Normally I avoid complaining about Apple because (a) there are plenty of other people carrying that flag, and (b) I honestly like Apple and own numerous lovely iProducts. I’m even using one to write this post.
Moreover, from a security point of view, there isn’t that much to complain about. Sure, Apple has a few irritating habits — shipping old, broken versions of librariesin its software, for example. But on the continuum of security crimes this stuff is at best a misdemeanour, maybe a half-step above ‘improper baby naming‘. Everyone’s software sucks, news at 11.
There is, however, onething that drives me absolutely nuts about Apple’s security posture. You see, starting about a year ago Apple began operating one of the most widely deployed encrypted text message services in the history of mankind. So far so good. The problem is thatthey still won’t properly explain how it works.
And nobody seems to care.
I am, of course, referring to iMessage, which was deployed last year in iOS Version 5. It allows — nay, encourages — users to avoid normal carrier SMStext messages and to route their texts through Apple instead.
Now, this is not a particularly new idea. But iMessage is special for two reasons. First it’s built into the normal iPhone texting application and turned on by default. When my mum texts another Apple user, iMessage will automatically route her message over the Iiternet. She doesn’t have to approve this, and honestly, probably won’t even know the difference.
Secondly, iMessage claims to bring ‘secure end-to-end encryption‘ (and authentication) to text messaging. In principle this is huge! True end-to-end encryption should protect you from eavesdropping even by Apple, who carries your message. Authentication should protect you from spoofing attacks.Thisstands in contrast to normal SMS which is often not encrypted at all.
So why am I looking a gift horse in the mouth? iMessage will clearly save you a ton in texting charges and it will secure your messages for free. Some encryption is better than none, right?
Well maybe.
To me, the disconcerting thing about iMessage is how rapidly it’s gone from no deploymentto securing billions of text messages for millions of users. And this despite the fact thatthe full protocol has never been published by Apple or (to my knowledge) vetted by security experts. (Note: if I’m wrong about this, let me know and I’ll eat my words.)
What’s worse is that Apple has been hyping iMessage as a secure protocol; they even propose it as a solutionto some serious SMS spoofing bugs. For example:
Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS.
And this makes me nervous. While iMessage may very well be as secure as Apple makes it out to be, there are plenty of reasons to give the protocol a second look.
For one thing, it’s surprisingly complicated.
iMessageis not just two phones talking to each other with TLS. If this partial reverse-engineering of the protocol (based on the MacOS Mountain Lion Messages client) is for real, then there are lots of moving parts. TLS. Client certificates. Certificate signing requests. New certificates delivered via XML. Oh my.
As a general rule, lots of moving parts means lots of places for things to go wrong. Things that could seriously reduce the security of the protocol. And as far as I know, nobody’s given this much of a look. It’s surprising.
Moreover, there are some very real questions about what powers Apple has when it comes to iMessage. In principle ‘end-to-end’ encryption should mean that onlythe end devices can read the connection. In practice this is almost certainly not the case with iMessage. A quick glance at the protocol linked above is enough to tell me that Apple operates as a Certificate Authority for iMessage devices. And as a Certificate Authority, it may be able to substantially undercut the security of the protocol. When would Apple do this? How would it do this? Are we allowed to know?
Finally, there have been several reports of iMessages going astray and even being delivered to the wrong (or stolen) devices. This stuff may all have a reasonable explanation, but it’s yet another set of reasons why we it would be nice tounderstandiMessage better than we do now if we’re going to go around relying on it.
So what’s my point with all of this?
This is obviously not a technical post. I’m not here to present answers, which is disappointing. If I knew the protocol maybe I’d have some. Maybe I’d even be saying good things about it.
Rather, consider this post as a plea for help. iMessage is important. People use it. We oughtto know how secure it is and what risks those people are taking by using it.The best solution would be for Apple to simply release a detailed specification for the protocol — even if they need to hold back a few key details. But if that’s not possible, maybe we in the community should be doing more to find out.
Remember, it’s not just our security at stake. People we know are using these products. It would be awfully nice to know what that means.
Republished with permission from Matthew Green, who can also be found writing on his blog, Cryptography Engineering. Check out his musings on Anonymous’ hacking spree and the future of electronic cash here and here.