Apple iMessage vulnerable to MITM attack

Quarkslab researchers Cyril Cattiaux has revealed Apple lied when it claimed it could not intercept iMessages sent by its users.

Quarkslab researchers Cyril Cattiaux revealed that it is possible to break encryption implemented in Apple’s iMessage application due the presence of a weakness in the key management process. The announcement was made during the Hack in the Box conference in Malaysia this week.

Cattiaux, aka pod2g, is known because it has developed a iOS jailbreak, this time they sustain that iMessage encryption is vulnerable to eavesdropping attack despite Apple always declared a secure end-to-end encryption.

“For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data,” Apple declared in a statement on its website.

According the researchers Apple is able to access the content of iMessage app changing the key anytime they need, it should be noted that they confirm there’s no evidence that Apple or the NSA are analyzing also iMessage content despite it is technically possible.

“Apple’s claim that they can’t read end-to-end encrypted iMessage is definitely not true,” they said. Apple has no reason to do so. But what of intelligence agencies?” they said.

It is clear the reference to the case PRISM and the revelation made by Snowden on the collaboration offered by Apple to NSA for surveillance activities. When the user sends a iMessage to someone, he takes the receiver’s public key from Apple, and encrypts the message. Once the message is received by recipient he is able to decrypt the message with his private key according classic asymmetric encryption scheme. Apple acts as a Certification Authority of any PKI architecture, public keys were managed on a server called ESS that could be not publicly inspected. The researchers created its own bogus Certification Authority and inserted its reference into the iPhone Keychain to be able to access to SSL encrypted traffic acting as a proxy. Cattiaux noted that Apple ID and password was being transmitted in clear text during iMessage transmission. Apple actually controls public key repository this means that it could perform a MITM to intercept users’ messages.

They exploited the lack of mechanisms to tell devices to trust a given certificate, for PUSH and iMessage servers, allowing a fake certificate authority to be added to the user Keychain.

“Firstly, it means that Apple [and intelligence agencies] can replay our password using for instance our email on many websites. Secondly, it also means that anyone capable of adding a certificate and able to [proxy] the communications can get user’s Apple ID and password, thus get access to include accounts, backups” and app purchasing.

There is the concrete risks that enterprise IT managers when assigning Apple devices with mobile device management platforms could intercept sensitive Apple user account details including iCloud usernames and passwords.

“If the device is connected to iPhone Configuration Utility, Apple’s enterprise solution for management of iPhones, a trusted CA (Certificate Authority) is added. The consequence is that all subsequent certificates signed by that CA will be trusted to create the SSL communication. It means all companies using that are able to retrieve their employee’s AppleID and password by simply [proxying] the SSL communication.”

A possible implementation that could dispel the doubts about the good faith of Apple is to store user’s public keys locally within iOS, avoiding centralized management by Apple.

I suggest to read the interesting analysis published in the blog post of the researchers.

Pierluigi Paganini

(Security Affairs – Apple, Privacy, iMessage)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.