Biz & IT —

Contrary to public claims, Apple can read your iMessages

Control of keys gives Apple ability to read iMessages, despite end-to-end encryption.

Dan Goodin - Oct 17, 2013 9:10 pm UTC

Contrary to public claims, Apple can read your iMessages — Wikipedia

Contrary to public claims, Apple employees can read communications sent with its iMessage service, according to researchers who have reverse engineered it.

The finding, delivered Thursday at a Hack in the Box presentation titled How Apple Can Read Your iMessages and How You Can Prevent It, largely echoes the conclusion Ars reached in June. It contrasts sharply with assurances that Apple gave following revelations of an expansive surveillance program by the National Security Agency. iMessage conversations, Apple said at the time, "are protected by end-to-end encryption so no one but the sender and receiver can see or read them." It added: "Apple cannot decrypt that data."

Researchers from QuarksLab who delivered Thursday's talk, begged to differ.

"Apple's claim that they can't read end-to-end encrypted iMessage[s] is definitely not true," researchers from QuarksLab wrote in a white paper summarizing their findings. "As everyone suspected: yes they can!"

The good news

To the credit of Apple engineers, the researchers said that it would be hard for most would-be eavesdroppers to defeat the cryptography protecting iMessages. The encryption is based on the time-tested AES, RSA, and ECDSA algorithms that are used to authenticate parties to a conversation and prevent their contents from being read by anyone able to monitor a Wi-Fi network or other connection. Breaking the encryption would generally require an eavesdropper getting physical control of an iPhone or other Apple device, installing fraudulent certificates on it, and then setting up rogue servers that masquerade as those Apple uses to transmit iMessages. (The ability to use counterfeit digital credentials, interestingly, is made much easier by the lack of the kind of certificate pinning used by Google and Twitter to require this type of attack.)

Ultimately, the QuarksLab researchers said that such man-in-the-middle exploits against the iMessage infrastructure require so much effort that they could probably be carried out only by three-letter agencies, and even then only under limited circumstances. But they went on to say there's no technical measure stopping Apple employees, working under a secret court order or otherwise, from performing the same kind of attack and making it completely transparent to the parties exchanging iMessages. Unlike third-party attacks, these insider exploits would require no tampering of end-user devices.

iMessage contents are encrypted with a random AES key that's encrypted with an RSA key belonging to the recipient. A separate ECDSA key is used for authentication. The payload is sent to one or more Apple servers and ultimately delivered to one or more devices belonging to the recipient. Since Apple controls the entire infrastructure, there's nothing preventing company employees from swapping out the proper keys with ones controlled by Apple or other parties.

"So yes, there is end-to-end encryption as Apple claims, but the key infrastructure is not trustworthy," the researchers wrote. "So Apple can decrypt your data, if they want, or more probably if they are ordered to."

In fairness to Apple, most other commercial messaging systems are also vulnerable to man-in-the-middle or similar attacks mounted by insiders. The difference is that few if any of those other providers have issued public statements claiming the messages sent over their services can be read only by the sender and receiver. The researchers have developed a Mac OS X app they call IMITMProtect that is designed to prevent such attacks. They also called on Apple to fully document the way the popular messaging service works.

Update: An Apple representative has issued a statement to AllThingsD.

"iMessage is not architected to allow Apple to read messages," said Apple spokeswoman Trudy Muller said in a statement to AllThingsD. "The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so."

Promoted Comments

shawnceArs Scholae Palatinae
jump to post

nidx wrote:
So if a device is compromised (to install the fake certificates) and pointed to a fake server you can read the messages because they would be encrypted with a known key. that sounds pretty obvious. I don't understand how this means that apple can read the messages that are going through their server which is what they said. All this seems to mean is that a hacked device can be tracked transparently which admittedly a neat hack but very impractical.

No this is about man in the middle when exchanging public keys between iMessage endpoints. The messages over the wire are still encrypted and can only be decrypted (ignoring brute force, etc. attacks on the message itself) by a recipient with the private key matching the public key used to encrypt the message.

Apple could in theory exchange fake public keys since its the mediator of public key exchange.

If a device is compromised it is much simpler to just grab the message before it is even encrypted and enters Apple's backend.

966 posts | registered Jan 17, 2001
fishsandwichArs Centurion
jump to post

You are missing the point that Apple does not need to compromise the device because it already legitimately point to Apple servers. You only need to compromise the device if you are a third party. Basically they are saying, you need to perform a man in the middle attack to breach the security built into iMessage. In the case of Apple, they already ARE the middle man, so they can easily compromise the security if they chose to, and the end users wouldn't really know.

341 posts | registered Aug 1, 2011
pusher robotArs Tribunus Militum
jump to post

PeterWimsey wrote:
show nested quotes
There is a semantic difference between the words "can" and "theoretically could". The article did not present evidence that they can read your message. Only that they could theoretically do this.

The headline is misleading and the evidence does not contradict apples statement.

Now if you could provide evidence that apple has implemented key falsification then that would be a different matter entirely.

This is exactly right.

If I say I "can't" drive to work because my car is broken, the fact that I could, theoretically, repair my car and drive to work does not mean that I'm lying.

Apple said that it can't decrypt your iMessages. The researcher said that Apple was "lying" because Apple could, theoretically, rewrite its protocols so that it would be able to read your iMessages.

That's not "lying" by any stretch of the word.

If it's not lying, it's at least definitely misleading. Remember, the context was the concern that third parties like the NSA could be intercepting the messages with the quiet cooperation of the service provider. In that context, Apple was certainly implying if not stating directly that this would be an impossibility with their system.

1647 posts | registered Dec 6, 2010
another ars accountArs Scholae Palatinae
jump to post

kgb999 wrote:
In what way is an entity explicitly saying they can't do something different than saying it isn't possible for them to do something?

"Can't" and "don't" share with "can't" and "impossible" the fact that sometimes their meanings coincide and sometimes they differ.* When you are repeatedly and explicitly claiming "Apple said it's impossible", it starts to sound like you're just trying to score points in the fanboy wars. More power to you if that's your goal, but it's pretty fucking boring to watch.

I think a more interesting way of looking at it is what Dan quoted before: "In the case of iMessage intercept capabilities, Apple is taking a page from Skype's playbook—make very carefully worded statements about the existence of encryption, and then let people read far more into their claims than they have actually made."

Apple's choice of words is very careful here, if we assume that they don't have a backdoor already. If they do have a backdoor in iMessage, "no one but the sender and receiver can see or read them" is a straight-up lie. But assuming they don't, it's devious in how it disarms nerds by being narrowly correct while calming anyone else by sounding more strongly correct.

Even if it's only narrowly correct, (i.e. we don't have an iMessage backdoor at the moment) it's an important statement because it strongly repudiates the claim that Apple is siphoning off data into PRISM or any other government data collection system. Is that true, though? Are they lying? Maybe we'll never know.

The QuarksLab presentation slides are pretty good, if you haven't yet read them. I agree with their conclusion that if you are trying to protect information from government or Apple scrutiny, iMessage is not something you want to be relying on. Also, why the fuck don't they have pinned certificates in iOS yet? Google clearly showed that it isn't just a theoretical concern, and it's not like Apple hasn't had enough time to get with the program on this.

* Which is an example of why "words have meanings" absolutists in online discussions generally piss me off; it's like these people can't even reach the bar, low as it is, of understanding what those numbers mean in dictionary definitions.

1403 posts | registered Mar 28, 2012
adiposeArs Praetorian
jump to post

another ars account wrote:
"Apple's claim that they can't read end-to-end encrypted iMessage[s] is definitely not true,"

... because Apple can rewrite its software to allow them to read your messages? Is that what I'm reading here? Is this any different than saying Phil Zimmerman could release a PGP update that forwarded all plaintext to his own hotmail account?

I suppose there's the (perfectly valid) open vs closed source argument, but if there's anything else here I'm missing it.

No, you don't understand.

PGP could be vulnerable in the way you suggest, but it is a totally different scenario. That is because you are talking about modifying the client side application, something that is not only universal, but detectable. If Phil did that, it would be detected within days, I would bet.

We are talking about man in the middle. Apple is the man in the middle, no matter how honest they are being about it, now. If the NSA comes in, demands that they fake the key exchange, for one user, then Apple can do it--and no one will be the wiser. This means, they have a de facto method of reading your messages, and it probably wouldn't even be that hard to implement, and it is not detectable.

This is the equivalent of,

Quote:
Phone Company: "We cannot tap your phone calls, because we always route the call to the right user."

You: "But what if the call first was routed through an NSA tap?"

Phone Company: "But we don't do that!"

What is happening now:
Quote:
Apple: "We cannot tap your messages, because we always give you the right keys to encrypt the data so we can't read it."

You: "But what if you gave me the wrong key when I tried to encrypt the message, read the message, then re-encrypted it and sent it on its way?"

Apple: "But we don't do that!"

The bottom line is, it is possible, it is trivial, and we only have Apple's word that they aren't doing it (yet). When the NSA asks them to, not only can they, they probably will. And that is why their statements to the contrary are false. Maybe not malicious lies, but demonstrably false.

The fact (or their statement) that they haven't implemented such a system doesn't mean they can't do it. That the messages are encrypted does *nothing* to change this fact. They are saying, "Since it is impossible, you don't have to trust us!" But you do have to trust them. And you can't trust anyone, since the NSA can force them to comply and deny them the opportunity to admit they are doing it.

498 posts | registered Dec 8, 2005
kruzesArs Scholae Palatinae
jump to post

Abhi Beckert wrote:
This article basically says it's possible for Apple to change how iMessage works and make it so they also have the key.

No, it doesn't. It says Apple can change your key server-side without any updates to your software at the request of law enforcement.

Abhi Beckert wrote:
As far as I'm concerned, this is exactly the same security as SSL, which we all trust with far more sensitive data than text messages. Like SSL we are trusting a third party to guarantee the certificate belongs to the intended second party. Apple could lie, just like any SSL certificate authority could lie and provide a malicious party with a valid SSL certificate for any domain name.

Sure. And SSL certificate authorities have lied, and have issued bogus certificates for domain names they were not supposed to be granting certificates for. Google's certificate pinning implementation detected this, and allowed such certificate authorities to be publicly shamed and removed in the next security update. Which they were, to the benefit of other browsers not using certificate pinning.

Abhi Beckert wrote:
Lets be realistic, iMessage is not intended to be a competitor to TOR or PGP. It's just a free way to send SMS messages. And it provides far greater security than SMS, which can be decrypted by anyone within 20 miles of your phone, just by running GSM hacking software on their laptop (GSM encryption is so weak it might as well be completely unencrypted).

Sure. Apple's implementation prevents wholesale decryption of every message. Also, if you (and your parties) take care not to backup your messages to iCloud, it prevents previous messages from being obtained. It's much better than many of the alternatives, and should be recognized as such.

However they made it sound like the system was infeasible to tap, which it really isn't. Authorities with a warrant can request a tap which is technically feasible to achieve. It doesn't even require an update to client software. They can also request (and have requested) access to any backups, which will be granted.

788 posts | registered Apr 19, 2006

Promoted Comments

shawnceArs Scholae Palatinae
jump to post

nidx wrote:
So if a device is compromised (to install the fake certificates) and pointed to a fake server you can read the messages because they would be encrypted with a known key. that sounds pretty obvious. I don't understand how this means that apple can read the messages that are going through their server which is what they said. All this seems to mean is that a hacked device can be tracked transparently which admittedly a neat hack but very impractical.

No this is about man in the middle when exchanging public keys between iMessage endpoints. The messages over the wire are still encrypted and can only be decrypted (ignoring brute force, etc. attacks on the message itself) by a recipient with the private key matching the public key used to encrypt the message.

Apple could in theory exchange fake public keys since its the mediator of public key exchange.

If a device is compromised it is much simpler to just grab the message before it is even encrypted and enters Apple's backend.

966 posts | registered Jan 17, 2001
fishsandwichArs Centurion
jump to post

You are missing the point that Apple does not need to compromise the device because it already legitimately point to Apple servers. You only need to compromise the device if you are a third party. Basically they are saying, you need to perform a man in the middle attack to breach the security built into iMessage. In the case of Apple, they already ARE the middle man, so they can easily compromise the security if they chose to, and the end users wouldn't really know.

341 posts | registered Aug 1, 2011
pusher robotArs Tribunus Militum
jump to post

PeterWimsey wrote:
show nested quotes
There is a semantic difference between the words "can" and "theoretically could". The article did not present evidence that they can read your message. Only that they could theoretically do this.

The headline is misleading and the evidence does not contradict apples statement.

Now if you could provide evidence that apple has implemented key falsification then that would be a different matter entirely.

This is exactly right.

If I say I "can't" drive to work because my car is broken, the fact that I could, theoretically, repair my car and drive to work does not mean that I'm lying.

Apple said that it can't decrypt your iMessages. The researcher said that Apple was "lying" because Apple could, theoretically, rewrite its protocols so that it would be able to read your iMessages.

That's not "lying" by any stretch of the word.

If it's not lying, it's at least definitely misleading. Remember, the context was the concern that third parties like the NSA could be intercepting the messages with the quiet cooperation of the service provider. In that context, Apple was certainly implying if not stating directly that this would be an impossibility with their system.

1647 posts | registered Dec 6, 2010
another ars accountArs Scholae Palatinae
jump to post

kgb999 wrote:
In what way is an entity explicitly saying they can't do something different than saying it isn't possible for them to do something?

"Can't" and "don't" share with "can't" and "impossible" the fact that sometimes their meanings coincide and sometimes they differ.* When you are repeatedly and explicitly claiming "Apple said it's impossible", it starts to sound like you're just trying to score points in the fanboy wars. More power to you if that's your goal, but it's pretty fucking boring to watch.

I think a more interesting way of looking at it is what Dan quoted before: "In the case of iMessage intercept capabilities, Apple is taking a page from Skype's playbook—make very carefully worded statements about the existence of encryption, and then let people read far more into their claims than they have actually made."

Apple's choice of words is very careful here, if we assume that they don't have a backdoor already. If they do have a backdoor in iMessage, "no one but the sender and receiver can see or read them" is a straight-up lie. But assuming they don't, it's devious in how it disarms nerds by being narrowly correct while calming anyone else by sounding more strongly correct.

Even if it's only narrowly correct, (i.e. we don't have an iMessage backdoor at the moment) it's an important statement because it strongly repudiates the claim that Apple is siphoning off data into PRISM or any other government data collection system. Is that true, though? Are they lying? Maybe we'll never know.

The QuarksLab presentation slides are pretty good, if you haven't yet read them. I agree with their conclusion that if you are trying to protect information from government or Apple scrutiny, iMessage is not something you want to be relying on. Also, why the fuck don't they have pinned certificates in iOS yet? Google clearly showed that it isn't just a theoretical concern, and it's not like Apple hasn't had enough time to get with the program on this.

* Which is an example of why "words have meanings" absolutists in online discussions generally piss me off; it's like these people can't even reach the bar, low as it is, of understanding what those numbers mean in dictionary definitions.

1403 posts | registered Mar 28, 2012
adiposeArs Praetorian
jump to post

another ars account wrote:
"Apple's claim that they can't read end-to-end encrypted iMessage[s] is definitely not true,"

... because Apple can rewrite its software to allow them to read your messages? Is that what I'm reading here? Is this any different than saying Phil Zimmerman could release a PGP update that forwarded all plaintext to his own hotmail account?

I suppose there's the (perfectly valid) open vs closed source argument, but if there's anything else here I'm missing it.

No, you don't understand.

PGP could be vulnerable in the way you suggest, but it is a totally different scenario. That is because you are talking about modifying the client side application, something that is not only universal, but detectable. If Phil did that, it would be detected within days, I would bet.

We are talking about man in the middle. Apple is the man in the middle, no matter how honest they are being about it, now. If the NSA comes in, demands that they fake the key exchange, for one user, then Apple can do it--and no one will be the wiser. This means, they have a de facto method of reading your messages, and it probably wouldn't even be that hard to implement, and it is not detectable.

This is the equivalent of,

Quote:
Phone Company: "We cannot tap your phone calls, because we always route the call to the right user."

You: "But what if the call first was routed through an NSA tap?"

Phone Company: "But we don't do that!"

What is happening now:
Quote:
Apple: "We cannot tap your messages, because we always give you the right keys to encrypt the data so we can't read it."

You: "But what if you gave me the wrong key when I tried to encrypt the message, read the message, then re-encrypted it and sent it on its way?"

Apple: "But we don't do that!"

The bottom line is, it is possible, it is trivial, and we only have Apple's word that they aren't doing it (yet). When the NSA asks them to, not only can they, they probably will. And that is why their statements to the contrary are false. Maybe not malicious lies, but demonstrably false.

The fact (or their statement) that they haven't implemented such a system doesn't mean they can't do it. That the messages are encrypted does *nothing* to change this fact. They are saying, "Since it is impossible, you don't have to trust us!" But you do have to trust them. And you can't trust anyone, since the NSA can force them to comply and deny them the opportunity to admit they are doing it.

498 posts | registered Dec 8, 2005
kruzesArs Scholae Palatinae
jump to post

Abhi Beckert wrote:
This article basically says it's possible for Apple to change how iMessage works and make it so they also have the key.

No, it doesn't. It says Apple can change your key server-side without any updates to your software at the request of law enforcement.

Abhi Beckert wrote:
As far as I'm concerned, this is exactly the same security as SSL, which we all trust with far more sensitive data than text messages. Like SSL we are trusting a third party to guarantee the certificate belongs to the intended second party. Apple could lie, just like any SSL certificate authority could lie and provide a malicious party with a valid SSL certificate for any domain name.

Sure. And SSL certificate authorities have lied, and have issued bogus certificates for domain names they were not supposed to be granting certificates for. Google's certificate pinning implementation detected this, and allowed such certificate authorities to be publicly shamed and removed in the next security update. Which they were, to the benefit of other browsers not using certificate pinning.

Abhi Beckert wrote:
Lets be realistic, iMessage is not intended to be a competitor to TOR or PGP. It's just a free way to send SMS messages. And it provides far greater security than SMS, which can be decrypted by anyone within 20 miles of your phone, just by running GSM hacking software on their laptop (GSM encryption is so weak it might as well be completely unencrypted).

Sure. Apple's implementation prevents wholesale decryption of every message. Also, if you (and your parties) take care not to backup your messages to iCloud, it prevents previous messages from being obtained. It's much better than many of the alternatives, and should be recognized as such.

However they made it sound like the system was infeasible to tap, which it really isn't. Authorities with a warrant can request a tap which is technically feasible to achieve. It doesn't even require an update to client software. They can also request (and have requested) access to any backups, which will be granted.

788 posts | registered Apr 19, 2006

Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene.

Channel Ars Technica

← Previous story Next story →

The good news

Promoted Comments

Promoted Comments

reader comments

Channel Ars Technica