Slashdot Mirror


Serious Flaws In iMessage Crypto Allow For Message Decryption (onthewire.io)

Reader Trailrunner7 writes: New research from a team at Johns Hopkins University shows that there are serious problems with the way Apple implemented encryption on its iMessage system, leaving it open to retrospective decryption attacks that can reveal the contents of all of a victim's past iMessage texts. The iMessage system, like much of what Apple does, is opaque and its inner workings have not been made available to outsiders. One of the key things that is known about the system is that messages are encrypted from end to end and Apple has said that it does not have the ability to decrypt users' messages. The researchers at JHU, led by Matthew Green, a professor of computer science at the school, reverse engineered the iMessage protocol and discovered that Apple made some mistakes in its encryption implementation that could allow an attacker who has access to encrypted messages to decrypt them. The team discovered that Apple doesn't rotate encryption keys at regular intervals (most encryption protocols such as OTR and Signal do). This means that the same attack can be used on iMessage historical data, which is often backed up inside iCloud. Apple was notified of the issue as early as November 2015 and it rolled out a patch for the iMessage protocol in iOS 9.3 and OS X 10.11.4.

43 comments

  1. G- by Anonymous Coward · · Score: 0

    Force or String?

    1. Re:G- by XXongo · · Score: 1

      G-whiz.

    2. Re:G- by Anonymous Coward · · Score: 0

      Spot.

  2. these aren't "flaws" by Anonymous Coward · · Score: 0

    dammit.

    Sincerely,
    Your friendly neighborhood (illegally spying domestically) government spooks.

  3. So, if Apple "rolled out a patch" for this ... by DaveyJJ · · Score: 4, Insightful

    Shouldn't the headline more accurately read "Serious Flaws In iMessage Crypto Used To Allow For Message Decryption, But Don't Anymore"? Or am I missing something?

    --
    DaveyJJ
    1. Re:So, if Apple "rolled out a patch" for this ... by Anonymous Coward · · Score: 0

      TFA doesn't say that the patch issued by Apple resolves the problem. It may have patched something else.

    2. Re:So, if Apple "rolled out a patch" for this ... by Anonymous Coward · · Score: 2, Insightful

      TFA is written by someone who has not read the research. Apple addressed the problem.

    3. Re:So, if Apple "rolled out a patch" for this ... by Anonymous Coward · · Score: 0

      I was thinking the same thing

    4. Re:So, if Apple "rolled out a patch" for this ... by Anonymous Coward · · Score: 1

      From the article:

      Apple has been aware of the vulnerabilities in iMessage since November, when the JHU researchers reported them privately. The company has fixed the issues in recent iOS releases.

      So yes, you're right: "Apple patches serious flaws in iMessage crypto" would have made a better headline, but, you know, it's Slashdot. If it's not a click-baity headline chock full of Slashtard trigger words, nobody would comment. Or even read TFS.

      What's even better is that this news is LITERALLY 5 months old - OS X 10.11.4, which contained this fix (https://support.apple.com/en-us/HT206167), was released on March 21, 2016. The summary and the article make it sound like Apple's been sitting on this stuff for a year. In actuality, rolling out the security patch took them about 4 months, start to finish. Not the 9 months TFA and TFS imply.

      And in related news - my comment is more informative than both Slashdot and "OnTheWire" were able to be. As a software engineer, I have zero qualifications or training to be a reporter. Yet I managed to provide more factual information in this discussion than the "reporters" did with their "reporting." At what point did we stop expecting even rudimentary fact checking and accuracy in our "News"?

    5. Re:So, if Apple "rolled out a patch" for this ... by Anonymous Coward · · Score: 0

      From the article:

      "The company has fixed the issues in recent iOS releases. One of the problems the researchers found is that older versions of iOS (pre-iOS 9) don’t enforce certificate pinning, opening those devices up to man-in-the-middle attacks."

      So it's an issue for 14% of users on iOS 9 and below. Moral: keep your software up to date, folks!

    6. Re:So, if Apple "rolled out a patch" for this ... by saloomy · · Score: 1

      I admit, I didn't click on your link to the fix documentation, so I'm not sure what Apple said about the bug when it was patched. Usually the patch needs to be out in the wild for a little while before disclosing it, so the majority of users are protected before hackers get a chance to exploit it. Therefore it may have been 4 months from notice to Apple, to patch from Apple, which is great. It may have also been a few more months between patch release and disclosure, so > 50% of users are already immune.

      Even if that's not how it went down, that's the right way to do it.

    7. Re:So, if Apple "rolled out a patch" for this ... by mhotchin · · Score: 1

      Looks like old messages can still be decrypted. So, I guess the answer is yes/no depending on what messages you want to look at.

    8. Re:So, if Apple "rolled out a patch" for this ... by bloodhawk · · Score: 1

      As the historical data is still sitting there I would think there is a whole raft of data still vulnerable, so while it may not affect new messages it means everything done previously is still potentially exposed, or did they decrypt it all and reencrypt it?

    9. Re:So, if Apple "rolled out a patch" for this ... by 93+Escort+Wagon · · Score: 1

      If it's not a click-baity headline chock full of Slashtard trigger words, nobody would comment.

      Johns Hopkins researchers told Apple about a serious security problem... and you won't believe what happened next!

      Number six will blow your mind!

      --
      #DeleteChrome
    10. Re:So, if Apple "rolled out a patch" for this ... by AmiMoJo · · Score: 1

      It's only fixed on devices running iOS 9.3 and OS X 10.11.4. Anything too old or that didn't upgrade for other reasons like performance is still vulnerable. I doubt that the client warns you that you are chatting to a known insecure peer either.

      This is the problem with building apps into your OS. It's much better to have them update asynchronously, and degrade gracefully to older API versions or at least pop up warnings/refuse to run with older versions.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    11. Re:So, if Apple "rolled out a patch" for this ... by thejuggler · · Score: 1

      From the article:

      Apple has been aware of the vulnerabilities in iMessage since November, when the JHU researchers reported them privately. The company has fixed the issues in recent iOS releases.

      So yes, you're right: "Apple patches serious flaws in iMessage crypto" would have made a better headline, but, you know, it's Slashdot. If it's not a click-baity headline chock full of Slashtard trigger words, nobody would comment. Or even read TFS.

      What's even better is that this news is LITERALLY 5 months old - OS X 10.11.4, which contained this fix (https://support.apple.com/en-us/HT206167), was released on March 21, 2016. The summary and the article make it sound like Apple's been sitting on this stuff for a year. In actuality, rolling out the security patch took them about 4 months, start to finish. Not the 9 months TFA and TFS imply.

      And in related news - my comment is more informative than both Slashdot and "OnTheWire" were able to be. As a software engineer, I have zero qualifications or training to be a reporter. Yet I managed to provide more factual information in this discussion than the "reporters" did with their "reporting." At what point did we stop expecting even rudimentary fact checking and accuracy in our "News"?

      There aren't any standards left in journalism these days. The "News" is scripted entertainment. Facts are sometimes reported when they fit into the script.

    12. Re:So, if Apple "rolled out a patch" for this ... by Anonymous Coward · · Score: 0

      I agree -- but if you look at the wording of the articles, "Apple was notified AS EARLY AS November 2015," but they don't make any note of the actual date it was patched, just the version numbers where they rolled the patch out. The entire thing is a hysterical tempest in a teacup. The article might as well read, "Security researchers notify Apple of bug in responsible fashion; Apple puts out a fix in their next point update 4 months later."

      The article is thin on details, and basically just says "ERMAGHERD, APPLE BUGZ!!!" And says nothing about how quickly, or when, they were fixed, which is stupid, click-baity behavior.

    13. Re:So, if Apple "rolled out a patch" for this ... by allo · · Score: 1

      Because not everybody installed it, yet?

  4. Forward Security by thaneross · · Score: 2

    I'm quite surprised the iMessage team would go to the effort of implementing end-to-end encryption without being familiar with the basics like perfect forward secrecy.

    1. Re:Forward Security by mattwarden · · Score: 1

      End to end encryption is part of a marketing strategy. They aren't out to protect your privacy for some personal mission. They're selling iPhones, and this feature helped sell iPhones. It took this long for anyone to see this shortcut, and I'm sure there are others, which is why iMessage is opaque.

      That said, it reminds me of the password manager debate. Strictly speaking, it's insane to put all your passwords in one place and secure it with one master password. But in practice it actually increases security for most people who would otherwise use "password" for their password on every site on the interwebs. Even though iMessage is not 100%, its ease of use and integrated nature leads to higher security/privacy for most people. For a use case that relies heavily on a network of people who all have a given encryption app installed for YOU to be able to send them encrypted messages, the fact that "normal" people will use iMessage is actually a big deal.

    2. Re: Forward Security by Anonymous Coward · · Score: 0

      Whether encryption is done altruistically or to sell stuff, wouldn't it either way make sense to get it right? In fact knowing it's a marketing feature would add greater emphasis. Take off your tinfoil hat. Mistakes happen in the absence of conspiracies or supposed sinister motives.

    3. Re: Forward Security by mattwarden · · Score: 1

      Tinfoil hat? Resources are always limited. Software dev teams always make trade offs. This one is completely justifiable. No conspiracy required.

    4. Re: Forward Security by allo · · Score: 0

      It's called security theater. You need to entertain your audience in the show, not to tell the truth.
      So you need to have End-to-End encryption to have a marketing keyword, but you do not need to have a secure implementation for marketing, because very few people will notice and the non-nerds won't care at all, even when they were impressed by the keyword when buying the stuff.

  5. No offense moderators by Anonymous Coward · · Score: 0

    No offense moderators, but this was submitted over the weekend, and was red and orange all the time. The other article was better explained, not like this 6-paragraph story with a misleading headline. https://slashdot.org/submission/6211741/cryptography-experts-say-apple-needs-to-replace-imessage-encryption
    Nice work moderating /.

  6. this by Anonymous Coward · · Score: 0

    "like much of what Apple does, is opaque and its inner workings have not been made available to outsiders"

    I always found my coding to be more secure when my door is locked.

  7. Not a mistake? by slowdeath · · Score: 2

    Maybe it is not a 'mistake' but rather an obfuscated backdoor?

    1. Re: Not a mistake? by Anonymous Coward · · Score: 0

      Good point. As soon as you share your evidence, we can begin determining whether it's the NSA, Jews, Soviets, or moon Nazis behind this back door.

  8. They need to hide their backdoors better by Anonymous Coward · · Score: 0

    This is embarrassing.

  9. And? by Dan+East · · Score: 2

    So if I understand this correctly, this simply means that *if* an attacker can brute-force a key and decrypt messages between two individuals, then they can also go back and decrypt past messages further back than the author of this article thinks they should be able to? If that's the case, then if an entity has the processing power and skill to brute force the key in the first place, the fact that they have to be bothered to do it again X number of times isn't exactly reassuring. If they want to access your messages bad enough to spend the computational resources and they can brute force them at all, having to do it several more times to access historical data is pretty trivial.

    --
    Better known as 318230.
    1. Re:And? by Anonymous Coward · · Score: 0

      Yes, but you assume they got one key through bruteforcing. I think it would be more likely that they were able to obtain a key by some side-channel attack. Or that someone back-doored the device and captured the current key that way. Of course, with the backdoor the hacker will always be able to see all new messages, but most people wouldn't expect them to be able to decrypt old messages as well.
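
Added example, not part of the comment thread: a minimal Python sketch of the difference between a long-lived key and a rotating (ratcheted) key when the current key is captured after the fact. It is a simplified symmetric hash ratchet with a toy XOR cipher and constructed messages; it is not the iMessage, OTR or Signal protocol, and all names in it are hypothetical.

```python
import hashlib
import hmac


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step: HMAC-SHA256(key, label)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher (HMAC in counter mode). Illustration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = kdf(key, nonce + off.to_bytes(8, "big"))
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


class StaticKeySender:
    """Every message is protected by the same long-lived key."""
    def __init__(self, key: bytes):
        self.key, self.count = key, 0

    def send(self, msg: bytes):
        nonce = self.count.to_bytes(8, "big")
        self.count += 1
        return nonce, toy_cipher(self.key, nonce, msg)


class RatchetSender:
    """Each message gets a fresh key; the chain key is replaced after use."""
    def __init__(self, key: bytes):
        self.chain, self.count = key, 0

    def send(self, msg: bytes):
        nonce = self.count.to_bytes(8, "big")
        self.count += 1
        msg_key = kdf(self.chain, b"message")
        self.chain = kdf(self.chain, b"chain")  # previous chain key is gone
        return nonce, toy_cipher(msg_key, nonce, msg)


def compromise_demo():
    """Return (messages, recovered_static, recovered_ratchet) after key theft."""
    secret = hashlib.sha256(b"constructed demo secret").digest()
    msgs = [b"constructed message 1", b"constructed message 2",
            b"constructed message 3"]
    static, ratchet = StaticKeySender(secret), RatchetSender(secret)
    static_log = [static.send(m) for m in msgs]    # stored ciphertexts
    ratchet_log = [ratchet.send(m) for m in msgs]
    # Device state is captured only now, after all three messages were sent.
    from_static = [toy_cipher(static.key, n, c) for n, c in static_log]
    stolen_msg_key = kdf(ratchet.chain, b"message")  # only future keys derivable
    from_ratchet = [toy_cipher(stolen_msg_key, n, c) for n, c in ratchet_log]
    return msgs, from_static, from_ratchet
```

The captured static key opens every stored ciphertext, while the captured ratchet state opens none of the earlier ones. The ratchet state still derives the keys for messages sent after the capture, so rotation limits exposure of history, not of future traffic on a compromised device.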

    2. Re:And? by Anonymous Coward · · Score: 0

      No.

      The paper explains how to get a decrypt for a message with an attachment, so long as you've got a copy of the _encrypted_ message and at least one _recipient_ is online, connected to the Internet.

      Basically you send their iPhone a lot of broken messages with iMessage. The messages are broken so it _silently discards them_ but if you guessed something it connects to a server _you control_ and thus feeds you one bit of information, that one of your guesses was correct. You can use this to guess hundreds of bits of the long-lived key and then brute force the rest with cheap cloud computing to decrypt any messages.

      Apple bodged this by making the iMessage system spot when you try this and stop delivering your broken messages to the iPhone. That's all they've done. All the underlying problems remain unfixed, but, you know, hooray, more Apple security.

      One of the many unfixed problems is that if you did this before Apple "fixed" it, you can decrypt all messages ever delivered to that iPhone. But mostly the paper says iMessage is garbage and Apple should throw it away and use something that's been reviewed by people who know what the fuck they're doing. Did you see "iMessage going away" announced by Apple? No, because they've correctly gambled their users are happy not knowing it's garbage.

    3. Re:And? by AmiMoJo · · Score: 1

      They also found a known ciphertext attack that reduces the effort needed to brute force messages to something manageable on a desktop PC. If they can take your device off you they can execute the attack and decrypt all the previous messages.

      It's more of a state sponsored oppression thing where someone like the NSA or GCHQ would do it, but it's still a vulnerability and something worth fixing.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  10. PRESUME IT'S A LIE (FBI) (FBI) (FBI) [singing] by Anonymous Coward · · Score: 0

    Maybe if THE FBI could have got into the San Bernardino iPhone this would not be a problem?

    What is next? Maybe Windows Anniversary 10 has a bitlocker update to protect your data from Russians?

  11. Backwards compatibility... by tlhIngan · · Score: 2

    So how many of those iMessage flaws are because they need to allow for backwards compatibility between newer and older devices? And how many can they fix before they start breaking older devices?

    (I'm sure the moment they do, everyone will cry out for iPhone 4 (circa 2010) users who can no longer use iMessage that Apple is forcing them to upgrade their phones. Or whatever the oldest phone that can run iMessage is. Then the class action lawsuits get filed...).

    1. Re:Backwards compatibility... by Anonymous Coward · · Score: 0

      (I'm sure the moment they do, everyone will cry out for iPhone 4 (circa 2010) users who can no longer use iMessage that Apple is forcing them to upgrade their phones. Or whatever the oldest phone that can run iMessage is. Then the class action lawsuits get filed...).

      4S user here (it ain't quite broke yet).

      I don't give a rat's rear if someone wants to decrypt my messages. If I wanted them to be secure, I wouldn't have sent them out over the internet in the first place. I will be annoyed if I have to buy a new phone to support some bogus privacy theatre revival.

      But, such is life.

    2. Re:Backwards compatibility... by bloodhawk · · Score: 1

      A better question is how many of those flaws are intentional as backdoors!

    3. Re:Backwards compatibility... by Anonymous Coward · · Score: 0

      Obviously, it's about a similar amount as the intentional flaws in the Linux source code.

  12. Re:iDontCare by Anonymous Coward · · Score: 0

    Most self-respect commenters would proof-read their comments for idiotic typos and bad grammar anyway.

    --
    Sent from my iPhone

  13. Hmmm... by drew_92123 · · Score: 1

    Y'all better let your drug dealers... errr... I mean "unlicensed pharmacists" know about this as soon as possible.... ;-)

  14. Not perfect but not "serious" by seoras · · Score: 2

    Read the paper.
    https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_garman.pdf

    Quote "Overall, our determination is that while iMessage’s end-to-end encryption protocol is an improvement over systems that use encryption on network traffic only (e.g., Google Hangouts), messages sent through iMessage may not be secure against sophisticated adversaries."

    The attacker requires stolen TLS certificates or access to Apple's servers.
    Serious? No. All systems are flawed in some way and are breakable to that extent.
