Quarkslab researchers Cyril Cattiaux has revealed Apple lied when it claimed it could not intercept iMessages sent by its users.
Quarkslab researchers Cyril Cattiaux revealed that it is possible to
break encryption implemented in Apple's iMessage application due the
presence of a weakness in the key management process. The announcement
was made during the Hack in the Box conference in Malaysia this week.
Cattiaux, aka pod2g, is known because it has developed a iOS jailbreak, this time they sustain that iMessage encryption is vulnerable to eavesdropping attack despite Apple always declared a secure end-to-end encryption.
"For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data," Apple declared in a statement on its website.
According the researchers Apple is able to access the content of
iMessage app changing the key anytime they need, it should be noted that
they confirm there's no evidence that Apple or the NSA are analyzing
also iMessage content despite it is technically possible.
"Apple's claim that they can't read end-to-end encrypted iMessage is definitely not true," they said. Apple has no reason to do so. But what of intelligence agencies?" they said.
It is clear the reference to the case PRISM and the revelation made by Snowden on
the collaboration offered by Apple to NSA for surveillance activities.
When the user sends a iMessage to someone, he takes the receiver's
public key from Apple, and encrypts the message. Once the message is
received by recipient he is able to decrypt the message with his
private key according classic asymmetric encryption scheme. Apple acts
as a Certification Authority of any PKI architecture,
public keys were managed on a server called ESS that could be not
publicly inspected. The researchers created its own bogus Certification
Authority and inserted its reference into the iPhone Keychain to be able
to access to SSL encrypted traffic acting as a proxy. Cattiaux noted
that Apple ID and password was being transmitted in clear text during
iMessage transmission. Apple actually controls public key repository
this means that it could perform a MITM to intercept users' messages.
They
exploited the lack of mechanisms to tell devices to trust a given
certificate, for PUSH and iMessage servers, allowing a fake certificate
authority to be added to the user Keychain.
"Firstly, it means that Apple [and intelligence agencies] can replay our password using for instance our email on many websites. Secondly, it also means that anyone capable of adding a certificate and able to [proxy] the communications can get user's Apple ID and password, thus get access to include accounts, backups" and app purchasing.There is the concrete risks that enterprise IT managers when assigning Apple devices with mobile device management platforms could intercept sensitive Apple user account details including iCloud usernames and passwords.
"If the device is connected to iPhone Configuration Utility, Apple's enterprise solution for management of iPhones, a trusted CA (Certificate Authority) is added. The consequence is that all subsequent certificates signed by that CA will be trusted to create the SSL communication. It means all companies using that are able to retrieve their employee's AppleID and password by simply [proxying] the SSL communication."
A possible implementation that could dispel the doubts about the good
faith of Apple is to store user's public keys locally within iOS, avoiding centralized management by Apple.
I suggest to read the interesting analysis published in the blog post of the researchers
No comments:
Post a Comment