Security Pros: iMessage Security Is a Myth
"At the 10,000-foot level, Quarkslab's technical argument is that it is possible to reverse-engineer Apple's encryption technology," said NSS Labs' Randy Abrams. However, the effort required "is such that you already have to be a person of extreme interest to some group somewhere in the world with a high level of technical expertise, and be worth the investment of time and effort."
Oct 19, 2013 5:00 AM PT
Apple's iMessage instant messenger service, which has made headlines for being uncrackable by law enforcement, is not so secure after all, according to Quarkslab.
An internal document from the United States Drug Enforcement Administration published by CNET in April stated that it was impossible to intercept iMessages between two Apple devices.
"As Apple claims, there is end-to-end encryption," Quarkslab researcher Cyril Cattiaux said. "The weakness is in the key infrastructure as it is controlled by Apple they can change a key any time they want, thus read the content of our iMessages."
Further, metadata about messages is sensitive, Cattiaux pointed out -- and Apple has that metadata.
Apple insists that iMessage is not architected to let it read messages and insisted that Quarkslab discussed theoretical vulnerabilities that would require Cupertino to re-engineer the iMessage system to exploit it, something the company does not plan to do.
The Gist of Quarkslab's Findings
Quarkslab found it easy to add a fake certificate to perform a man-in-the-middle attack because there is no certificate pinning, the company said. (With certificate pinning, IT determines that only a particular certificate, or certificates digitally signed by a particular certificate, can be trusted.)
Further, the researchers' AppleID and password went through SSL communications in clear text, which would allow Apple to see the password. That means Apple -- or intelligence agencies -- could replay the password, Quarkslab said.
It also means anyone who was able to add a certificate and proxify the communications would be able to get a target's AppleID and password, gaining access to the victim's iCloud account.
If hackers can get hold of a user's password, they can do considerable harm, as Wired writer Matthew Honan discovered last year.
The iPhone Configuration Utility, which lets enterprises manage iPhones, lets IT invisibly proxify communications to and from the device, thus gaining access to personal information, Quarkslab said. Apple's PUSH notification service is another area of vulnerability.
Dispelling iMessages Myth-information
Commenting on Quarkslab's blogpost, "HG" pointed out that Apple controls all the iMessage client software and the hardware platform the software runs on, so it could push an update that sends all chats directly to law enforcement without the user knowing.
The purported invulnerability of iMessage to surveillance by law enforcement was called into question as soon as the DEA's complaint was published.
Cryptographer Matthew Green pointed out that the ability to restore iCloud backups to a new device using only the iCloud password and Apple's "iForgot" service -- which lets users recover their iCloud passwords by answering a few personal questions -- indicates iCloud data is not encrypted end to end -- and even if it is, Apple has users' passwords on file and can recover them.
"Most security professionals don't consider iMessages to be a secure medium, just like SMS is not a secure medium," Ken Pickering, director of engineering at CORE Security, told TechNewsWorld.
More Trouble Than It's Worth?
"At the 10,000-foot level, Quarkslab's technical argument is that it is possible to reverse-engineer Apple's encryption technology," Randy Abrams, a director of research at NSS Labs, told TechNewsWorld.
However, the effort required "is such that you already have to be a person of extreme interest to some group somewhere in the world with a high level of technical expertise, and be worth the investment of time and effort," he continued. "No average user, or even crook, is likely to be worth the effort."
Apple's contention, that iMessage is secure, could be because "Apple feels, and I think most would agree, that they made iMessages as secure as could reasonably be done," Abrams said.
"I'm sure Apple realizes that almost anything that can be done with software can be undone with software," Abrams continued. "At some point, a company has to say 'it's good enough' or go bankrupt attempting to attain perfection."
Apple did not respond to our request to comment for this story.