Apple�s iMessage Defense Against Spying Has One Flaw

[Henry Baker]

FYI -- Of course the same flaw can be used by non-U.S. govts.

http://www.wired.com/2015/09/apple-fighting-privacy-imessage-still-problems/

Apple’s iMessage Defense Against Spying Has One Flaw

Joseph Cox Security  09.08.15  1:10 pm.

Yesterday, the New York Times mentioned a trend that’s becoming more common: tech companies fighting back against government requests for user data, among them Microsoft and Apple.  According to the report, the Justice Department obtained a court order demanding that Apple provides the iMessages sent between crime suspects, in real time.

Apple said that wasn’t possible, because its iMessage service was encrypted.

But, the thing is, there is actually a very high likelihood that, technologically, iMessage could be wiretapped, because it does not allow users to verify encryption keys when writing or receiving messages.

How iMessage Works

When someone—-let’s call her Alice—-sends a text over iMessage, the content doesn’t simply travel from Alice’s Apple device to another.  First, Alice’s device contacts one of Apple’s servers.  Called ESS, this server stores all of the public encryption keys for iMessage users.

 From here, the Apple server provides Alice with, say, Bob’s encryption keys.  Then armed with this information, Alice’s iPhone encrypts the message, sends the garbled text to Apple, which then forwards it over to Bob, who can decrypt it.

At no point in this process does Apple see the actual content of the message, because it is encrypted before it leaves Alice’s device, aka end-point.  Hence, the label “end-to-end encryption.”

This centralized approach to key management isn’t necessarily a problem, and is the same process that other encrypted messaging services use.  Signal, developed by Open Whisper Systems, also makes a user’s device connect to a central server of keys, Nicholas Weaver a senior researcher from the International Computer Science Institute, told WIRED in an email.

However, as pointed out by Weaver in a recent post on the Lawfare Blog, it is impossible for an iMessage user to make sure that the Apple server has provided them with the right set of encryption keys.

“Without such an interface, iMessage is “backdoor enabled” by design: the keyserver itself provides the backdoor,” Weaver writes.

Weaver says that, if configured to do so, the Apple server could, instead of providing Alice with Bob’s correct keys, send an additional one that the FBI had access to.  Indeed, this was highlighted by researchers as far back as 2013, and Matthew Green, assistant professor at Johns Hopkins University also previously laid out a similar case.

“[In that case] the FBI (but not Apple) can decrypt all iMessages sent to Alice in the future,” Weaver continues.  Likewise, by adding another FBI key to all messages that Alice sends herself, it would be possible for the agency to snoop all of her outgoing texts too.

The Solution?  Let Us Verify Our Keys

So, the only way around this potential backdoor is in allowing users to verify what keys they have received.  With Signal, users can hit a ‘Verify identity’ button, and the app will display their key fingerprint, as well as that of the person they’re communicating with.  To make sure that they’ve been issued the genuine keys, the pair can then send this code over another means of contact, or just show it to each other in person.

“Hardly anybody actually does verify keys offline, but the capability of doing so is what forces the keyserver to be honest,” Weaver continued.  It’s worth pointing out that Open Whisper Systems partnered with WhatsApp to deliver end-to-end encryption, but that service, like iMessage, does not have a feature to verify user’s fingerprints.

It’s unclear why Apple has not implemented some sort of manual verification method.  The company did not respond to a request for comment.

Regardless, it would likely be a pretty easy addition to make to iMessage.  “A “long press” of view keys would be sufficient,” Weaver said, although he anticipated that Apple could probably come up with some other, even easier-to-use method.

This is all assuming that the FBI, or other agency, could find the legal standing to compel Apple to send bogus encryption keys to a target.  As the New York Times piece pointed out, a court order was obtained to demand Apple deliver unencrypted messages.  Although that request was apparently unsuccessful, the technological groundwork for wiretapping iMessage is there, at least for the time being.