iMessage_mitm3_quarkslab

Responding to a Quarkslab white paper made public at the Hack the Box conference yesterday – which claims that researchers have successfully intercepted iMessage exchanges – Apple felt compelled to issue a written statement reiterating the company’s stance that it can’t read any one’s iMessage even if it wanted to because it doesn’t have access to the public keys used to encrypt communication (AES, RSA, and ECDSA algorithms).

The assumed message interception reportedly allows attackers to seamlessly change the sent message before it arrives and thereby impersonate the sender. Apple’s claim that “iMessage is not architected to allow Apple to read messages” is now brought into question as the researchers released video evidence of the vulnerability…

French security researchers Pod2G and GG allowed ZDNet to film an exclusive demo of them intercepting, reading and changing the content of iMessages between two iPhones, have a look below.

Both devices were running iOS 7, in case you’re wondering.

That’s pretty scary stuff right there.

Although that’s just a “theoretical” demonstration, a message intercept like that could – again, theoretically – allow someone to easily intercept, impersonate and read your private messages.

This is Apple’s statement issued in June in response to the NSA snooping (emphasis mine):

Conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them.

Apple cannot decrypt that data.

Similarly, we do not store data related to customers’ location, Map searches or Siri requests in any identifiable form.

“Apple’s claim that they can’t read end-to-end encrypted iMessages is definitely not true,” QuarksLab’s white paper reads. “As everyone suspected: yes they can!”

Performing such a man-in-the-middle attack, however, would require someone with superior skills, substantial resources and physical access to your device.

The researchers explained that to break iMessage encryption in the manner shown would require the attacker to get physical control of the device — once.

Then, the attacker would install fraudulent certificates on it, and run spoofed servers tricked out to mimic Apple servers. The flaw’s essence, as QuarksLab described it, lies in the protocol’s lack of certificate pinning.

What’s more, QuarkLab cautions that every Apple product that runs iMessage is potentially vulnerable to this kind of attack, meaning all desktop and portable Macs in addition to iPhone, iPod Touch and iPad devices.

imessage-security-flaw-525x365-v1-620x431

The researchers released a tool for jailbroken iOS devices called iMTM Protect which they claim prevents Apple to mess with encryption keys.

I wonder how Apple reacts to this video demonstration and whether the company’s previous reassurances will now come to bite them in the you-know-what.

Keep in mind that iMessage is regarded as one of the most secure, surveillance-proof messaging platforms.

According to a leaked memo by the United States Drug Enforcement Administration, its agents had found it impossible to “intercept iMessages between two Apple devices” due to strong iCloud encryption.

Thoughts?