Can Apple read your iMessage?
Translation of an article by Matthew Green. In cryptography is not strong, therefore I will be extremely grateful for all corrections of inaccuracies and clarifications in drugs. Thank you .
About a year ago, I wrote a short post calling for Apple to publish technical details of encryption to iMessage. I wish I could say that Apple saw my powerful cryptoblog and showed specifications. But no, iMessage is the same black box it always was.
What really changed was that people began to worry. This is partly due to Apple’s supposed friendship with the NSA . In part, this is not the fault of such friendly relations with OBN . In any case, people want to know how much of their information Apple owns and with whom it is shared.
And that brings us back to the issue of encryption in iMessage. Apple launched one of the most popular encrypted communication services on the planet: over 2 billion messages in iMessage every day. Each of them contains personal information that the NSA and the DEA would like to have in their hands. But, in fact, even Apple cannot read them :
')
For example, conversations via iMessage or FaceTime use end-to-end encryption , so that no one except the sender and the recipient can read them. Apple cannot decrypt this data.
It looks believable, and my experience says that it is quite likely. My point of view is due to the “Green Law on Applied Cryptography,” which says that basically applied cryptography sucks. Cryptography never gives unconditional guarantees, as you would like, and this is what users suffer from .
And this is the problem with iMessage: users do not suffer enough! The service is incredibly easy to use, which means that Apple compromised, or rather found a balance between usability and security. And as long as there is nothing wrong with compromises, their decisions are of great importance when it comes to your personal information. By engaging in these details on its own, Apple frees its users from unnecessary actions to protect themselves.
The details of these trade-offs are exactly what I want to talk about in this post. The post that I swear will be the last post I write about iMessage. From this point on, there will be only ciphers and no evidence.
The biggest problem with Apple’s position is that it’s not true. If you use the iCloud backup service to save your iDevice data, then there is a rather high probability that Apple may receive the last few days of correspondence in iMessage.
For those who are not aware of the Apple ecosystem: iCloud is an optional data storage service provided by Apple for free. Backups are amazing, but if iMessages get backed up, then the question arises of their security. Believing in the word of the company (that they cannot receive our messages) leaves us with only two options:
Unfortunately, none of these options is true, and to prove it is quite simple. All you need to do is make an easy experiment : first, lose your iPhone. Then, change the password using the Epplow password recovery service (you will need to answer a few questions, or enter a spare e-mail). Now we go to the Apple store and lay out a fortune for a new phone.
If you can restore your lost messages on the new iPhone (as I did it right in the Apple store this afternoon), then Apple does not protect your iMessages with any keys and passwords. Sadly (Ashkan Soltani (Ashkan Soltani) made some screenshots from the same test).
The bad thing is that there is no any cryptography in which to understand. The simple and obvious fact is this: if you could do it, then someone at Apple can do it too. Perhaps when requesting services of the law. All they need is your Secret Questions, something Apple is sure to keep * .
You may not be using backups. In this case, all of the above is not about you and Apple honestly says that the message uses end-to-end encryption. The question you should ask yourself in this case: the messages are encrypted for whom?
The problem is that encryption works if I have your encryption key. This means that if I want to talk to you, I must first get the key. Apple found a solution to this problem: they have a directory that iMessage can use to find the key associated with an email address or phone number. This is great, but this is another “compromise”: now you are completely dependent on giving Apple the right key .
The danger is that Apple (or the hacker who attacked the server with the Apple key directories) must first give you your key. From now on, you will not know that you are sending messages to this person, and not to your friend. **
Moreover, iMessage allows you to link multiple keys from multiple devices. For example, you can add your Mac to receive copies of all messages sent to your phone. Also, iMessage does not give the user information about how many keys are associated with one account and does not notify you when new keys are added.
In fact, the integrity of iMessage depends on how well Apple distributes the keys. If Apple makes a mistake (or a hacker attacks the iMessage server), then a mediator attack ( man-in-the-middle attack ) becomes possible and intercepting iMessage data will not cause any particular difficulties.
Today it is obvious for some, for the rest it doesn’t matter much. And everyone is happy. But people should at least understand the strengths and weaknesses of Apple’s chosen concept. With this knowledge, they can determine on their own how trust Apple should be.
Although Apple can encrypt the content of your messages, their rules do not exclude the possibility of storing the data of who you are communicating with. These are well-known metadata that the NSA immediately dismisses and (as I said before ) cannot at least not collect this information, especially given the fact that Apple delivers your messages through its servers.
This data can be as valuable as the rest. And while Apple does not store the content of your messages, their agreement says nothing about all this metadata.
And the last (not very serious) point is that iMessage clients (for iPhone and Mac) are connected to the Apple distribution directory using the HTTPS protocol (note that this applies to search in message history, current iMessages are encrypted separately and travel using theXMPP push Apple notifications ).
Using HTTPS is a good idea and, basically, it provides good protection against interception. But so do not defend against all attacks. There is still a real possibility for an attacker to obtain a fake certificate (possibly with damage to the certificate authority) and thus intercept or change the connection with Apple.
Here I don’t really understand why an attacker should get a fake certificate, and not a genuine one. Maybe it meant the introduction of a fake certificate by a hacker?
This kind of thing is not as crazy as we think. This happened to hundreds of Iranian Gmail users and is likely to repeat in the future. The standard solution to this problem is certificate pinning (it tells the application not to trust unknown certificates). A lot of apps like Twitter did it. But not Apple, as I found out during testing and writing this post.
I did not write this post because I do not like Apple. On the contrary, I really like their products and would even swim with them if (unfortunately) this did not nullify the warranty.
But the reverse side of my admiration is simple: I trust their devices and want to know how protected they are. I do not see any flaws in Apple in explaining this, at least to high-level specialists, even with the backlog of details. The explanation should include the type and principle of encryption algorithms, the details of the directory service and the key agreement protocol.
Apple may think outside the box, but information security rules apply to them. Sooner or later, someone will break or rewrite the iMessage system. And then it all comes out.
* Of course, it is possible that Apple uses your secret questions to get the encryption key. However, this is unlikely. First, because Apple probably stores your question / answer in a separate file. And if not, then most of the answers to the questions are unlikely to store enough entropy to decrypt. After all, there are so many birthdays and car brands in the world. Two-step authentication can improve the situation if you use it. Back to top
** In practice, it is not entirely clear whether Apple devices generate the key themselves or arrange an OTR -like key exchange . It is clear that iMessage does not contain a “key fingerprint” or something similar for users to verify the authenticity of the key, which implies Apple’s full confidence in encryption issues. In addition, iMessage allows you to send messages offline. It's not entirely clear how this should work with OTR.
About a year ago, I wrote a short post calling for Apple to publish technical details of encryption to iMessage. I wish I could say that Apple saw my powerful cryptoblog and showed specifications. But no, iMessage is the same black box it always was.What really changed was that people began to worry. This is partly due to Apple’s supposed friendship with the NSA . In part, this is not the fault of such friendly relations with OBN . In any case, people want to know how much of their information Apple owns and with whom it is shared.
And that brings us back to the issue of encryption in iMessage. Apple launched one of the most popular encrypted communication services on the planet: over 2 billion messages in iMessage every day. Each of them contains personal information that the NSA and the DEA would like to have in their hands. But, in fact, even Apple cannot read them :
')
There are several categories of information that we do not pass on to any law enforcement authorities or to any other groups, since we have decided not to keep them.
For example, conversations via iMessage or FaceTime use end-to-end encryption , so that no one except the sender and the recipient can read them. Apple cannot decrypt this data.
It looks believable, and my experience says that it is quite likely. My point of view is due to the “Green Law on Applied Cryptography,” which says that basically applied cryptography sucks. Cryptography never gives unconditional guarantees, as you would like, and this is what users suffer from .
And this is the problem with iMessage: users do not suffer enough! The service is incredibly easy to use, which means that Apple compromised, or rather found a balance between usability and security. And as long as there is nothing wrong with compromises, their decisions are of great importance when it comes to your personal information. By engaging in these details on its own, Apple frees its users from unnecessary actions to protect themselves.
The details of these trade-offs are exactly what I want to talk about in this post. The post that I swear will be the last post I write about iMessage. From this point on, there will be only ciphers and no evidence.
Apple saves copies of i Messages in iCloud
The biggest problem with Apple’s position is that it’s not true. If you use the iCloud backup service to save your iDevice data, then there is a rather high probability that Apple may receive the last few days of correspondence in iMessage.
For those who are not aware of the Apple ecosystem: iCloud is an optional data storage service provided by Apple for free. Backups are amazing, but if iMessages get backed up, then the question arises of their security. Believing in the word of the company (that they cannot receive our messages) leaves us with only two options:
- IMessage backups are encrypted with a key that never leaves your device
- IMessage backups are encrypted with a key that is associated with your password
Unfortunately, none of these options is true, and to prove it is quite simple. All you need to do is make an easy experiment : first, lose your iPhone. Then, change the password using the Epplow password recovery service (you will need to answer a few questions, or enter a spare e-mail). Now we go to the Apple store and lay out a fortune for a new phone.
If you can restore your lost messages on the new iPhone (as I did it right in the Apple store this afternoon), then Apple does not protect your iMessages with any keys and passwords. Sadly (Ashkan Soltani (Ashkan Soltani) made some screenshots from the same test).
The bad thing is that there is no any cryptography in which to understand. The simple and obvious fact is this: if you could do it, then someone at Apple can do it too. Perhaps when requesting services of the law. All they need is your Secret Questions, something Apple is sure to keep * .
Apple distributes iMessage encryption keys
You may not be using backups. In this case, all of the above is not about you and Apple honestly says that the message uses end-to-end encryption. The question you should ask yourself in this case: the messages are encrypted for whom?
The problem is that encryption works if I have your encryption key. This means that if I want to talk to you, I must first get the key. Apple found a solution to this problem: they have a directory that iMessage can use to find the key associated with an email address or phone number. This is great, but this is another “compromise”: now you are completely dependent on giving Apple the right key .
The danger is that Apple (or the hacker who attacked the server with the Apple key directories) must first give you your key. From now on, you will not know that you are sending messages to this person, and not to your friend. **
Moreover, iMessage allows you to link multiple keys from multiple devices. For example, you can add your Mac to receive copies of all messages sent to your phone. Also, iMessage does not give the user information about how many keys are associated with one account and does not notify you when new keys are added.
In fact, the integrity of iMessage depends on how well Apple distributes the keys. If Apple makes a mistake (or a hacker attacks the iMessage server), then a mediator attack ( man-in-the-middle attack ) becomes possible and intercepting iMessage data will not cause any particular difficulties.
Today it is obvious for some, for the rest it doesn’t matter much. And everyone is happy. But people should at least understand the strengths and weaknesses of Apple’s chosen concept. With this knowledge, they can determine on their own how trust Apple should be.
Apple can store metadata
Although Apple can encrypt the content of your messages, their rules do not exclude the possibility of storing the data of who you are communicating with. These are well-known metadata that the NSA immediately dismisses and (as I said before ) cannot at least not collect this information, especially given the fact that Apple delivers your messages through its servers.
This data can be as valuable as the rest. And while Apple does not store the content of your messages, their agreement says nothing about all this metadata.
Apple does not use Certificate Pinning
And the last (not very serious) point is that iMessage clients (for iPhone and Mac) are connected to the Apple distribution directory using the HTTPS protocol (note that this applies to search in message history, current iMessages are encrypted separately and travel using the
Using HTTPS is a good idea and, basically, it provides good protection against interception. But so do not defend against all attacks. There is still a real possibility for an attacker to obtain a fake certificate (possibly with damage to the certificate authority) and thus intercept or change the connection with Apple.
Here I don’t really understand why an attacker should get a fake certificate, and not a genuine one. Maybe it meant the introduction of a fake certificate by a hacker?
This kind of thing is not as crazy as we think. This happened to hundreds of Iranian Gmail users and is likely to repeat in the future. The standard solution to this problem is certificate pinning (it tells the application not to trust unknown certificates). A lot of apps like Twitter did it. But not Apple, as I found out during testing and writing this post.
Finally
I did not write this post because I do not like Apple. On the contrary, I really like their products and would even swim with them if (unfortunately) this did not nullify the warranty.
But the reverse side of my admiration is simple: I trust their devices and want to know how protected they are. I do not see any flaws in Apple in explaining this, at least to high-level specialists, even with the backlog of details. The explanation should include the type and principle of encryption algorithms, the details of the directory service and the key agreement protocol.
Apple may think outside the box, but information security rules apply to them. Sooner or later, someone will break or rewrite the iMessage system. And then it all comes out.
Notes:
* Of course, it is possible that Apple uses your secret questions to get the encryption key. However, this is unlikely. First, because Apple probably stores your question / answer in a separate file. And if not, then most of the answers to the questions are unlikely to store enough entropy to decrypt. After all, there are so many birthdays and car brands in the world. Two-step authentication can improve the situation if you use it. Back to top
** In practice, it is not entirely clear whether Apple devices generate the key themselves or arrange an OTR -like key exchange . It is clear that iMessage does not contain a “key fingerprint” or something similar for users to verify the authenticity of the key, which implies Apple’s full confidence in encryption issues. In addition, iMessage allows you to send messages offline. It's not entirely clear how this should work with OTR.
Source: https://habr.com/ru/post/221489/
All Articles