Cryptography Experts Recommend Apple Replace its iMessage Encryption

IMessage_IconApple has implemented a series of short- and long-term defenses to its iMessage protocol after several issues were discovered by a team of researchers at Johns Hopkins University, according to a report published today (via PatentlyApple).

This attack is different to the one Johns Hopkins researchers discovered in March, which allowed an attacker to decrypt photos and videos sent over iMessage.

The technical paper details how another method known as a "ciphertext attack" allowed them to retrospectively decrypt certain types of payloads and attachments when either the sender or receiver is still online.

The scenario requires that the attacker intercepts messages using stolen TLS certificates or by gaining access to Apple's servers. While the attack takes a high level of technical expertise to be successful, the researchers note that it would be well within the means of state-sponsored actors.

Overall, our determination is that while iMessage’s end-to-end encryption protocol is an improvement over systems that use encryption on network traffic only (e.g., Google Hangouts), messages sent through iMessage may not be secure against sophisticated adversaries.

The team also discovered that Apple doesn't rotate encryption keys at regular intervals, in the way that modern encryption protocols such as OTR and Signal do. This means that the same attack can be used on iMessage historical data, which is often backed up inside iCloud. In theory, law enforcement could issue a court order forcing Apple to provide access to their servers and then use the attack to decrypt the data.

The researchers believe the attack could also be used on other protocols that use the same encryption format, such as Apple's Handoff feature, which transfers data between devices via Bluetooth. OpenPGP encryption (as implemented by GnuPGP) may be vulnerable to similar attacks when used in instant messaging applications, the paper noted.

Apple was notified of the issue as early as November 2015 and patched the iMessage protocol in iOS 9.3 and OS X 10.11.4 as a result. Since that time, the company has been pushing out further mitigations recommended by the researchers through monthly updates to several of its products.

However, the team's long-term recommendation is that Apple should replace the iMessage encryption mechanism with one that eliminates weaknesses in the protocol's core distribution mechanism.

The paper detailing the security issue is called Dancing on the Lip of the Volcano: Chosen Ciphertext Attacks on Apple iMessage, and was published as part of the USENIX Security Symposium, which took place in Austin, Texas. You can read the full paper here.

Top Rated Comments

joe-h2o Avatar
67 months ago
John Hopkins is a renowned medical school in Baltimore. What makes them the experts on cryptography?
It's more than just a medical school.

Jesus ****ing christ on a stick we're less than three comments in and 2/3 of them are dismissing this out of hand because it's not a 100% positive Apple story but a constructive criticism of how they can improve weaknesses in their cryptography.
Score: 40 Votes (Like | Disagree)
Telos101 Avatar
67 months ago
John Hopkins is a renowned medical school in Baltimore. What makes them the experts on cryptography?
They have an Information Security Institute. Professor Matthew Green was part of the research team.

Green is part of the group which developed Zerocoin ('https://en.wikipedia.org/wiki/Zerocoin'), an anonymous cryptocurrency ('https://en.wikipedia.org/wiki/Cryptocurrency'). His research team has exposed flaws in more than one third of SSL/TLS ('https://en.wikipedia.org/wiki/Transport_Layer_Security') encrypted web sites as well as vulnerabilities in encryption technologies, including RSA BSAFE ('https://en.wikipedia.org/wiki/RSA_BSAFE'), Exxon/Mobil Speedpass ('https://en.wikipedia.org/wiki/Speedpass'), E-ZPass ('https://en.wikipedia.org/wiki/E-ZPass'), and automotive security systems. In 2015, Green was a member of the research team that identified the Logjam ('https://en.wikipedia.org/wiki/Logjam_(computer_security)') vulnerability in the TLS protocol.

Green is a member of the technical advisory board for the Linux Foundation Core Infrastructure Initiative, formed to address critical Internet security concerns in the wake of the Heartbleed ('https://en.wikipedia.org/wiki/Heartbleed') security bug disclosed in April 2014 in the OpenSSL ('https://en.wikipedia.org/wiki/OpenSSL') cryptography library.

He sits on the technical advisory boards for CipherCloud ('https://en.wikipedia.org/wiki/CipherCloud'), Overnest and Mozilla Cybersecurity Delphi. Green co-founded and serves on the Board for Directors of the Open Crypto Audit Project (OCAP), which undertook a security audit ('https://en.wikipedia.org/wiki/Security_audit') of the TrueCrypt ('https://en.wikipedia.org/wiki/TrueCrypt') software.

https://en.wikipedia.org/wiki/Matthew_D._Green
Score: 35 Votes (Like | Disagree)
voxtro Avatar
67 months ago
John Hopkins is a renowned medical school in Baltimore. What makes them the experts on cryptography?
Comments like these annoy me quite a bit (unless I'm missing some type of sarcasm). As an Apple user and someone with a background in cryptography who has actually read the entire paper, you don't need to have a MIT or Stanford paper to make a cryptanalysis. In cryptography papers are heavily peer reviewed and skepticism is part of the process the whole time. At the end of the day it boils down to mathematics and computer science and these are provable things, so it's not hypothesis. The paper includes examples of how the attacks can be carried out and under specific conditions. It explains the protocols and the exact mechanisms used to extract the payloads in their settings. All the caveats are stated. Also, it does state that Apple implemented a lot of their recommendations in later versions of iOS and OS X/macOS (their paper references iOS 9.3 and OS X 10.11.4 or later)
Score: 31 Votes (Like | Disagree)
joe-h2o Avatar
67 months ago
I think I read this on news.google.com.au.... sounds like a beat up to me. Next....
You have to read more than just the title before you can make an informed comment.
Score: 19 Votes (Like | Disagree)
aplnub Avatar
67 months ago
I think I read this on news.google.com.au.... sounds like a beat up to me. Next....
Doesn't sound like a beat up to me. Sounds like good advice and it seems Apple has been favorable at receiving advice in the past. Hopefully, they address the concerns for all our sakes.
Score: 13 Votes (Like | Disagree)
aplnub Avatar
67 months ago
John Hopkins is a renowned medical school in Baltimore. What makes them the experts on cryptography?
A school cannot be great at more than one field?
Score: 11 Votes (Like | Disagree)

Top Stories

apple california streaming event

Apple Event Announced: 'California Streaming' on September 14 With iPhone 13, Apple Watch Series 7 Expected

Tuesday September 7, 2021 9:03 am PDT by
Apple today announced that it will be holding a special event on Tuesday, September 14 at 10:00 a.m. The event will take place at the Steve Jobs Theater on the Apple Park campus in Cupertino, California. As with WWDC and last year's fall events, this new event will be held digitally with no members of the media invited to attend in person. Apple will likely provide pre-taped segments for...
Apple Prefer Lightning Over USB C Feature

iPhone Sticking With Lightning Port Over USB-C for 'Foreseeable Future'

Tuesday March 2, 2021 9:32 am PST by
Apple will retain the Lightning connector on the iPhone for the "foreseeable future," with no intention of switching to USB-C, according to reliable analyst Ming-Chi Kuo. In spite of much of the industry moving toward USB-C, Apple will not be using it to replace the Lightning connector on the iPhone 13, or indeed on any iPhone model for the time being. In a note seen by MacRumors yesterday,...
iphone 12 colors 2021

iPhone 12 Colors: Deciding on The Right Color

Thursday November 5, 2020 8:35 am PST by
The iPhone 12 and iPhone 12 Pro arrived in October 2020 in a range of color options, with entirely new hues available on both devices, as well as some popular classics. The 12 and 12 Pro have different color choices, so if you have your heart set on a particular shade, you might not be able to get your preferred model in that color. iPhone 12 mini and iPhone 12 The iPhone 12 mini and iPhone...
it home ecommerce app iphone 13

iPhone 13 to Launch on September 17, AirPods 3 on September 30, Claims Report

Wednesday August 25, 2021 2:42 am PDT by
Apple may be planning to launch the iPhone 13 on Friday, September 17 and third-generation AirPods on Thursday, September 30, according to an image of an e-commerce app discovered by Chinese language site IT Home. The screenshot, originally posted by Weibo account @PandaIsBald, suggests all four iPhone 13 models will go on sale on September 17, followed by the AirPods 3 on September 30....
youtube apple tv

YouTube Discontinuing 3rd-Generation Apple TV App, AirPlay Still Available

Wednesday February 3, 2021 3:09 pm PST by
YouTube is planning to stop supporting its YouTube app on the third-generation Apple TV models, where YouTube has long been available as a channel option. A 9to5Mac reader received a message about the upcoming app discontinuation, which is set to take place in March.Starting early March, the YouTube app will no longer be available on Apple TV (3rd generation). You can still watch YouTube on...
original iphone

Phil Schiller Says iPhone Was 'Earth-Shattering' Ten Years Ago and Remains 'Unmatched' Today

Monday January 9, 2017 7:15 am PST by
To commemorate the tenth anniversary of the iPhone, Apple marketing chief Phil Schiller sat down with tech journalist Steven Levy for a wide-ranging interview about the smartphone's past, present, and future. The report first reflects upon the iPhone's lack of support for third-party apps in its first year. The argument inside Apple was split between whether the iPhone should be a closed...
studio buds family

Beats Studio Buds Debuting Today With Active Noise Cancellation, Stemless Design, and More for $150

Monday June 14, 2021 8:00 am PDT by
We've seen a lot of teasers about the Beats Studio Buds over the past month since they first showed up in Apple's beta software updates, and today they're finally official. The Beats Studio Buds are available to order today in red, white, and black ahead of a June 24 ship date, and they're priced at $149.99. The Studio Buds are the first Beats-branded earbuds to truly compete with AirPods...
maroon5memories

Apple Collaborates With Maroon 5 to Add 'Memories' Song to Photos App

Wednesday September 25, 2019 12:02 pm PDT by
Apple has teamed up with Maroon 5 to add the group's new song "Memories" to the Memories feature in the Photos app, allowing it to be used for photo slide show creations, reports Billboard. "Memories" will be available as a soundtrack option for a limited time and it is available to iPhone and iPad users running the latest iOS 13 and iPadOS software. Memories in the Photos app are created ...
ulysses Blog Publishing

Ulysses 22 Brings New Blogging Options and Visual Customizations

Monday March 22, 2021 5:24 am PDT by
Popular writing app Ulysses today received its 22nd major release, introducing new publishing features and additional options for users to customize the visual appearance of their writing environment. As well as providing a focused writing environment, Ulysses offers ways to publish texts from within the app to various blogging platforms. Version 22 adds the ability to publish to Micro.blog, ...
affinity designer contour tool

Serif Updates Affinity Photo, Designer, and Publisher With New Tools and Functions

Thursday February 4, 2021 1:58 am PST by
Serif today announced across-the-board updates for its popular suite of Affinity creative apps, including Affinity Photo, Affinity Designer, and the Apple award-winning Affinity Publisher for Mac, all of which were among the first professional creative suites to be optimized for Apple's new M1 chip. "After another year which saw record numbers of people switching to Affinity, it's exciting to...