Friday, 18 October 2013

Unbreakable Apple's iMessage encryption is Vulnerable to Eavesdropping Attack

Though Apple claims iMessage has end-to-end encryption, But researchers claimed at a security conference that Apple’s iMessage system is not protected and the company can easily access it.

Cyril Cattiaux - better known as pod2g, who has developed iOS jailbreak software, said that the company’s claim about iMessage protection by unbreakable encryption is just a lie, because the weakness is in the key infrastructure as it is controlled by Apple: they can change a key anytime they want, thus read the content of our iMessages.
Basically, when you send an iMessage to someone, you grab their public key from Apple, and encrypt your message using that public key. On the other end, recipients have their own private key that they use to decrypt this message. A third-party won’t be able to see the actual message unless they have access to the private key.

Trust and public keys always have a problem, but the researchers noted that there's no evidence that Apple or the NSA is actually reading iMessages, but say that it's possible. "Apple has no reason to do so. But what of intelligence agencies?" he said.

The researchers were able to create a bogus certificate authority and then add it to an iPhone Keychain to proxify SSL encrypted communications to and from the device, and in the process discovered that their AppleID and password was being transmitted in clear text.

He says that since Apple controls the public key directory that gives you the public key for every user, it could perform a man-in-the-middle (MITM) attack to intercept your messages if asked to by a government agency.

A solution for Apple would be to store public keys locally in a protected database within iOS, as then the keys could be compared.

No comments:

Post a Comment