

Can Apple read your iMessages? - moyix
http://blog.cryptographyengineering.com/2013/06/can-apple-read-your-imessages.html

======
StavrosK
Why is everyone so critical? I'm far from an Apple fanboy, having opted to
never buy one of their products again, but they deserve _major_ props here.
They have the constraint of "the system must be easy to use" and, from what I
can tell, did pretty much as much as they could to add strong crypto to the
mix _at no benefit to themselves_.

Apple could have just gone "fuck it, let's store it in plaintext, since it's
never going to be good enough anyway", but adding strong, transparent
encryption to one of the most-used messaging services in existence right now
is a very good thing, in my book.

Sure, the transparency introduces some flaws, but Apple has protected itself
by a whole slew of passive attacks, which, to my knowledge, is the kind of
attack that the mass surveillance state uses, and what a _large_ messaging
service is most at risk of.

Getting a warrant and saying "hey, we have a warrant for X, can we look at
their communications", and then having Apple MITM that person is much, much
more preferable to me than having a government say "we need _all_ your data"
and then the provider just handing the data over, since it's all in plaintext.

As it stands, Apple has pretty much disabled large-scale surveillance of
iMessage accounts, which is what PRISM and all the furore is about, and people
_still_ shit on them?

Can we have some perspective please? If we lambaste any provider who takes
steps to safeguard our privacy (again, at no benefit to them, since most
people who use iMessage don't even _know what encryption is_ ), then what do
you think the next service to have the choice in a product will say? "Hmm, I
could either store everything in plaintext and have governments strong-arm me
into sharing it with them (which I couldn't really care less about), I could
build really strong encryption into it and make it an unusable mess for no
added benefit to me, or I could build as much encryption into it as doesn't
impact usability, again for no benefit to me, and get shat on for not
providing option #2. Gee, how can I ever decide?"

If you want strong privacy/security, use Silent Circle (disclosure I work for
them etc). If you care about your day-to-day privacy and want to talk to
people you know, you could do _much_ worse than iMessage.

~~~
andor
_Apple could have just gone "fuck it, let's store it in plaintext, since it's
never going to be good enough anyway", but adding strong, transparent
encryption to one of the most-used messaging services in existence right now
is a very good thing, in my book._

That's the point of the article: the messages stored on iCloud _aren't_
encrypted. The claim that iMessage uses end-to-end encryption is worthless.

~~~
embolism
I'd like to see a more comprehensive test to prove that the messages are part
of the backup. Since you have to sign in to iMessage, it's possible that these
are being retrieved from the iMessage server in an encrypted form - "I
restored an iPhone and saw old messages" is _not_ proof that they are stored
in plaintext.

_Also..._ it's important to note that the iMessage client only retains about a
day's worth of messages on the device. Earlier messages can be obtained via a
"load earlier messages" button. This means that Apple _does_ store the message
history on the iMessage servers, and there _is_ a way for the client to
retrieve them in batches while the contents are not accessible to Apple.

It seems extremely likely that this 'iCloud Backup' vulnerability is a red
herring. The messages are not stored in the regular backup but are fetched
encrypted by the client when you sign in.

~~~
dvanduzer
That's not what's happening with the "load earlier messages" button at all.
The long term iMessages history is stored in an unencrypted sqlite database on
the phone (which is included, unencrypted, in local iTunes backups).

~~~
r00fus
Local backups can be encrypted (mine are). Also it's not necessary to use
cloud backups (I don't).

Therefore, my iMessage history is secure (I fully understand that my message
recipients may expose my individual messages, but my copy is safe).

~~~
dvanduzer
The fact that it is possible to perform encryption on the entire backup file
does not change the fact that many people are (wrongly) speculating about
things which are easily verifiable.

------
pilif
In general, I totally agree with the article, however, there is one thing:

> _From what I can tell, the iMessage app gives the sender no indication of
> how many keys have been associated with a given iMessage recipient, nor does
> it warn them if the recipient suddenly develops new keys._

iMessage does warn you on all devices when a new device gets added to the
account. Of course that's during normal operations. Unless somebody
reverse-engineers one of the apps, we can't know whether the protocol has a
provision for "please add this key but don't warn the user".

That's the thing with crypto in closed source software: it's completely
useless because you have to trust the software vendor not to put any backdoors
in.

And, unfortunately, for the past two weeks the only thing we can trust is that
the vendor actually DID add a backdoor.

~~~
mrmaddog
The problem here is that you need to know the _other_ person's encryption key.
Since I'm not warned whenever you get a new device, I have no idea how many
keys are assigned to you. Hence, the key distribution problem still remains.

~~~
pilif
Oh I agree with you. The public key directory thing breaks the whole system.
No question there. I totally agree with the original article.

I just wanted to highlight the fact that devices DO inform the user when a new
key gets added. So if the directory didn't serve fake public keys and if the
devices didn't have code to not warn if certain keys were added, then you
would have the guarantee to only talk to me.

Sure: I could add more devices, but I have the full control over them, so it
doesn't matter to you how many devices your client encrypts the message for
because I have the full control over what devices I authorize or not.

That of course would be the perfect world, when in fact, Apple probably adds
surveillance keys to the directory server and doesn't warn the user as such
keys are added.

Don't use iMessages for anything you would not want Apple or the NSA or any
other law enforcement agency to read.

But then again, don't use any of email (envelope in the clear), SMS (your
carrier can read it), any other IM service (same issue as iMessage), snail
mail (can be read by the post office and anybody opening your letter box when
you aren't there).

~~~
sneak
> I just wanted to highlight the fact that devices DO inform the user when a
> new key gets added.

This is totally false. When you are sending iMessages to someone, you get no
UI indication at all when they buy new devices and add them to their Apple ID.

You are confusing it with adding devices to your own account.

We're talking about RECIPIENT keys.
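The point pilif and sneak are arguing over is whether a sender can notice when a recipient's key set changes. Here is an added example (not code from the thread, and not Apple's) of a sender-side trust-on-first-use pin store that records the fingerprints a key directory returns for a recipient and flags any later addition or removal; the keys and directory responses are constructed placeholders.

```python
"""Sender-side pin store for a recipient's device keys (added example).

Not code from the thread or from Apple. A sender encrypting to every key a
directory lists for a recipient cannot tell a new device from an inserted key
unless it remembers what it saw before. All keys below are constructed.
"""
from __future__ import annotations

import hashlib


def fingerprint(pubkey: bytes) -> str:
    """Short, human-comparable digest of a public key (16 hex chars of SHA-256)."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


class PinStore:
    """Trust-on-first-use record of the key fingerprints seen per recipient."""

    def __init__(self) -> None:
        self._pins: dict[str, set[str]] = {}

    def check(self, recipient: str, directory_keys: list[bytes]) -> dict:
        """Compare the directory's current key set against the pinned one.

        Returns a status plus the fingerprints added and removed so the UI can
        ask the user to verify a new fingerprint out of band before anything
        is encrypted to it. Existing pins are left untouched.
        """
        current = {fingerprint(k) for k in directory_keys}
        known = self._pins.get(recipient)
        if known is None:  # first contact: record what we saw
            self._pins[recipient] = current
            return {"status": "first_use", "added": sorted(current), "removed": []}
        added, removed = current - known, known - current
        if added or removed:
            return {"status": "changed", "added": sorted(added), "removed": sorted(removed)}
        return {"status": "unchanged", "added": [], "removed": []}

    def accept(self, recipient: str, directory_keys: list[bytes]) -> None:
        """Pin the current key set once the user has verified it."""
        self._pins[recipient] = {fingerprint(k) for k in directory_keys}


# Constructed directory responses: the recipient's two devices, then the same
# two plus a third key that appears without the recipient adding a device.
ALICE_DEVICES = [b"alice-phone-pubkey", b"alice-tablet-pubkey"]
ALICE_WITH_EXTRA = ALICE_DEVICES + [b"unexplained-third-pubkey"]


def simulate() -> list[dict]:
    """Run three lookups for one recipient and return each check result."""
    store = PinStore()
    return [store.check("alice", ALICE_DEVICES),
            store.check("alice", ALICE_DEVICES),
            store.check("alice", ALICE_WITH_EXTRA)]


if __name__ == "__main__":
    print([r["status"] for r in simulate()])  # ['first_use', 'unchanged', 'changed']
```

The third lookup returns the fingerprint of the unexpected key, which is what a client would surface to the user instead of silently encrypting to it.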

~~~
msh
I would not want the sender of messages to me to be notified about my devices.

~~~
sneak
Well, they are now—if they MITM their connection to the APNS. Messages they
send get encrypted to all the devices associated with your iMessage account.

The data's available to them from Apple, though there is no UI for it.

------
anologwintermut
To anyone who thinks this is just a theoretical problem: It's worth noting
that law enforcement complained about both Skype and Hushmail being impossible
to tap before tapping both. It seems vanishingly unlikely they either haven't
figured out a way to get Apple to help them or will at some point. This just
confirms it.

Also, for what it's worth, at least one of the iMessage handshake headers
mentions Fairplay. Which makes me suspect the system was done by Apple's DRM
team. Given that DRM is typically an exercise in obfuscation more than actual
crypto, this does not bode well.

------
nwh
There's lots of other things to worry about in the iCloud ecosystem anyway.
The iCloud backups that devices make aren't encrypted or protected at all by
Apple's two factor authentication. Apple can pick and export these at will.
Alternately, plug in somebody's email and phished password, and you've got the
entire history of their iMessage conversations in plain text, along with a
complete copy of all their devices.

I'm much more worried about that happening than an evil-Apple scenario. I
doubt many people have strong AppleID passwords, or particularly unique ones
either. Heck, I know people that share accounts to avoid paying for apps.

------
parasubvert
iMessage uses the Apple Push Notification Service. This is like a secured
email relay server where the sender & receiver IDs are ephemeral tokens. If
you trust the CA & certificate chain, then it's reasonably confidential. The
question is where you keep your historical messages - on your device, or on
their cloud.

The long & short of it is that Apple can't get at your iMessage contents or
history if you don't use iCloud backups and don't subscribe to Apple's desktop
password recovery service (duh).

Apple's iOS Security Whitepaper adds some light:
[https://www.apple.com/ipad/business/docs/iOS_Security_Oct12....](https://www.apple.com/ipad/business/docs/iOS_Security_Oct12.pdf)

In short,

(a) iMessage is end-to-end encrypted. There is metadata about who is messaging
whom because it is distributed through the Apple Push Notification Service.
This identifying metadata consists of ephemeral tokens generated by the
sending server and the receiving device. And there is a small amount of
encrypted message history kept for the PNS to resolve pending messages to all
subscribing devices.

(b) Some iOS Backup files are not accessible by anything but the original
device because they are encrypted by a combination of the device UID and your
key. Mail for example. No one can get at them other than someone with 1. your
password and 2. your device.

(c) iMessage files aren't protected like this since you CAN restore them
across devices. But this is by design -- only way for iMessage history to be
retained is through a backup.

(d) There are two backup approaches: iTunes (on your PC/Mac), which encrypts
via a password, or iCloud.

(e) With iCloud, Apple could get at your backups because they could reset your
password.

(f) _Therefore_ , make a determination as to what is more secure: your
PC/Mac's password, or your iCloud password (and Apple's willpower not to reset
it at the request of the NSA). Back up your iOS (and thus iMessages) devices
there. Or don't backup at all, and no one will see any history.

(edits: for clarity)

~~~
mannkind
... actual details (vs wild speculation).

Thank you!

------
tlrobinson
And don't forget Apple can decrypt iPhones at the request of law enforcement:
[http://news.cnet.com/8301-13578_3-57583843-38/apple-deluged-...](http://news.cnet.com/8301-13578_3-57583843-38/apple-deluged-by-police-demands-to-decrypt-iphones/)

~~~
nwh
They can sign their own alternate ramdisks, and the default PIN is only 4
digits, so that's not surprising really. It's been possible to load similar
forensic software on A4 devices by anybody for years now.

~~~
quackerhacker
I hope for security's sake that the users on here do _not_ use 4 digit pins...or at
least have the wipe feature enabled after _x_ failed attempts.

~~~
nwh
The wipe after 10 attempts is moot anyway; we are talking about Apple loading
new software into a ramdisk and brute forcing it. I've personally done this at
an owner's request.

~~~
rdl
Presumably not on a post-iPad2/iPhone4S, or without access to a previously
paired computer, right?

~~~
nwh
A normal user could do it on any device with the A4 chip or prior, vulnerable
to the limera1n exploit. Apple could do it with any device, as they own the
signing keys for the bootloader.

There are even pre-built forensic ramdisks if you'd like to have a play around —
[https://code.google.com/p/iphone-dataprotection/](https://code.google.com/p/iphone-dataprotection/)

I'm willing to bet that there's at least one private bootrom exploit; one of
the jailbreak developers has hinted that he has found one.

------
fpgeek
To me, the specific and carefully explained experiment is the big contribution
here.

In other comment threads I'd heard the opposite: that when new iOS devices
were activated, they didn't get access to past iMessage threads, just future
ones. Perhaps that's because there's a "new device" activation flow and a
special "replacement device" one. But that doesn't matter. Your iMessages are
only as secure as the weakest link. OP has found a pretty weak one here.

~~~
rainforest
Doesn't the experiment just show that Apple is storing the iMessages in some
form that they can decrypt? The article mentions iCloud backup - it's possible
iCloud takes a copy of decrypted messages first. This might be feasible given
it has to back up SMS messages too.

Perhaps a better experiment would be to see if messages are readable after a
restore (with and without password changes) if the device isn't backed up to
iCloud.

------
mannkind
It's a shame iCloud backups aren't encrypted, but the only information that
seems newsworthy is the fact that it takes _so little_ to reset an AppleID
password. Although I suppose if the intruder knows the AppleID and last-four
of my CC, then they probably know my name and birthday as well. :/

The rest of it though... iMessage is not perfect, but it's better than most
alternatives.

* Plaintext logs of iMessages (iOS or OS X) allow you to view past messages. Duh. So do plaintext logs of OTR chats via Adium or Pidgin.

* You don't generate your own key nor verify the keys of others; you rely on a third party to do it. The effect is that the system is _actually used_ by normals unlike, sadly, GPG or OTR. Heck, even many of the technical people I know give up on GPG and OTR because they're just too much work. The point is the messages are encrypted in transit and cannot be read by just anyone ... in contrast to SMS and typical instant messaging.

~~~
parasubvert
iCloud backups are encrypted. Not all iOS _files_ are encrypted with a
device-UID-wrapped key, however. See the iOS Security Whitepaper:
[https://www.apple.com/ipad/business/docs/iOS_Security_Oct12....](https://www.apple.com/ipad/business/docs/iOS_Security_Oct12.pdf)

In short, Apple can't read your email backups, and neither can anyone
attempting to restore your device from iCloud (they would need your email
passwords). iMessage doesn't have the same protection.

~~~
mannkind
Thank you for the clarification!

------
quackerhacker
It's GREAT to know that your test shows the vulnerability in the iCloud backup
of iMessages.

Not that I believe every article that I read (I always speculate sources and
bias journalism), but here is an article "pre-PRISM," that states the FBI's
stance with iMessage: [http://news.cnet.com/8301-13578_3-57577887-38/apples-imessag...](http://news.cnet.com/8301-13578_3-57577887-38/apples-imessage-encryption-trips-up-feds-surveillance/)

~~~
lawnchair_larry
This only says that their SMS tap at the carrier won't have visibility into
messages sent over iMessage.

Even without iCloud backup, Apple, or anyone they add keys for on your
account, can decrypt iMessages.

~~~
_djo_
Apple's claim is specifically that they don't store those keys.

------
chrsstrm
On OS X - /Users/[user]/Library/Messages/Archive

Your whole chat history is right there, readable in TextEdit.

~~~
jrmg
You could encrypt your entire disk with File Vault.

------
jopt
The second option (MITM through access to the public key server) is not
comparable to the first. Targets would have to be singled out and surveilled
in advance of the messages, which actually lends itself pretty well to the
sort of due process surveillance that law enforcement is generally trusted
with.

It's not unthinkable that the NSA could access iCloud backups (with some sort
of FISA rubber stamp). Access to everyone's backups is much more conducive to
dystopian mass surveillance than the key server's tradeoff of vulnerability to
MITM.

The OP's first point is a lot stronger than the second. Distributed backups are
probably bad from a privacy/security perspective. That seems like the better
point to make, provided we understand that iMessage is not a guarantee of
complete safety from any surveillance.

~~~
StavrosK
How do we even know that the backups aren't encrypted? For all I know, the
author had a second iDevice and it shared the key with the first one when the
latter came online. That way, the key never leaves your devices, but you can
still sync your messages.

Is there a way to access the messages on iCloud itself (i.e. the web
interface)? That would be much stronger evidence that Apple can read it.

------
danso
> _The sad thing is there's really no crypto to understand here. The simple
> and obvious point is this: if I could do this experiment, then someone at
> Apple could have done it too. Possibly at the request of law enforcement.
> All they need are your iForgot security questions, something that Apple
> almost certainly does keep._

It's an interesting meta-question about why Apple's claim was taken at face
value. Not just by the public but by Apple's many scoffing critics? The Mat
Honan incident should have been a clear sign that Apple's security mindset had
a gaping hole:

[http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-hona...](http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/)

> _Apple tech support confirmed to me twice over the weekend that all you need
> to access someone's AppleID is the associated email address, a credit card
> number, the billing address, and the last four digits of a credit card on
> file. I was very clear about this. During my second tech support call to
> AppleCare, the representative confirmed this to me. "That's really all you
> have to have to verify something with us," he said._

That's a pretty grievous oversight. Why should Apple get the benefit of the
doubt that they've solved the holy grail of security...that is, having lockbox
security without impact to user convenience? In the above-cited case of
AppleID access, they hadn't overcome that tradeoff and appear to have erred on
the side of user convenience, at the cost of security.

~~~
smackfu
They have introduced two-factor for password resets since then, which everyone
should enable.

------
kamjam
Interesting, arstechnica has almost the exact same article, even the encrypted
message image is the same!

[http://arstechnica.com/security/2013/06/can-apple-read-your-...](http://arstechnica.com/security/2013/06/can-apple-read-your-imessages-ars-deciphers-end-to-end-crypto-claims/)

------
fortepianissimo
So, can we say Apple is lying by saying "Apple cannot decrypt that data
(iMessages)"? Is there a creative way of reading their press release that
doesn't entail their dishonesty?

------
josteink
Of course they can. Saying anything else is just corporate double-speak and
should earn them nothing but further distrust.

------
fortepianissimo
Why can't Apple adopt something like OTR to eliminate the need of centralized
key distribution?

~~~
fortepianissimo
On a second reading the author did include this footnote:

"In practice it's not clear if Apple devices encrypt to this key directly or
if they engage in an OTR-like key exchange protocol. What is clear is that
iMessage does not include a 'key fingerprint' or any means for users to verify
key authenticity, which means fundamentally you have to trust Apple to
guarantee the authenticity of your keys. Moreover iMessage allows you to send
messages to offline users. It's not clear how this would work with OTR."

So I guess the need to send messages to offline users ruled out the use of
OTR.

------
dschiptsov
On the server side, of course. My bet is that messages are indexed for
efficient querying.

------
kimlelly
Just get your buddies to install
[http://retroshare.sourceforge.net/](http://retroshare.sourceforge.net/) and
be done with the "secure communication" question.

