iMessage Attachments Security Flaw
A flaw in Apple’s encryption systems has been found that enables an attacker to decrypt photos and videos sent over its iMessage instant messenger service.
According to The Washington Post, the security hole in Apple’s code was exploited by a group of Johns Hopkins University researchers, led by computer science professor Matthew D. Green.
Green reportedly alerted Apple to the problem last year after he read an Apple security guide describing an encryption process that struck him as weak. When a few months passed and the flaw remained, Green and his graduate students decided to mount an attack to show that they could break the encryption of photos and videos sent over iMessage.
[…]
Apple said that it partially fixed the problem last fall when it released iOS 9, and will fully address the issue through security improvements in iOS 9.3, which is expected to be released this week.
mtgx:
Another iMessage/iOS design flaw (in the context of its “end-to-end encryption”) is that you can’t disable iCloud sync for the messages alone. It’s an all or nothing proposition. It would be good if in iOS 9.3 they’d allow iMessage sync to be disabled, or even better keep it disabled by default, even when you enable “iCloud sync” (it is after all supposed to be end-to-end encryption, not “end-to-end encryption with centralized storage in our cloud”, at which point saying iMessage is E2E is just a misnomer).
This is the point I keep mentioning. iCloud backup is the only way to back up an iPhone without a Mac or PC, and there’s no way to configure it. Want to back up your important app data? Then you also have to store your iMessages on Apple’s server, encrypted with their key.
Update (2016-03-22): Apple (via Rosyna Keller):
Impact: An attacker who is able to bypass Apple’s certificate pinning, intercept TLS connections, inject messages, and record encrypted attachment-type messages may be able to read attachments
Description: A cryptographic issue was addressed by rejecting duplicate messages on the client.
Apple’s fixes are twofold. First, starting in iOS 9.0 (and before our work), Apple began deploying aggressive certificate pinning across iOS applications. This doesn’t fix the attack on iMessage crypto, but it does make it much harder for attackers to recover iMessage ciphertexts to decrypt in the first place.
Unfortunately even if this works perfectly, Apple still has access to iMessage ciphertexts. Worse, Apple’s servers will retain these messages for up to 30 days if they are not delivered to one of your devices. A vulnerability in Apple Push Network authentication, or a compromise of these servers could read them all out. This means that pinning is only a mitigation, not a true fix.
As of iOS 9.3, Apple has implemented a short-term mitigation that my student Ian Miers proposed. This relies on the fact that while the AES ciphertext is malleable, the RSA-OAEP portion of the ciphertext is not. The fix maintains a "cache" of recently received RSA ciphertexts and rejects any repeated ciphertexts. In practice, this shuts down our attack -- provided the cache is large enough. We believe it probably is.
In the long term, Apple should drop iMessage like a hot rock and move to Signal/Axolotl.
I wrote about this flaw in IEEE Security and Privacy earlier this year[…]
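The short-term mitigation Green describes above, a client-side cache that rejects any repeated RSA-OAEP key-wrap blob, is small enough to show end to end. The following Python is an added example, not Apple's or Green's code: it assumes a hybrid message layout in which a fixed-size RSA-OAEP blob (the non-malleable part) is followed by an AES body (the malleable part), and models only the replay cache, not the encryption itself. The message sizes, the `split_message` layout and the sample messages are constructed for illustration. It also carries the caveat from the post one step further: a cache that is too small evicts old blobs, so a replay of an evicted blob is accepted again, which is why the cache has to be "large enough".

```python
"""Bounded replay cache for the RSA-OAEP portion of a hybrid ciphertext.

Added example (not Apple's or Green's code).  Assumed layout, for
illustration only: the first WRAPPED_KEY_LEN bytes of a message are the
RSA-OAEP wrapped symmetric key, everything after that is the AES body.
"""
import hashlib
from collections import OrderedDict

WRAPPED_KEY_LEN = 256  # assumption: RSA-2048 OAEP output size in bytes


class ReplayCache:
    """Remembers fingerprints of recently seen wrapped keys (LRU, bounded)."""

    def __init__(self, capacity: int) -> None:
        if capacity < 1:
            raise ValueError("capacity must be positive")
        self.capacity = capacity
        self._seen: "OrderedDict[bytes, None]" = OrderedDict()

    def check_and_record(self, wrapped_key: bytes) -> bool:
        """Return True if this wrapped key is new (accept), False if it repeats (reject)."""
        fingerprint = hashlib.sha256(wrapped_key).digest()
        if fingerprint in self._seen:
            # Same RSA-OAEP blob seen before: the AES body may have been
            # tampered with, so the whole message is dropped.
            return False
        self._seen[fingerprint] = None
        if len(self._seen) > self.capacity:
            # Evict the oldest entry; anything evicted can be replayed again.
            self._seen.popitem(last=False)
        return True


def split_message(msg: bytes) -> tuple[bytes, bytes]:
    """Split a message into (wrapped_key, aes_body) under the assumed layout."""
    if len(msg) < WRAPPED_KEY_LEN:
        raise ValueError("message shorter than the wrapped-key field")
    return msg[:WRAPPED_KEY_LEN], msg[WRAPPED_KEY_LEN:]


def process_stream(messages: list[bytes], capacity: int) -> list[bool]:
    """Run a message sequence through one cache; True = accepted, False = rejected."""
    cache = ReplayCache(capacity)
    decisions = []
    for msg in messages:
        wrapped_key, _body = split_message(msg)
        decisions.append(cache.check_and_record(wrapped_key))
    return decisions


def make_message(tag: int, body: bytes) -> bytes:
    """Constructed sample message: a synthetic 'wrapped key' plus a body."""
    return bytes([tag]) * WRAPPED_KEY_LEN + body


# Constructed samples: two bodies carried under the same wrapped key A.
MSG_A1 = make_message(0xA1, b"body one")
MSG_A1_MODIFIED = make_message(0xA1, b"body one, altered")  # same RSA blob
MSG_B1 = make_message(0xB1, b"body one")


def demo_duplicate_rejected() -> list[bool]:
    """Second message reuses A's wrapped key and is rejected; B is fresh."""
    return process_stream([MSG_A1, MSG_A1_MODIFIED, MSG_B1], capacity=10)


def demo_eviction_window(capacity: int) -> list[bool]:
    """Four distinct wrapped keys, then a replay of the first.

    With capacity 3 the first key has been evicted, so the replay is
    accepted (the mitigation fails); with capacity >= 4 it is rejected.
    """
    stream = [make_message(t, b"x") for t in (1, 2, 3, 4)]
    stream.append(make_message(1, b"x replayed"))
    return process_stream(stream, capacity)


if __name__ == "__main__":
    print(demo_duplicate_rejected())   # [True, False, True]
    print(demo_eviction_window(3))     # [True, True, True, True, True]
    print(demo_eviction_window(4))     # [True, True, True, True, False]
```

The cache keys on a hash of the wrapped key rather than the raw blob only to keep memory bounded; the security property comes from the RSA-OAEP blob being non-malleable, so any message that reuses it is either a benign resend or a tampered body, and both are safe to drop.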
Related: A different iOS flaw was reported last week. Called AceDeceiver, it is a Trojan that allows an attacker to install malicious software onto an iOS device, bypassing Apple’s DRM protections.