Less than a week later Apple’s iMessage service was hit with an outage that prevented people from sensing messages to each other using the service. Now this led us to look at the system in a different light. If Apple’s servers are being used to broker the connections or as a directory service then there is a way to compromise the messaging system at its root and potentially capture conversations as they are initiated.
Now researchers have shown that it is indeed possible to hack into Apple’s allegedly secure iMessage system and not only capture messages, but also to modify them en route without the sender or the recipient knowing anything happened. The new revelation was announced a few days ago at a Hack-in-the-Box event. Qarkslab gave a talk about the security in the iMessage system and while they did acknowledge that there is end-to-end encryption once the conversation is started there are flaws in the key control for that encryption. Cyril Cattiaux stated: “The weakness is in the key infrastructure as it is controlled by Apple they can change a key any time they want, thus read the content of our iMessages”
Apple’s rebuttal to this claim is that they have no intention of changing the key and that the data presented is al theoretical. The problem with this statement is that Apple has also admitted that they release information as required by law. If they receive a National Security Letter or other directive from the government would they change the keys to ensure conversation capture? There is also the matter of conversation metadata, remember Apple maintains the brokers for their messaging service and they will have that metadata available for someone to take a look at if needed. Remember Apple was one of the companies that was accused of direct cooperation with the NSA in the leaked PRISM slides a “flaw” like the one described by Quarkslab, might not be so theoretical after all.
However, there is more wrong with iMessage than weak key control. Quarkslab also found that they were able to execute a very disturbing man-in-the-middle attack on iPhones using a faked certificate. As of iOS7 there is nothing that prevents a self-signed or faked certificate from being inserted into a phone. Once this is done someone can use a built-in iPhone utility to proxy the communication to through their own servers to monitor information and also to skim user credentials. If someone gets those they have access to a user’s iCloud account and can pull backups of your data down and restore them to another device.
Some are countering that the flaw uncovered by Quarkslab is massively complex and would require a high level of technical expertise. However, after asking around we found that the skills needed execute the man-in-the-middle attack on iMessage would not be that complicated and certainly not outside the realm of most of the malicious organizations currently in operation or many other independent hackers out there. It is certainly not outside the realm of the NSA to pull any of these hacks off and that is very concerning.
In the end you have to decide if you feel Apple has been honest with their claims that iMessage is secure and that they have no way to read your messages. From the evidence presented by Quarkslab we would have to say that they have not been exactly honest about the security and the capabilities of their iMessage service or the extent of their cooperation with law enforcement.
Tell us what you think in our Forum