Can Apple read your iMessage?

Translation of an article by Matthew Green. I am not strong in cryptography, so I will be extremely grateful for any corrections of inaccuracies and refinements. Thank you.

About a year ago, I wrote a short post urging Apple to publish the technical details of encryption in iMessage. I would like to say that Apple saw my influential cryptoblog and published the specifications. But no, iMessage is still the same black box it has always been.

What has really changed is that people have begun to worry. This is partly due to Apple's alleged friendship with the NSA. In part, it is due to its not-so-friendly relations with the DEA. In any case, people want to know what part of their information Apple holds and with whom it is shared.

And that brings us back to the issue of encryption in iMessage. Apple has launched one of the most popular encrypted communication services on the planet: more than 2 billion iMessages are sent every day. Each of them contains personal information that the NSA and the DEA would like to get their hands on. But, in fact, even Apple cannot read them:

There are several categories of information that we don’t pass either to law enforcement agencies or to any other groups, since we decided not to save them.

For example, conversations through iMessage or FaceTime use end-to-end encryption, so that no one except the sender and receiver can read them. Apple cannot decrypt this data.

It looks believable, and my experience says it is likely. My point of view is informed by Green's Law of Applied Cryptography, which says that applied cryptography mostly sucks. Cryptography never gives the unconditional guarantees you would like, and users suffer for it.

And that’s the problem with iMessage: users are not suffering enough! The service is incredibly easy to use, which means that Apple has compromised, or rather found a balance between usability and security. And while there is nothing wrong with compromises, their decisions are of great importance when it comes to your private information. Handling these details on its own, Apple frees its users from having to take any action to protect themselves.

The details of these trade-offs are exactly what I want to talk about in this post. This, I swear, will be the last post I write about iMessage. From now on, there will be only ciphers and no evidence.

Apple saves copies of iMessages in iCloud

The biggest problem with Apple’s position is that it’s not true. If you use the iCloud backup service to save the data on your iDevice, there is a pretty high probability that Apple can obtain the last few days of your iMessage correspondence.

For those unfamiliar with the Apple ecosystem: iCloud is an optional data storage service that Apple provides for free. Backups are delightful, but if iMessages end up in a backup, the question of their security arises. Taking the company at its word (that it cannot obtain our messages) leaves us only two options:

  1. iMessage backups are encrypted with a key that never leaves your device
  2. iMessage backups are encrypted with a key that is associated with your password

Unfortunately, neither of these options is true, and proving it is quite simple. All you need to do is conduct an easy experiment: for starters, lose your iPhone. Then change your password using Apple's password recovery service (you will need to answer a few questions, or enter a backup e-mail). Now go to the Apple store and lay out a fortune for a new phone.

If you can recover your lost messages on the new iPhone (as I did right in the Apple store this afternoon), then Apple does not protect your iMessages with any keys or passwords. Sadly. (Ashkan Soltani made some screenshots from the same test.)

The bad news is that there is no cryptography here worth understanding. The simple and obvious fact is this: if you could do it, then someone at Apple can do it too. Perhaps at the request of law enforcement. All they need are your security questions, something that Apple probably stores itself.*

Apple distributes iMessage encryption keys

You may not be using backups. In that case, none of the above applies to you, and Apple is being honest when it says that messages use end-to-end encryption. The question you need to ask yourself in this case is: for whom are the messages encrypted?

The problem is that encryption only works if I have your encryption key. This means that if I want to talk to you, I must first get the key. Apple found a solution to this problem: they have a directory that iMessage can use to look up the key associated with an email address or phone number. This is great, but it is another “compromise”: now you are completely dependent on Apple giving you the right key.

The danger is that Apple (or a hacker who has attacked the server holding Apple's key directory) delivers its own key to you. From then on, you will not know that you are sending messages to that party and not to your friend.**

Moreover, iMessage allows you to associate multiple keys from multiple devices with one account. For example, you can add your Mac to receive copies of all messages sent to your phone. Also, iMessage does not tell the user how many keys are associated with an account and does not notify you when new keys are added.

In fact, the integrity of iMessage depends on how correctly Apple distributes the keys. If Apple makes a mistake (or a hacker attacks the iMessage server), then a man-in-the-middle attack becomes possible, and intercepting iMessage data will not be particularly difficult.
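The client-side check that a visible fingerprint and a new-key notification would make possible, as an added example (not from the original article and not Apple's code): the client remembers the key fingerprints it has seen for a contact and does not encrypt to keys the directory adds until they are confirmed out of band. The account name, the key bytes and the KeyPinStore class are constructed assumptions.

```python
import hashlib

def fingerprint(pubkey: bytes) -> str:
    """Human-comparable fingerprint: first 128 bits of SHA-256, in 4-hex-digit groups."""
    h = hashlib.sha256(pubkey).hexdigest()[:32]
    return " ".join(h[i:i + 4] for i in range(0, 32, 4))

class KeyPinStore:
    """Trust-on-first-use memory of the device keys seen for each account."""
    def __init__(self):
        self._trusted = {}  # account -> set of trusted fingerprints

    def check(self, account, directory_keys):
        """Classify a directory answer; returns (status, unverified_fingerprints)."""
        current = {fingerprint(k) for k in directory_keys}
        if account not in self._trusted:
            self._trusted[account] = set(current)  # first contact: nothing to compare with
            return "first-use", []
        unverified = sorted(current - self._trusted[account])
        return ("new-key", unverified) if unverified else ("ok", [])

    def confirm(self, account, fp):
        """Call only after the fingerprint was compared out of band (in person, by phone)."""
        self._trusted[account].add(fp)

    def keys_to_encrypt_to(self, account, directory_keys):
        """Encrypt only to keys already trusted, never to whatever the directory adds."""
        trusted = self._trusted.get(account, set())
        return [k for k in directory_keys if fingerprint(k) in trusted]

# Constructed sample data: opaque byte strings stand in for real public keys.
PHONE = b"constructed-public-key:friend-phone"
MAC = b"constructed-public-key:friend-mac"
UNKNOWN = b"constructed-public-key:unknown-device"

def demo():
    store = KeyPinStore()
    results = [store.check("friend@example.com", [PHONE])]       # first lookup
    results.append(store.check("friend@example.com", [PHONE]))    # unchanged answer
    answer = [PHONE, MAC, UNKNOWN]                                # directory now lists 3 keys
    status, unverified = store.check("friend@example.com", answer)
    results.append((status, len(unverified)))
    store.confirm("friend@example.com", fingerprint(MAC))         # friend confirmed the Mac
    usable = store.keys_to_encrypt_to("friend@example.com", answer)
    return results, usable

if __name__ == "__main__":
    print(demo())
```

The store cannot tell a friend's new Mac from a substituted key; it only makes the change visible, and the first lookup is still trusted blindly.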

Today for some it is obvious, for others it does not really matter. And everyone is happy. But people should at least understand the strengths and weaknesses of the concept chosen by Apple. With this knowledge, they can determine for themselves how much Apple should be trusted.

Apple may store metadata

Although Apple can encrypt the contents of your messages, their rules do not preclude storing data about who you are talking to. This is the well-known metadata that the NSA sweeps up, and (as I said) it’s impossible not to at least collect this information, especially given that Apple delivers your messages through its servers.

This data can be just as valuable as the rest. And while Apple does not store the content of your messages, their agreement says nothing about all this metadata.

Apple does not use Certificate Pinning


And the last (not very serious) point: iMessage clients (for iPhone and Mac) communicate with Apple's distribution directory using the HTTPS protocol (note that this applies to the lookups; the iMessages themselves are encrypted separately and travel via Apple's XMPP push notifications).

Using HTTPS is a good idea and, basically, it provides good protection against interception. But it does not defend against all attacks. There is still a real possibility for an attacker to obtain a fake certificate (possibly by compromising a certification authority) and thus intercept or modify communication with Apple.

Here it’s not very clear to me why an attacker should get a fake certificate, not an authentic one. Maybe it meant the introduction of a fake certificate by a hacker?

These kinds of things are not as crazy as we think. This happened to hundreds of Iranian Gmail users and is likely to happen again in the future. The standard solution to this problem is certificate pinning (which tells the application not to trust unknown certificates). Many applications, such as Twitter, have done this. But not Apple, as I found out during testing and writing this post.
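An added example, not from the original article or from any Apple or Twitter code, of the pinning check described above: the client hashes the SubjectPublicKeyInfo of the server certificate and accepts the connection only if that hash is in a built-in pin set, so a certificate issued for a different key by any certification authority is rejected. The sample certificates are skeletal DER structures constructed for the demonstration, and all function names are assumptions.

```python
import base64, hashlib

def read_tlv(buf: bytes, pos: int):
    """Parse one DER element at pos; return (tag, content_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_pin(cert_der: bytes) -> str:
    """Base64 SHA-256 over the DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, body, _ = read_tlv(cert_der, 0)                 # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(cert_der, body)         # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(cert_der, pos)
        if tag != 0xA0:                                # skip the optional [0] version
            fields.append(cert_der[pos:end])
        pos = end
    if len(fields) < 6:  # serial, sig alg, issuer, validity, subject, SPKI
        raise ValueError("not an X.509 tbsCertificate")
    return base64.b64encode(hashlib.sha256(fields[5]).digest()).decode()

def pin_ok(cert_der: bytes, pins: set) -> bool:
    """Run after normal chain validation: the server key must also be a pinned one."""
    try:
        return spki_pin(cert_der) in pins
    except (ValueError, IndexError):
        return False                                   # malformed certificate: fail closed

# Constructed test data: skeletal DER with the X.509 field layout, no real signatures.
def tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + content

def sample_cert(pubkey: bytes, serial: int) -> bytes:
    seq = lambda *parts: tlv(0x30, b"".join(parts))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, bytes([serial])),  # version, serial
              seq(), seq(), seq(), seq(),              # sig alg, issuer, validity, subject
              seq(seq(), tlv(0x03, b"\x00" + pubkey)))  # SPKI: algorithm + BIT STRING key
    return seq(tbs, seq(), tlv(0x03, b"\x00"))

SERVER_KEY, OTHER_KEY = b"\x11" * 200, b"\x22" * 200   # constructed key bytes
PINS = {spki_pin(sample_cert(SERVER_KEY, 1))}
```

On a live connection the DER bytes would come from ssl.SSLSocket.getpeercert(binary_form=True), checked after the usual chain validation.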

Finally

I did not write this post because I do not like Apple. On the contrary, I really like their products and would even bathe with them if (unfortunately) this did not void the warranty.

But the flip side of my admiration is simple: I trust their devices and want to know how protected they are. I do not see any downside for Apple in explaining this, at least at a high level, even if it does not give the details. The explanation should include the type and principle of the encryption algorithms, the details of the directory service and the key agreement protocol.

Apple may think outside the box, but the rules of information security apply to them too. Sooner or later, someone will break or rewrite the iMessage system. And then all this will come out.

Notes:

* Of course, it is possible that Apple uses your security questions to derive an encryption key. However, this is unlikely. Firstly, because Apple probably stores your question/answer in a separate file. And if not, it is unlikely that most answers to the questions contain enough entropy for decryption. After all, there are only so many birthdays and car brands in the world. Two-step authentication can improve things if you use it.
** In practice, it is not clear whether Apple devices generate the key themselves or arrange an OTR-like key exchange. It is clear that iMessage does not show a “fingerprint” or anything similar that users could use to verify the authenticity of a key, which implies full trust in Apple. In addition, iMessage allows you to send messages offline. It's not entirely clear how this should work with OTR.
