Hackers: Here's how Apple's iMessage surveillance flaw works (video)
KUALA LUMPUR, MALAYSIA — Hackers this week showed security conference attendees findings and demonstrations directly contradicting Apple's public claim that it can't read iMessages.
Even though the messages are encrypted end-to-end as Apple claims, according to QuarksLab researchers showed a packed room at Hack In The Box Kuala Lumpur, due to the lack of certificate pinning, "Apple can technically read your iMessages whenever they want."
More worryingly, in the presentation "How Apple Can Read Your iMessages and How You Can Prevent It," the researchers also showed that iMessages can be intercepted and instantly changed via a man-in-the-middle (MiTM) attack.
The message interception allows a third-party attacker to seamlessly change the sent message before it arrives — and with the sender impersonated, the iMessage recipient is none the wiser.
The researchers followed through with their claims on Thursday in a 90-minute presentation, including detailed, step-by-step slides and descriptions, and two demonstrations.
The second demonstration was unsuccessful due to conference network issues. But after the talk, ZDNet was given an exclusive demo on video when the network was back at full operation.
French security researchers "Pod2G" (Cyril Cattiaux) and "GG" allowed us to film the hackers while they intercepted, read and changed the content of iMessages between two iPhones.
However, in a statement to AllThingsD, Apple spokesperson Trudy Muller said: "iMessage is not architected to allow Apple to read messages. The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so."
However, "theoretical" as it may be, QuarksLab's demonstration shows that iMessage can be exploited or manipulated.
ZDNet has reached out to Apple for additional comment and will update this article if we hear back.
"Apple cannot decrypt that data"
On June 6,, Apple — among others, including Google, Facebook, Microsoft, and Yahoo — were linked to mass surveillance programs conducted by the U.S. National Security Agency (NSA) and the now-infamaous PRISM program. The named seven major technology companies were alleged to be somehow involved in legally and ethically dubious U.S. government-run surveillance programs.
Apple responded publicly saying a statement on its website that iMessages, "are protected by end-to-end encryption so no one but the sender and receiver can see or read them."
The statement added: "Apple cannot decrypt that data."
The Cupertino, Calif.-based technology giant's implication was that third-parties, such as the NSA, could not intercept messages with its quiet cooperation, because according to Apple, the system itself made such interception impossible.
"Apple's claim that they can't read end-to-end encrypted iMessage[s] is definitely not true," QuarksLab's white paper reads. "As everyone suspected: yes they can!"
The hackers told ZDNet that every Apple product compatible with iMessages is affected.
"Basically, nearly all current Apple products: iMac, Mac Pro, MacBook Pro, MacBook Pro Retina, iPhone, iPod Touch, iPad. We will release a tweak for jailbroken iOS devices and an application for OS X just after the presentation."
Before their presentation at Hack In The Box yesterday, QuarksLab had hinted to media that they had discovered the weaknesses emphasizing that their findings showed that Apple could indeed read user messages if it wanted to.
Only possible with superior skills, access, and resources
Pod2G and GG said that hacking iMessage to impersonate users, intercept messages and read private message contents was indeed possible.
But they repeatedly emphasized this was only possible if the third party is a skilled attacker, and cited Apple and the NSA as examples of capable skill level.
The researchers explained that to break iMessage encryption (AES, RSA, and ECDSA algorithms) in the manner shown would require the attacker to get physical control of the device — once.
Then, the attacker would install fraudulent certificates on it, and run spoofed servers tricked out to mimic Apple servers. The flaw's essence, as QuarksLab described it, lies in the protocol's lack of certificate pinning.
Even though performing this man-in-the-middle attack is quite a lot of work, and can only be done under limited circumstances, QuarksLab told the security conference's attendees that if they needed a secure message system, they should choose a different one. Especially, they jokingly cautioned, if the messages contain discussion of Apple related zero-days or exploits.
How to prevent iMessage surveillance?
The hackers concluded their bombshell of a talk — to a packed, standing-room-only crowd — by sharing a tool they created that gives iMessage users on iPhones the ability to essentially plug the flaw themselves and make their messages truly private and secure.
Featured
Their tool "iMTM Protect" (available for download on GitHub) is a helpful, superlative approach to empowering users to protect themselves from a serious privacy issue that raises too many questions to answer at this time.
It's also a refreshing outcome to the revelation of a security flaw in a product from a company known for staying silent on its product's security problems — and tends to tell users that security holes will get fixed "sometime" in the next update cycle.
The tool is ready for skilled computer users, though sadly it is likely out of reach for the average Apple iMessage user's technical skill level — and only works on jailbroken iPhones at this time.
But it's a step in an interesting direction.
As QuarksLab summarized in "How Apple Can Read Your iMessages" the iMessage user may not be not at risk with this issue from an average malicious attacker.
Needless to say, what QuarksLab revealed at Hack In The Box yesterday is still a serious issue for all users of iMessage with concerns about threats with resources, such as nation-states. And now, the whole situation casts a shadow over Apple's previous reassurances.
More from QuarksLab iMessage findings: