New research from a team at Johns Hopkins University shows that there are serious problems with the way Apple implemented encryption on its iMessage system, leaving it open to retrospective decryption attacks that can reveal the contents of all of a victim’s past iMessage texts.
The iMessage system, like much of what Apple does, is opaque and its inner workings have not been made available to outsiders. One of the key things that is known about the system is that messages are encrypted from end to end and Apple has said that it does not have the ability to decrypt users’ messages. The researchers at JHU, led by Matthew Green, a professor of computer science at the school, reverse engineered the iMessage protocol and discovered that Apple made some mistakes in its encryption implementation that could allow an attacker who has access to encrypted messages to decrypt them.
“Our analysis shows that iMessage has significant vulnerabilities that can be exploited by a sophisticated attacker. In particular, we outline a novel chosen ciphertext attack on Huffman compressed data, which allows retrospective decryption of some iMessage payloads in less than 2^18 queries. The practical implication of these attacks is that any party who gains access to iMessage ciphertexts may potentially decrypt them remotely and after the fact,” the researchers wrote in a paper delivered at the USENIX Security Symposium last week.
The JHU researchers said that the bugs they identified in iMessage essentially “reduce the level of security to that of the TLS encryption used to secure communications between end-user devices and Apple’s servers.” That is not a compliment. Specifically, the team was able to perform a chosen ciphertext attack on encrypted iMessages that resulted in them decrypting the messages. The attack targeted messages that contain gzip-compressed information, and the researchers found that their technique could decrypt old messages as well.
Apple has been aware of the vulnerabilities in iMessage since November, when the JHU researchers reported them privately. The company has fixed the issues in recent iOS releases. One of the problems the researchers found is that older versions of iOS (pre-iOS 9) don’t enforce certificate pinning, opening those devices up to man-in-the-middle attacks.
“These repairs include: enforcing certificate pinning across all channels used by iMessage, removing compression from the iMessage composition (for attachment messages), and developing a fix based on our proposed ‘duplicate cipher text detection’ mitigation. Apple has also made changes to the use of iMessage in inter-device communications such as Handoff, although the company has declined to share the details with us,” the paper says.