Apple Explains How Secure iMessage Is - prateekj
http://techcrunch.com/2014/02/27/apple-explains-exactly-how-secure-imessage-really-is/?utm_campaign=fb&ncid=fb

======
lawnchair_larry
Author isn't very clever about crypto attacks.

Sending device grabs all of the recipient's public keys (as well as all of
their own keys for other devices, which allows the conversation to be
replicated on all of their own devices as well) hosted by Apple. Sending
device _has no way to verify those keys belong to the intended recipient_.
User has no way to verify which, or how many, devices they are sending to. User
doesn't even know if the recipient is mysteriously using a different key that
has never been seen before. Sending device does not display any information
about how many keys it grabs.

Apple wants to read your messages? They drop one of their public keys in the
list. Apple gets a warrant? They drop the FBI's key in the list. You'll never
know that you're CCing the FBI device keys on all of your messages.

What's more, is these keys are provided by Apple over TLS without certificate
pinning. So now anyone who can mint certificates from a CA trusted by the
device can just assume Apple's position. You don't need to hack or legally
compel Apple in order to eavesdrop.

If your iDevice is managed by your company IT department, it can be silently
fed a certificate without compromising a CA.[1]

Finally, if you did not apply the goto fail update a few days ago, it's
trivial to break that TLS channel and also "misconfigure" those keys. That
hole has been there since September 19, 2012, by the way.

Basically, iMessage has been securing you against someone who knows how to run
wireshark or tcpdump, but not much else.

[1] [http://blog.quarkslab.com/imessage-privacy.html](http://blog.quarkslab.com/imessage-privacy.html)

~~~
redthrowaway
>Apple wants to read your messages? They drop one of their public keys in the
list. Apple gets a warrant? They drop the FBI's key in the list.

If they were doing this, it would come out _real_ quick. You'd just send a
message to a different account you control, then see how many keys you're
getting/encrypted messages you're sending. Someone like Appelbaum, who knows
he's under surveillance and has the crypto/networking chops to dig into it,
could verify it quite quickly.

~~~
rpdillon
GP's point is sound: the weakness in public key crypto is key exchange. Unless
you can independently verify that the keys you're getting from Apple belong to
the intended recipient, the system doesn't work. You don't even have to add a
key to the pool, you simply replace a key in the pool with a key generated by
Apple, and when the message arrives on the server, it's decrypted and sent to
anyone at all, and then re-encrypted with the recipient's key and sent along
as normal. Even signatures aren't really a barrier in this case, since Apple
can MITM your public key (used to verify the signature) to the recipient, as
well.

Any crypto system whose security is predicated on a trusted server might as
well be compromised. It's way too easy for servers to be subverted, either
technologically or (il)legally.

~~~
redthrowaway
If you have access to the private keys, which I'm assuming as I'm not talking
about users trusting the system but rather researchers identifying malicious
use, then it's trivially easy to verify that the public keys being used are
those, and only those, that correspond to the correct devices.

It's not a good system, but it's also not one that is impervious to detection
of malicious activity.

------
sigil
It's worth re-reading this post by Matthew Green, "Can Apple read your
iMessages?" [1]

For one, if you back up your device with iCloud, then yes, Apple can read your
iMessages. This has been verified by experiment.

Second, Apple operates a central directory of iMessage public keys mapped to
accounts, and this enables various kinds of MiTM attacks. Contrast this with
the way TextSecure / RedPhone does contact discovery using blinded signature
queries [2].

Third, iMessage and iOS are closed source. Ultimately, closed source can do
whatever the heck it wants. Not just what they're telling you it does.

All the same, we now have some new details on iMessage from Apple [3], and I'm
looking forward to hearing the crypto experts pick it apart.

[1] [http://blog.cryptographyengineering.com/2013/06/can-apple-read-your-imessages.html](http://blog.cryptographyengineering.com/2013/06/can-apple-read-your-imessages.html)

[2] [https://whispersystems.org/blog/contact-discovery/](https://whispersystems.org/blog/contact-discovery/)

[3] [http://images.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf](http://images.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf)

~~~
MBCook
It's still way better than SMS, and Facebook loves to use that kind of
information to sell ads.

This is actually _more_ secure than I expected.

~~~
kevinchen
And it's far better than other messaging services where messages can be read
by the server (e.g. Google Talk). If they/the government wanted to read your
messages, at least they'd have to jump through some hoops.

~~~
snotrockets
A single, very easily jumpable hoop: sending a lawyer to the nearest friendly
judge, asking him/her to sign a warrant.

~~~
schrodinger
I don't have a problem with a judge granting a warrant for a search. That's
the whole point of warrants. The problem is the warrantless dragnet
surveillance.

------
X-Istence
The way Apple could "read" the messages is by sending a keybag down to the
person sending the messages with another public key, one that Apple holds the
private key for.

For example if you have 3 devices (iPhone, iPad, MBP) and someone goes to send
you a message, they have to re-encrypt the message three times because Apple
would have sent them three public keys.

Now if Apple were evil because of a government order, they could send down
four public keys, the three ones for the devices you own, and the one public
key that Apple has the private key for. At that point once they receive the
message they can read it.

Any system that distributes public keys like this can be compromised the same
way.

---

The only real way to stop something like this is to make sure that the person
you are talking to holds the keys, OTR does this for example by allowing both
parties to verify the fingerprint...

~~~
Spooky23
Lawful intercept isn't evil.

~~~
aryastark
That depends on if the law is moral or immoral. Anything can be turned into
law.

~~~
timdiggerm
Who decides if they're moral?

~~~
niels_olson
You do, or at least I hope you do.

------
Osiris
_Unless Apple is omitting something or there’s some backdoor tucked into their
many-layers-deep encryption (which, while unlikely, isn’t inconceivable) they
really can’t read your iMessages without a fairly insane amount of effort._

That is, assuming, that there isn't some code in the app that allows Apple to
request that the app send your private key up to the server. It's conceivable
that in order to comply with law enforcement, for example, that Apple could
just tell the app to send up your private key so that it can decrypt any
message they have stored.

There's also no way to verify that your messages have, in fact, been removed
from their services.

~~~
na85
> (which, while unlikely, isn’t inconceivable)

Not only do I think it's not unlikely, I actually think it's pretty much a
certainty that Apple has a backdoor in their code. After the slides detailing
how easy it is for NSA to break into Apple phones I'd be simply shocked if
they hadn't inserted such a vulnerability.

Sounds to me like the author is applying a nice coat of white wash.

~~~
nemothekid
After reading a post by a Google engineer on this issue, I'm going to err on
the side of believing that Google, Apple, and others aren't actually actively
inserting back doors into their code.

[https://plus.google.com/108799184931623330498/posts/SfYy8xbD...](https://plus.google.com/108799184931623330498/posts/SfYy8xbDWGG)

~~~
michaelt
By all accounts, these secret court orders often come with gagging clauses -
which would likely extend to even gagging one employee from telling another.
For all I know the guy next to me could be under a secret court order forcing
him to insert backdoors.

Of course, as there's no way to disprove this hypothesis, and there's no proof
of it, you can still err any way you like :)

~~~
brisance
So why would Apple voluntarily issue an update to fix the problem if they were
gagged under a secret court order?

------
sjwright
Obviously this system has limitations and entirely relies on your ability to
trust Apple. But there's quite a few things to consider here:

* Text messages and most other chat protocols require that you trust multiple hardware vendors, multiple software vendors, and multiple telcos. By comparison, iMessage only requires that you trust a single company, Apple.

* As long as the operating system and messaging software is closed source, it would be impossible to eliminate the requirement to trust Apple anyway. If you really need serious security, you shouldn't be relying on any closed source third party systems, period.

* This is about as secure as it could ever get without requiring users to be educated about security principles. Given that iMessage is foremost a seamless alternative to text messages, it's difficult to imagine how they could make it more secure without compromising utility.

* The implementation details mean that any Government snooping must be done with Apple's knowledge, and will require the blessing of Apple's legal department. This might not be a particularly high bar to cross, but it does mean that Governments aren't running rampant, analyzing every message sent.

* The United States government isn't the only bad actor out there. The level of security appears to be extremely good against entities that hold no sway with Apple's legal team. It's also presumably impervious to a hostile network, or hostile foreign governments.

~~~
lawnchair_larry
Most of these points are completely wrong.

> * Text messages and most other chat protocols require that you trust
> multiple hardware vendors, multiple software vendors, and multiple telcos.
> By comparison, iMessage only requires that you trust a single company,
> Apple.

This is incorrect. It requires you to trust Apple, every company who operates
a CA, every government who can compel any CA to mint a certificate (read: you
trust the Turkish and Chinese governments), your IT department, and any hacker
who has access to any of those. If you didn't install the patch this week, and
for the last year and a half, it required you to trust _everyone_ on every
network segment you have ever connected to from any Apple device.

> * This is about as secure as it could ever get without requiring users to be
> educated about security principles. Given that iMessage is foremost a
> seamless alternative to text messages, it's difficult to imagine how they
> could make it more secure without compromising utility.

It could very easily be more secure. For example, certificate pinning would be
a decent start. It could also allow users to view key fingerprints if they
choose to. Many users wouldn't understand the purpose of that exercise, but at
least the option exists. More paranoid users could enable warnings if a user's
key changes. See also: Whisper Systems.

> * The implementation details mean that any Government snooping must be done
> with Apple's knowledge, and will require the blessing of Apple's legal
> department. This might not be a particularly high bar to cross, but it does
> mean that Governments aren't running rampant, analyzing every message sent.

Incorrect, as explained above. There are attacks that do not require
governments nor do they require any assistance or blessing from Apple.

> * The United States government isn't the only bad actor out there. The level
> of security appears to be extremely good against entities that hold no sway
> with Apple's legal team. It's also presumably impervious to a hostile
> network, or hostile foreign governments.

It's not impervious to hostile networks if those networks include your
corporate IT network or if you have used it in the past year and a half on any
network. Even with the latest patches, it is not impervious to hostile foreign
governments. Check your browser's CA list and take a look at how many
different countries are in there. For a more complete list, take a look at
this:
[https://www.eff.org/files/colour_map_of_CAs.pdf](https://www.eff.org/files/colour_map_of_CAs.pdf)

~~~
sjwright
Every one of your objections relies upon the assertion that iMessage is
vulnerable to certificate forging attacks. Do you have a citation? Has this
been demonstrated, or is it theoretical?

~~~
lawnchair_larry
Now you're just being _willfully_ ignorant.

~~~
sjwright
Or rather, you're being _willfully_ obtuse.

Citation, please?

------
IBM
The whole document was an interesting read.

[http://images.apple.com/iphone/business/docs/iOS_Security_Fe...](http://images.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf)

~~~
MBCook
Agreed. I found this bit about Touch ID interesting:

> With one finger enrolled, the chance of a random match with someone else is
> 1 in 50,000. However, Touch ID allows only five unsuccessful fingerprint
> match attempts [...]

I assumed it was more accurate than 1 in 50,000. Then again, I don't know what
a normal fingerprint sensor is capable of. Does anyone know the accuracy of
the sensor in the new S5, or the sensors that IBM/Lenovo/etc. have put on
laptops?

Also:

> The 88-by-88-pixel, 500-ppi raster scan is temporarily stored in encrypted
> memory within the Secure Enclave while being vectorized for analysis, and
> then it’s discarded after.

I wonder what kind of neat stuff people could come up with if we had raw
access to that kind of sensor data.

~~~
drewinglis
As I understand it, most fingerprint scanners can only distinguish between on
the order of tens of thousands of fingerprints. 50,000 is higher than other
numbers I've heard for fingerprint scanners (30-40k).

------
patmcc
If all that is true, it sounds perfectly secure against anyone other than
Apple and whatever law enforcement agencies they comply with requests from.

So, you know, really not secure at all.

------
jostmey
More so than its rivals, Apple has consistently put forth a greater effort to
explain their technology to its customers. Apple has remained keen to point
out the difficulties of hardware and software development. Perhaps this is one
reason why people outside of the technology sector perceive Apple products as
superior. People think Apple has gone the extra mile.

~~~
xcrunner529
Perhaps not how I'd phrase it, but I do love reading Apple's documents and
whitepapers. They're all designed and laid out so well for reading the
information. It's amazingly rare for that kind of stuff. I read the entire
document and found it fascinating.

~~~
martinjb
Apple Style Guide
[https://help.apple.com/asg/mac/2013/ASG_2013.pdf](https://help.apple.com/asg/mac/2013/ASG_2013.pdf)

------
mehrdada
As mentioned in other comments, you have to trust Apple to hand you the
correct public keys. They could easily MITM you and decrypt the messages on
the server if they misrepresent the other party's public key. Additionally,
the iMessages you send are signed by your private key, which is probably not
something you want.

~~~
declan
More to the point, they could be forced under court order (or FAA 702 order
etc.) to MITM. This is a cousin to the Lavabit scenario.

Nothing wrong with end-to-end encryption, folks. Why don't we have more of it?

~~~
toomuchtodo
> Nothing wrong with end-to-end encryption, folks. Why don't we have more of
> it?

Complacency and laziness. There is no excuse.

~~~
declan
Well said! :)

------
staticvar
Coming from a background of using cryptography regularly (far from an advanced
user), this revelation seems... Not surprising. It's practically the
equivalent of using SSL for viewing webpages. I say practically because for
some mind boggling reason, using standard crypto practices seems to be novel
for messaging services on the Internet.

------
h8liu
It is closed sourced anyway; so who knows if the document is correct, and who
knows if there is a backdoor or a bug...

------
pwnna
They don't have to have your private key to pull off a MITM.

In reality, it is probably secure enough against most adversaries. State-level
adversaries are a different story. For that you need OTR and key verification
in person.

~~~
snotrockets
If the above reports of Apple not pinning their certificate are true, then this
isn't secure enough against any adversary that can compel or hack a CA to
issue them a certificate in Apple's name. The latter appears to be not as hard
as you might imagine.

And the recent fail in their SSL/TLS library means you don't even need the
help of a CA to create a certificate Apple software would consider valid.

------
stormbrew
And if Apple's servers lie to you and tell you there's a device with a private
key they generated?

They may never have your private key, but you are still trusting them to
deliver the correct public keys to other users.

------
afhsfsfdsss88
No end-to-end no bueno.

Standard SSL even when done right isn't enough to guard against our current
privacy-abusing GO's.

------
cyphunk
Everyone needs to start caring a lot more about verification and authenticity
of keys (even public keys). iMessage anchors all trust in Apple Inc. with no
means to verify that your public key has not been swapped.

If you can't verify and pin keys, then assume there is no encryption.

------
antirez
The new "Security through trust in big corp" model.

~~~
throwaway2048
Also known as feudal security, where the serfs just have to trust their lord
knows what's best for them.

------
adrr
Can't they man in the middle the encryption? If there's a key exchange, how do
clients verify the keys they get are legitimate? SSL/TLS uses trusted
authorities to verify the public key.

------
eddieroger
The combination of dislike for Apple and paranoia in this thread makes for a
pretty potent combination. Every communication channel has its flaws. Once
upon a time, the post office was opening mail to read it, or wiretaps on
telegrams and telephones. Now, it's iMessage. Every channel has potential
exploitations, and if you can't agree with the ones that a channel comes with,
don't use it. iMessage is optional. SMS is optional. Don't open your mail.
Whatever.

------
rollthehard6
What would be more interesting to me would be a comparison between the
security of the iMessage protocol and similar competing facilities like SMS
and Google Hangouts.

------
seanhandley
This means nothing without the full source code to prove it.

------
karunr
Apple is able to do this today because instant message services are not (yet)
covered under CALEA (Carrier assistance for Law enforcement agencies). If
CALEA is updated to include instant messaging services, Apple would be legally
obligated to have a method of intercepting these messages, possibly with a
separate public key as discussed in other comments.

~~~
Zigurd
CALEA can't compel you to hand over anything you do not have access to. If
cleartext in your chat system can't be accessed because you don't have access
to customer private keys, that's not illegal.

------
grrowl
Apple could mitigate most of the security concerns listed in this thread by
listing the trusted devices which you're encrypting against. This solves the
"extra encryption key" angle. You'd still have to trust your recipient to be
just as mindful of this as you to prevent the vulnerability in the other
direction though.

~~~
lloeki
> by listing the trusted devices which you're encrypting against

More precisely, on a user device: list the contact devices and key
fingerprints. Adding a contact's device: on first exchange, show the fingerprint
and ask for trust, then pin the pubkey. Warn should the key change. What
remains is for parties to exchange fingerprints in a peer-to-peer side channel
(possibly even physically via Bluetooth/QR code).

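As an added example (not code from the thread, from Apple, or from any real client), here is a trust-on-first-use pin store in Python that sketches the client-side check X-Istence's "fourth key" scenario and lloeki's device list describe: pin each contact device's fingerprint on first exchange, then warn when a pinned key changes or an unknown device shows up in the keybag. It assumes a keybag is a dict of device id to public key bytes and uses SHA-256 digests of labels as constructed stand-ins for real keys. Note that TOFU cannot catch a key substituted on the very first exchange, which is why the out-of-band fingerprint comparison is still needed.

```python
import hashlib


def _key(label: str) -> bytes:
    """Constructed stand-in for public key bytes (not a real key)."""
    return hashlib.sha256(label.encode()).digest()


# Constructed sample: Alice's three devices, plus one key whose private half
# only the directory operator holds (the "fourth key" scenario).
ALICE_DEVICES = {
    "iphone": _key("alice-iphone"),
    "ipad": _key("alice-ipad"),
    "mbp": _key("alice-mbp"),
}
EXTRA_KEY = _key("directory-operator")


def fingerprint(pubkey: bytes) -> str:
    """Short hex digest a user can read out to a peer over a side channel."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


class PinStore:
    """Pinned fingerprints per contact, keyed by device id (trust-on-first-use)."""

    def __init__(self):
        self.pins = {}  # contact -> {device_id: fingerprint}

    def check_keybag(self, contact: str, keybag: dict) -> dict:
        """Compare the directory's keybag against what was pinned earlier."""
        seen = {dev: fingerprint(k) for dev, k in keybag.items()}
        known = self.pins.get(contact)
        if known is None:
            # First exchange: pin what we saw and surface the fingerprints
            # so the user can compare them out of band.
            self.pins[contact] = dict(seen)
            return {"verdict": "tofu", "devices": sorted(seen)}
        changed = sorted(d for d in seen if d in known and known[d] != seen[d])
        unknown = sorted(d for d in seen if d not in known)
        missing = sorted(d for d in known if d not in seen)
        # A swapped key or an extra device is a warning; a device that
        # disappeared is only reported (the contact may have removed it).
        verdict = "warn" if (changed or unknown) else "ok"
        return {"verdict": verdict, "changed": changed,
                "unknown": unknown, "missing": missing}

    def trust_device(self, contact: str, device_id: str, pubkey: bytes) -> None:
        """Pin a device after the user confirmed its fingerprint out of band."""
        self.pins.setdefault(contact, {})[device_id] = fingerprint(pubkey)


def demo():
    """Walk through first contact, a padded keybag, and a swapped key."""
    store = PinStore()
    first = store.check_keybag("alice", ALICE_DEVICES)
    padded = dict(ALICE_DEVICES, **{"unknown-device": EXTRA_KEY})
    second = store.check_keybag("alice", padded)          # extra key -> warn
    swapped = dict(ALICE_DEVICES, ipad=EXTRA_KEY)
    third = store.check_keybag("alice", swapped)          # replaced key -> warn
    return first, second, third


if __name__ == "__main__":
    for result in demo():
        print(result)
```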
------
andy9775
Excuse me if this sounds ignorant as I am not a security expert, but isn't
there a flaw in using a public key for continuous messaging? Shouldn't
public-private key crypto be used only to generate a symmetric key? The system
was originally designed for symmetric key exchange, no? Using it this way
presents some flaw?

------
hmottestad
I read that a lot of the comments are related to key exchange.

Just wanted to mention that there is a possibility of key verification over
SMS. An SMS can even be used for a temporary key for encrypting the key
transfer.

------
rburhum
That sounds great and super secure, but all I wanted was a single line goto
statement fixed asap. Took forever and basically made my phone, tablet,
personal laptop and gifts I gave for Christmas insecure for a long time.

~~~
sarreph
I'm afraid they were as secure as Apple crumble, indeed.

------
felix
Much better than I expected, it may not be perfect but it seems like the most
secure of the mainstream chat services. I would love to also have seen forward
security but that's asking for quite a bit.

------
the_watcher
Does this explain why, when I get an iMessage, no matter what, it appears on my
MacBook, my iPad, and my iPhone?

------
Splendor
This article is clearly timed to offset the bad security PR generated by the
goto fail SSL flaw.

------
NicoJuicy
Talk is cheap, show the code.

------
iratedev
This is great security for what it is. Probably enough to keep you 98% secure.

Which is still exactly 0% secure as far as I'm concerned.

All in all though - in general - I'll be more than happy to continue using
iMessage and feel at peace. As a general rule, however, never send anything
electronically that may screw you over later.

~~~
jjarmoc
If you see security as boolean, you're going to have a rough time...

~~~
Geee
Security is as strong as the weakest link. If there is a weak link there's no
security. So, it is boolean.

~~~
aryastark
Any more fuzzy platitudes for us, Geee?

The best encryption we have today is still bound to time and technology.
Without a threat model, it's pointless to discuss security. To the NSA, not
much of anything is secure on the Internet. There is a lot you can do when you
have total visibility into all traffic. But your psychotic girl/boyfriend who
barely understands what Wi-Fi is? They probably won't be eavesdropping on your
iMessages.