly updates to several of their products. Most of the repairs were included in iOS 9.3 and OS X 10.11.4, which shipped in March 2016.

A full list of short- and long-term mitigations that researchers proposed can be found in their researcher paper called Dancing on the Lip of the Volcano: Chosen Ciphertext Attacks on Apple iMessage, in section 7.

Apple implemented most of their suggestions, like removing gzip compression and adding duplicate RSA ciphertext detection, but the researchers do recommend that Apple replaces the iMessage encryption mechanism in the long run.