A team of researchers at Johns Hopkins (Christina Garman, Matthew Green, Gabriel Kaptchuk, Ian Miers, and Michael Rushanan) discovered a profound vulnerability in how Apple's iMessage encrypts data. The flaw allows the attacker to correctly guess the cryptographic key that decrypts iMessage attachments, which enables the attacker to determine the contents of the underlying data. The flaw specifically impacts the iMessage application for iOS versions before 9.3 and Mac OS X versions prior to 10.11.
I've made a video that describes the attack at a high level.
Apple's iMessage uses standard cryptographic techniques like public-key encryption, symmetric-key encryption, and digital signing - each of which are secure in isolation. However, these building blocks are combined and used in an unfortunate way that results in a security vulnerability.
The attack is quite involved but the underlying concept isn't that difficult. Normally, if you tried guessing an entire cryptographic key, it would take an inordinate time because there are an astronomically large number of possibilities. However, iMessage is implemented in a way that allows you to guess a small piece of the key at a time, and moreover allows you to verify your guess; that makes guessing the entire key much easier.
Here's a simple example illuminating the main idea. Imagine I didn't know you and you asked me to guess your first name. If my only option was to try guessing your entire first name at once, before you told me whether I was right or not, I'd probably need a lot of guesses before stumbling on the right one.
If, instead, I could guess each letter in your name separately, and you told me whether I was right along the way, it would be way faster. For example, I can ask if the first letter of your name is an A, then B, and so on, until I'm right. Once you tell me whether the first letter is correct, I can move on to the second letter, then the third, until I'm done. The approach is quick and easy. The iMessage attack involves a similar idea.
Fortunately, the attack is very resource intensive. In fact, in tests done by the Hopkins researchers, the attacker needed 250,000+ tries and ~70 hours before succeeding. These numbers can be improved, but the attack is still involved. The attack also requires having access to encrypted iMessages themselves, which isn't always possible, though it's not entirely impossible either.
Given the above together with the fact Apple has already implemented measures to thwart the attack means you shouldn't panic. Of course, there's an old adage that attacks only get better over time, they never get worse.
This attack reminds us that cryptography is hard. Even experts often make mistakes. I bring this up because there has been a lot of discussion about backdoors in cryptographic systems. A backdoor just adds a whole new level of complexity. If it's hard to implement even basic crypto correctly, can you imagine what happens when backdoors are thrown into the mix?
Author: Zulfikar Ramzan
Category: Research and Innovation, Blog Post
Keywords: Apple, Encryption, iMessage