Hackers: Here's how Apple's iMessage surveillance flaw works (video)

Summary: Apple's iMessage is believed to be among the most secure, surveillance-proof messaging tools. But hackers have exposed a flaw that allows malicious interception, impersonation, and the viewing of private messages.

TOPICS: Security
(Image: Violet Blue/ZDNet)

KUALA LUMPUR, MALAYSIA — Hackers this week showed security conference attendees findings and demonstrations directly contradicting Apple's public claim that it can't read iMessages.

Even though the messages are encrypted end-to-end, as Apple claims, QuarksLab researchers showed a packed room at Hack In The Box Kuala Lumpur that, because the protocol lacks certificate pinning, "Apple can technically read your iMessages whenever they want."

More worryingly, in the presentation "How Apple Can Read Your iMessages and How You Can Prevent It," the researchers also showed that iMessages can be intercepted and instantly changed via a man-in-the-middle (MiTM) attack.

The message interception allows a third-party attacker to seamlessly change the sent message before it arrives — and with the sender impersonated, the iMessage recipient is none the wiser.

(Image: QuarksLab)

The researchers followed through with their claims on Thursday in a 90-minute presentation, including detailed, step-by-step slides and descriptions, and two demonstrations.

The second demonstration was unsuccessful due to conference network issues. But after the talk, ZDNet was given an exclusive demo on video when the network was back at full operation.

French security researchers "Pod2G" (Cyril Cattiaux) and "GG" allowed us to film the hackers while they intercepted, read and changed the content of iMessages between two iPhones.

However, in a statement to AllThingsD, Apple spokesperson Trudy Muller said: "iMessage is not architected to allow Apple to read messages. The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so."

However, "theoretical" as it may be, QuarksLab's demonstration shows that iMessage can be exploited or manipulated.

ZDNet has reached out to Apple for additional comment and will update this article if we hear back.

"Apple cannot decrypt that data"

On June 6, Apple — among others, including Google, Facebook, Microsoft, and Yahoo — was linked to mass surveillance programs conducted by the U.S. National Security Agency (NSA) and the now-infamous PRISM program. The seven major technology companies named were alleged to be somehow involved in legally and ethically dubious U.S. government-run surveillance programs.

Apple responded publicly, saying in a statement on its website that iMessages "are protected by end-to-end encryption so no one but the sender and receiver can see or read them."

The statement added: "Apple cannot decrypt that data."

The Cupertino, Calif.-based technology giant's implication was that third parties, such as the NSA, could not intercept messages even with its quiet cooperation, because, according to Apple, the system itself made such interception impossible.

"Apple's claim that they can't read end-to-end encrypted iMessage[s] is definitely not true," QuarksLab's white paper reads. "As everyone suspected: yes they can!"

The hackers told ZDNet that every Apple product compatible with iMessages is affected.

"Basically, nearly all current Apple products: iMac, Mac Pro, MacBook Pro, MacBook Pro Retina, iPhone, iPod Touch, iPad. We will release a tweak for jailbroken iOS devices and an application for OS X just after the presentation."

Before their presentation at Hack In The Box yesterday, QuarksLab had hinted to media that they had discovered the weaknesses, emphasizing that their findings showed Apple could indeed read user messages if it wanted to.

Only possible with superior skills, access, and resources

Pod2G and GG said that hacking iMessage to impersonate users, intercept messages and read private message contents was indeed possible.

But they repeatedly emphasized this was only possible if the third party is a skilled attacker, and cited Apple and the NSA as examples of capable skill level.

(Image: QuarksLab)

The researchers explained that to break iMessage encryption (AES, RSA, and ECDSA algorithms) in the manner shown would require the attacker to get physical control of the device — once.

Then, the attacker would install fraudulent certificates on it, and run spoofed servers tricked out to mimic Apple servers. The flaw's essence, as QuarksLab described it, lies in the protocol's lack of certificate pinning.

Even though performing this man-in-the-middle attack is quite a lot of work, and can only be done under limited circumstances, QuarksLab told the security conference's attendees that if they needed a secure message system, they should choose a different one. Especially, they jokingly cautioned, if the messages contain discussion of Apple related zero-days or exploits.

How to prevent iMessage surveillance?

The hackers concluded their bombshell of a talk — to a packed, standing-room-only crowd — by sharing a tool they created that gives iMessage users on iPhones the ability to essentially plug the flaw themselves and make their messages truly private and secure.

Their tool "iMTM Protect" (available for download on GitHub) is a helpful, superlative approach to empowering users to protect themselves from a serious privacy issue that raises too many questions to answer at this time.

It's also a refreshing outcome to the revelation of a security flaw in a product from a company known for staying silent on its product's security problems — and tends to tell users that security holes will get fixed "sometime" in the next update cycle.

The tool is ready for skilled computer users, though sadly it is likely out of reach for the average Apple iMessage user's technical skill level — and only works on jailbroken iPhones at this time.

But it's a step in an interesting direction.

As QuarksLab summarized in "How Apple Can Read Your iMessages," the iMessage user may not be at risk from an average malicious attacker on this issue.

Needless to say, what QuarksLab revealed at Hack In The Box yesterday is still a serious issue for all iMessage users concerned about well-resourced threats, such as nation-states. And now the whole situation casts a shadow over Apple's previous reassurances.


  • apple says...........

    It's not a flaw, it's a feature!
    • Remember; this is Apple and Peter Oppenheimer we're talking about.

      Well, I'm not all that surprised. Apple, the company who hired a family member of J. Robert Oppenheimer (father of the Atomic Bomb) to develop tax payment subversion; didn't really invest into security... Ever.

      Oppenheimer Funds still isn't the right way to invest.
      • On second thought...

        But I suppose, when your family is really smart; and known for bombing a continent, you can't usually top that. Unless you find a way to cheat death and taxes.
        • You have been saving that little chestnut for a long time, haven't you?

          Hey, guess what. Your genes have been involved with serial killers "sometime" in the past of human history. It's amazing you are employed at all.
          • Your Point..?

            I just think it's slick that Apple has lineage to nuclear bomb physicists responsible for cooking Millions of Japanese relatively recently.

            Today, company efforts include cooking the books in Ireland, while Al Gore remains on the board of directors, after performing investigations into backdated stock transactions.

            Did I miss anything?
          • And your point?

            "nuclear bomb physicists responsible for cooking Millions of Japanese relatively recently."

            I take it that you feel it would have been better had we sent 100,000 plus Allied soldiers into Japan where a large majority could have been killed, and many of their descendants that are here today would have never been born.

            So what that the Japanese were "nuked". If I remember correctly, it was they that started it with Pearl Harbor, and they appeared to care little for their own people given that they were trained to fly one way missions towards the end. They, or Germany would have surely nuked us had we not beaten them to it.

            In your quest to sound humorous, you instead come off as ignorant, as you speak on matters you appear to have given very little thought to.
            John Zern
          • It's an interesting subject!

            To do a research on, you might be surprised what you'll find. I did a study on this in the 1970's in Criminology. Turns out there was only a small reason to let the first bomb off and NO reason to drop the second one. See the second one was only dropped for research as it was a different design to the first. It's ok if you feel bad for being the only country in the world to ever actually use a nuclear bomb on a living population.

            Unless you count the poms who, although they didn't drop one in anger, did use Australians to stand around just outside of the bomb radius to see what the side effects were!
          • Wrong on both counts

            I hope your research now is better than what you did in college.

            The expectation for an invasion of Japan, even if later suspected to be wrong, was over 1 million casualties. The bomb was dropped. Japan did not surrender. So a second was dropped. Yes, there was a desire to determine whether the second would work operationally, but that could have been proved in other ways had Japan surrendered. Indeed, had Japan not surrendered after the second bomb, more were being prepared.

            It's easy to find a few details and pull together a theory after the fact, but both Hiroshima and Nagasaki were part of a war the US did not start and chose to finish with the least US casualties.
          • Nonsense

            Any such estimates were concocted post facto as a justification for dropping the bomb.

            As to your timeline, it is complete and utter bunk. The Japanese did not surrender immediately after the second bomb was dropped either. They only surrendered after their one and only condition to surrender was met, a condition that had been stated MONTHS before the first bomb fell: that the emperor remain supreme leader of Japan.

            It's easy to find a few details and pull together a theory after the fact, but both Hiroshima and Nagasaki were part of a war with Japan the US instigated through their naval blockade of the island and chose to finish even though there was no real threat to U.S. citizens.
          • Any thoughts of your own?

            You seem to be very adept at regurgitating propaganda from government class; have you ever thought about the fact that maybe you were told those things for a reason? Why drop the bomb when we already knew that the Emperor wanted to end the war (1946 The United States Strategic Bombing Survey)? Also see http://www.wagingpeace.org/articles/db_article.php?article_id=381. I grew up believing a lot of the same things that you were talking about. Is it ethical to treat human beings so horribly? Think about it before you speak such ridiculous things. The bomb was a message to Russia and started the cold war, that's all.
          • Finally someone with the correct tactical understanding of the A-Bomb

          • Learn history

            Seriously, learn history. All you have managed to do is regurgitate the nonsense still being propagated in the U.S. educational system, nonsense with NO basis in fact.
            First, this idea that 10,000 Allied troops would have died invading Japan is utter nonsense, based on a flawed, stereotypical understanding of the Japanese psyche (and the idea that surrender was impossible to the Japanese mind) that simply is not true. As General MacArthur tried repeatedly to point out (having spent significant time in Japan as a young man as aide-de-camp to his father, and being intimately aware of the culture). In fact, the Generals in charge of the Japanese military had already sent out various missions to the Allies to discuss terms for possible surrender, well before the bombs were dropped. They had only one condition, a condition that WAS dictated by the Japanese psyche, namely that the Emperor remain supreme ruler of Japan. Empirically, this idea of no Japanese surrender also fails, as they had already begun to do so in numerous parts of the Pacific theatre.
            Beyond that, even AFTER the bombs were dropped, the Japanese military, who themselves did not suffer crippling losses from the bombs, STILL did not surrender. In fact, they only did so after, guess what, the Allies agreed to their single negotiated demand: continued reign of the emperor. A demand that, in the end, was granted.
            The idea that ANY U.S. or Allied forces would have died invading the island is preposterous.

            Beyond that, the myth that the Japanese attack on Pearl Harbor was unprovoked is ludicrous. In fact, for quite some time prior to the bombing the Allies, principally the U.S. had been maintaining a naval blockade of the island of Japan, destroying any and all sea traffic they could find attempting to port. As a country with few resources, this was not a blockade the nation could long withstand. So plans were drawn up to hit the U.S. naval forces in a decisive blow to end the blockade in the only way that had a chance at working: taking out the majority of the fleet in one massive strike.
            As to your nonsense about suicide missions, if that is your metric, please name a nation that satisfies your definition of "caring for their people".
            Lastly, the idea that the Japanese would have nuked us if they had the chance evinces a complete ignorance of the Japanese psyche the rest of your diatribe rests on. Germany, led by a psychopath, maybe. Japan, doubtful.
            In your quest to sound incredulous, you instead come off as ignorant, as you speak on matters you appear to have given very little thought to.
          • Oh Please

            The U.S. "manipulated" Japan into planning a "surprise" attack, and then "we" did nothing to prevent it. But hey -- believe what you want to.
          • I normally (well, almost never) indulge in Ad hominem attacks

            In fact, my first comment to you was my first on ZDNet - which would span about a five year time period.

            But I just can't seem to help myself in your case, Malcolm.

            When I read your initial comments and now your answer to mine, I can't help but recall a line from the movie "Field of Dreams". That line was spoken by one of my favorite actors, James Earl Jones.

            Not to keep you in suspense any longer, that line was, "You're seeing a whole team of psychiatrists, aren't you?"

            I'm sorry. I know that was uncalled for (although it was fun to write) but really, what does a distant relative of Oppenheimer have to do with a software hack. (Which, by the way, in order to work, needs physical access to a person's Apple device before it can "theoretically" be accomplished.)

            Or how are your comments related to a perfectly legal (at the time) accounting practice to accusations that Apple can somehow confiscate all their customers' Apple devices in order to plant a software hack in order to listen in on iMessages? BTW, Violet Blue and MalcolmTucker, that is something that could NEVER happen so, how in the universe could Violet Blue ever suggest Apple reps or NSA personnel could exploit this "flaw" to compromise iMessage security?

            Nope, IMO, your comments have no bearing on this topic discussion. They may indeed be relevant to you and your fellow tin foil hat friends but not to this topic discussion.
          • Furthermore, Oppenheimer did not want to go BEYOND the A-bomb.

            Oppenheimer had one incentive for working on Project Manhattan: being Jewish and knowing (somewhat) that the Nazis wanted to exterminate, eventually, ALL JEWS ON EARTH, he wanted America (and Britain) to develop the bomb before Germany could, to have it in reserve as a deterrent to Hitler.

            After Hitler's suicide and the Nazi surrender, Oppenheimer and a number of other Los Alamos scientists did NOT want the bomb actually dropped on Japan, since the end of the war was near anyway. He circulated a petition to get Truman to drop "demo" bombs on uninhabited islands instead, and after the war, he was against going further to develop the H-bomb (fission+fusion) that Edward Teller advocated (and later designed).

            Once the postwar Red scare started, Teller argued that Oppenheimer and others who did not want to advance the arms race were not patriotic enough, and got Oppenheimer's (and other scientists') security clearances revoked, forcing them back into the private sector.

            There were probably several reasons Truman rejected the "demo bomb" idea, but one of them was surely the fact that several more months would have been needed to make enough fuel for another bomb of either design, and they had one of each in the inventory after the Trinity test. Another reason was undoubtedly that, if he did not use the bomb, and the war lasted two more years, with casualties comparable to Okinawa and Iwo Jima, he would surely have been impeached once Congress found out he had the bomb and did not use it. And of course, there was the fact that Stalin was planning to join the fight against Japan, once it was almost over, in hopes of making it a Soviet satellite nation. Revealing that the bomb existed did make Stalin postpone that invasion, which eventually became untenable, even after he had his own bomb, ushering in the MAD strategy which prevented the two superpowers from using them.

            As for surrender, it turned out that a small group of Japanese Army officers wanted to thwart the broadcast of the Emperor's surrender message, even attacking the Palace itself. They were stopped by the fact that a flight of American conventional bombers (the last such attack in the war) were flying OVER Tokyo to bomb an electric plant further north, triggering a defensive blackout that messed up the timing of the coup attempt. If they had succeeded, it may very well have caused us to drop a third A-bomb.
          • MalcolmTucker "nuclear bomb physicists responsible for cooking Millions .."

            Dropping nuclear bombs on Japan at the end of WWII was a military decision. However, three prominent physicists at the time were given the opportunity to voice their opinion on the matter. Both Oppenheimer and Teller agreed with dropping the nuclear bombs, while Lawrence (think of the Lawrence-Livermore and Lawrence Berkeley Labs in California) disagreed. There's much more if you read "The Brotherhood of the Bomb".

            And let's not overlook the destructive capabilities of conventional bombing. I recommend that you read the Chapter covering the Allied fire-bombing of Dresden, Germany, in Richard Rhodes' "The Making of the Atomic Bomb". This was every bit as horrid as Hiroshima and Nagasaki.

            As for the necessity of having dropped atomic bombs on Japan at the end of WW2, some believe that the primary purpose was to send a message to Stalin and the USSR. Look what we've (the U.S. and British) got, don' f**k with us.
            Rabid Howler Monkey
          • A little bit more involved than that

            In fact, a timeline to the invasion of Japan had been written up far before, at the Conference at Yalta, wherein the Soviets took responsibility for invasion of the island. Both Roosevelt and Churchill understood that their true aim was eventual domination of the island, as well as Europe, so the U.S. set to making plans of their own, to end the war prematurely (relative to the timeline laid out in Yalta) before the Soviets had time to launch their invasion. In fact, the bombs were dropped only a matter of days before the planned Soviet invasion of the islands of Hokkaido and Honshu.
            This rationale mirrors that for the U.S. entering the war in the first place. We did NOT enter the European conflict to save Europe from Hitler. It was clear that there was no way Hitler would succeed in the end once he attacked Stalin, a sociopath with no concern for treating millions of his own people as cannon fodder if it served a tactical aim. In fact, Stalin was well on his way to drawing up final plans for a march on Berlin. However, all the Allied powers knew that Stalin had no intention of stopping at Berlin, but that he would continue marching to Paris and Madrid, and Rome, and London.
            The U.S. knew this as well, and this is what finally broke through the isolationist mindset here, precipitating the U.S. joining the war, to prevent Stalin from taking all of Europe.
          • We might have stayed "neutral" in Europe, except

            Hitler declared war on the US after we declared war on Japan. A dumb move by Hitler (one of many caused by his arrogance). After that, we had no choice but to declare a two-front war (which FDR wanted but the isolationists did not).

            Incidentally, one alternate history short story was published in the last few years in which a writer is interviewing the retired painter Adolph Hitler, who used to be a Communist sympathizer, persecuted by the Nazi government under Himmler, then escaping to Switzerland. The emphasis of the fictional interviewer in the story is to find out who made a grant to the art institute to force Hitler to be accepted as a student (thus preventing the anger causing him to become a Nazi), but the other point made was that Nazism WITHOUT Hitler became the established leader of Western Europe, except for Britain. Why? Because without Hitler, their war strategy would have been more rational! Certainly they would have had better "luck" without fighting the Soviet Union and America.
          • Again, no one had any actual reason to believe that any invasion of the island was necessary, certainly not that it would take two more years. A few meetings with high level envoys and an acceptance of their conditional surrender was all that was necessary, and would have taken maybe a week.
            As to fictional speculation, I suspect Hitler was not the only psychopath in charge in Germany, and even without him, it would have come to a head soon enough.
          • Maths, perhaps

            Millions of people did not die in the bombing of Japan in WWII.

            And maybe genetics. And ethics. And sense.