Dancing on the Lip of the Volcano: Chosen Ciphertext Attacks on Apple iMessage Christina Garman, Matthew Green, Gabriel Kaptchuk, Ian Miers, and Michael Rushanan, Johns Hopkins University https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/garman
This paper is included in the Proceedings of the 25th USENIX Security Symposium August 10–12, 2016 • Austin, TX ISBN 978-1-931971-32-4
Open access to the Proceedings of the 25th USENIX Security Symposium is sponsored by USENIX nc ng on t e of t e olc no osen erte t Att cks on A le ess ge
Christina Garman Matthew Green Gabriel Kaptchuk Johns Hopkins University Johns Hopkins University Johns Hopkins University cgarman cs hu edu mgreen cs hu edu gkaptchuk cs hu edu Ian Miers Michael Rushanan Johns Hopkins University Johns Hopkins University imiers cs hu edu micharu cs hu edu
A str ct Justice accused Apple of thwarting an investigation by refusing to turn over iMessage plaintext [11]. iMes- Apple’s iMessage is one of the most widely-deployed sage has been at the center of a months-long debate end-to-end encrypted messaging protocols. Despite its initiated by U.S. and overseas officials over the imple- broad deployment, the encryption protocols used by mentation of “exceptional access” mechanisms in end- iMessage have never been subjected to rigorous crypt- to-end encrypted communication systems [7, 26, 33], and analysis. In this paper, we conduct a thorough analy- some national ISPs have temporarily blocked the proto- sis of iMessage to determine the security of the proto- col [32]. Throughout this controversy, Apple has consis- col against a variety of attacks. Our analysis shows that tently maintained that iMessage encryption is end-to-end iMessage has significant vulnerabilities that can be ex- and that even Apple cannot recover the plaintext for mes- ploited by a sophisticated attacker. In particular, we out- sages transmitted through its servers [10]. line a novel chosen ciphertext attack on Huffman com- pressed data, which allows retrospective decryption of Given iMessage’s large installed base and the high some iMessage payloads in less than 218 ueries. The stakes riding on its confidentiality, one might expect practical implication of these attacks is that any party iMessage to have received critical attention from the re- who gains access to iMessage ciphertexts may poten- search community. Surprisingly, there has been very lit- tially decrypt them remotely and after the fact. We ad- tle analysis of the system, in large part due to the fact that ditionally describe mitigations that will prevent these at- Apple has declined to publish the details of iMessage’s tacks on the protocol, without breaking backwards com- encryption protocol. In this paper we aim to remedy this patibility. Apple has deployed our mitigations in the lat- situation. Specifically, we attempt to answer the follow- est iOS and OS X releases. ing uestion: how secure is Apple iMessage Our contributions In this work we analyze the iMessage ntrod ct on protocol and identify several weaknesses that an attacker may use to decrypt iMessages and attachments. While The past several years have seen widespread adoption of these flaws do not render iMessage completely insecure, end-to-end encrypted text messaging protocols. In this some flaws reduce the level of security to that of theTLS work we focus on one of the most popular such proto- encryption used to secure communications between end- cols: Apple’s iMessage. Introduced in 2011, iMessage user devices and Apple’s servers. This finding is surpris- is an end-to-end encrypted text messaging system that ing given the protection claims advertised by Apple [10]. supports both iOS and OS X devices. While Apple does Moreover, we determine that the flaws we detect in iMes- not provide up-to-date statistics on iMessage usage, in sage may have implications for other aspects of Apple’s February 2016 an Apple executive noted that the system ecosystem, as we discuss below. had a peak transmission rate of more then 200,000 mes- To perform our analysis, we derived a specification for sages per second, across 1 billion deployed devices [12]. iMessage by conducting a partial black-box reverse engi- The broad adoption of iMessage has been controver- neering of the protocol as implemented on multiple iOS sial, particularly within the law enforcement and national and OS X devices. Our efforts extend a high-level pro- security communities. In 2013, the U.S. Drug Enforce- tocol overview published by Apple [9] and two existing ment Agency deemed iMessage “a challenge for DEA partial reverse-engineering efforts [1, 34]. Armed with a intercept” [22], while in 2015 the U.S. Department of protocol specification, we conducted manual cryptanal-
USENIX Association 25th USENIX Security Symposium 655 ysis of the system. Specifically, we tried to determine our work primarily considers the iMessage instant mes- the system’s resilience to both back-end infrastructure at- saging system, we note that the vulnerabilities identified tacks and more restricted attacks that subvert only client- here go beyond iMessage. Apple documentation notes local networks. that Apple’s “Handoff” service, which transmits per- Our analysis uncovered several previously unreported sonal data between Apple devices over Bluetooth Low vulnerabilities in the iMessage protocol. Most signifi- Energy, encrypts messages “in a similar fashion to iMes- cantly, we identified a practical adaptive chosen cipher- sage” [9]. This raises the possibility that our attacks on text attack on the iMessage encryption mechanism that iMessage encryption may also affect inter-device com- allows us to retrospectively decrypt certain iMessage munication channels used between Apple devices. At- payloads and attachments, provided that a single Sender tacks on this channel are particularly concerning because or Recipient device is online. To validate this finding, these functions are turned on by default in many new we implemented a proof of concept exploit against our Apple devices. We did not investigate these attack vec- own test devices and show that the attack can be con- tors in this work but subsequent discussions with Apple ducted remotely (and silently) against any party with an have confirmed that Apple uses the same encryption im- online device. This exploit is non-trivial and required plementation to secure both iMessage and inter-device us to develop novel exploit techniques, including a new communications. Thus, securing these channels is one chosen ciphertext attack that operates against ciphertexts side effect of the mitigations we propose in 7. containing gzip compressed data. We refer to this tech- nique as a gzip format oracle attack, and we believe it Res ons le d sclos re may have applications to other encryption protocols. We discuss the details of this attack in 5. In November 2015 we delivered a summary of the results We also demonstrate weaknesses in the device reg- in this paper to Apple. Apple acknowledged the vulner- istration and key distribution mechanisms of iMessage. ability in 5 and has initiated substantial repairs to the One weakness we exploit has been identified by the re- iMessage system. These repairs include: enforcing cer- verse engineering efforts in [34], while another is novel. tificate pinning across all channels used by iMessage,1 As they are not the main result of this work, we include removing compression from the iMessage composition them in Appendix A for completeness. (for attachment messages), and developing a fix based Overall, our determination is that while iMessage’s on our proposed “duplicate ciphertext detection” mitiga- end-to-end encryption protocol is an improvement over tion (see 7). Apple has also made changes to the use of systems that use encryption on network traffic only (e.g., iMessage in inter-device communications such as Hand- Google Hangouts), messages sent through iMessage may off, although the company has declined to share the de- not be secure against sophisticated adversaries. Our re- tails with us. The repairs are included in iOS 9.3 and OS sults show that an attacker who obtains iMessage cipher- X 10.11.4, which shipped in March 2016. texts can, at least for some types of messages, retrospec tively decrypt traffic. Because Apple stores encrypted, Att ck odel undelivered messages on its servers and retains them for up to 30 days, such messages are vulnerable to any party Our attacks in 5 require the ability to obtain iMessage who can obtain access to this infrastructure, e.g., via ciphertexts sent to or received by a client. Because Apple court order [11] or by compromising Apple’s globally- Push Network Services (APNs) uses TLS to transmit en- distributed server infrastructure [36]. Similarly, an at- crypted messages to Apple’s back-end servers, exploit- tacker who can intercept TLS using a stolen certificate ing iMessage requires either access to data from Apple’s may be able to intercept iMessages on certain versions of servers or a forged TLS certificate. We stress that while iOS and Mac OS X that do not employ certificate pinning this is a strong assumption, it is the appropriate threat on Apple Push Network Services (APNs) connections. model for considering end-to-end encrypted protocols. Given the wide deployment of iMessage, and the at- A more interesting objection to this threat model is tention paid to iMessage by national governments, these the perception that iMesssage might be too weak to sat- threats do not seem unrealistic. Fortunately, the vulnera- isfy it. For example, in 2013 Raynal et al pointed out bilities we discovered in iMessage are relatively straight- a simple attack on Apple’s key distribution that enables forward to repair. In the final section of this paper, we a TLS MITM attacker to replace the public key of a re- offer a set of mitigations that will restore strong crypto- cipient with an attacker-chosen key [34]. One finding of graphic security to the iMessage protocol. Some of these this work is that as of December 2015 such attacks have are included in iOS 9.3 and Mac OS X 10.11.4, which been entirely mitigated by Apple through the addition of shipped in March 2016. 1This feature was added to OS X 10.11 in December, as a result of Other uses of the iMessage encryption protocol While our notification.
656 25th USENIX Security Symposium USENIX Association certificate pinning on key server connections (see Ap- service, which is operated by Apple using both their own pendix A). More fundamentally, however, such attacks servers and virtual servers provisioned on Amazon AWS, are prospective – in the sense that they require the at- Microsoft Azure, and Google’s Cloud Platform. tacker to target a particular individual before the individ- ual begins communicating. By contrast, the attacks we The basic unit of identity in describe in this paper are retrospective. They can be run dent t nd reg str t on iMessage is the iCloud account name, which typically against any stored message content, at any point subse- consists of an email address or phone number controlled quent to communication, provided that one target device by the user. End-user devices are registered to the iCloud remains online. Moreover, unlike previous attacks which service by associating them with an account. The map- require access to the target’s local network, our attacks ping between client devices and accounts is not one-to- may be run remotely through Apple’s infrastructure. one: a single account may be used across multiple de- vices, and similarly, multiple accounts can be associated e ess ge rotocol with a single device. We give further information about the registration process in Appendix A. To obtain the full iMessage specification, we began with the security overview provided by Apple, as well as de- tailed previous software reverse-engineering efforts con- ess ge encr t on nd decr t on To transmit a ducted by Raynal [34] and others [1]. While these pre- message to some list of Recipient IDs, the Sender’s vious results provide some details of the protocol, they iMessage client first contacts the IDS to obtain the pub- omit key details of the encryption mechanism, as well lic key(s) P 1,...,P D and a list of APNs push to- as the complete key registration and notification mecha- kens associated with the Sender and Recipient identi- nisms. We conducted additional black-box reverse engi- ties.3 It then encodes the Sender and Recipient ad- neering efforts to recover these elements. Specifically, dresses and plaintext message into a binary plist key- we analyzed and modified protocol exchanges to and value data structure and compresses this structure using from several jailbroken and non-jailbroken Apple de- the gzip compression format. The client next gener- vices.2 In conformity to Apple’s terms of service, we ates a 128-bit AES session key and encrypts the re- did not perform any software decompilation. sulting compressed message using AES-CTR with IV = 1. This produces a ciphertext c, which is next parti- tioned as c =(c c ) where c represents the first 101 stem o er ew 1 2 1 bytes of c. The Sender parses each P i to obtain the public encryption key pk and for i = 1 to D, cal- iMessage clients iMessage clients comprise several E,i culates C = RSA-OAEP(pk , c ) and a signature pieces of software running on end-user devices. On iOS i E,i 1 σ = ECDSASign(sk ,C c ). For each distinct push to- and OS X devices, the primary user-facing component is i S i 2 ken received from IDS, the Sender transmits (C ,c ,σ ) the Messages application. On OS X computers, this ap- i 2 i to the APNs server. This process is illustrated in Fig- plication interacts with at least three daemons: , the apsd ure 1. daemon responsible for pushing and pulling application For each ciphertext, the APNs service delivers the tu- traffic over the Apple Push Notification Service (APNs) ple (ID ,ID ,C ,c ,σ ) to the intended desti- channel imagent, a daemon that pulls notifications even sender recipient i 2 i nation. The receiving device contacts IDS to obtain the if Messages is closed and identityservicesd, a dae- Sender’s public key P , parses for the signature veri- mon which maintains a cache of other users’ keys. iOS fication key vk , then verifies the signature σ. If veri- devices also contain an apsd daemon, while other dae- S fication succeeds, it decrypts C to obtain c , recon- mons handle the task of managing identities. i 1 structs c =(c c ) and decrypts the resulting AES-CTR 1 2 Apple services iMessage clients interact with multiple ciphertext using . It decompresses the resulting gzip back-end services operated by Apple and its partners. We ciphertext, parses the resulting plist to obtain the list focus on the two most relevant to our attack. The Apple of Recipient IDs, and verifies that each of IDsender and directory service (IDS, also known as ESS) maintains a IDrecipient are present in this list. If any of the preced- mapping between user identities and public keys and is ing checks fail, or if the Recipient is unable to parse or responsible for distributing user public keys on request. decompress the resulting message, the receiving device iMessage content is transmitted via the Apple Push No- silently aborts processing. tification Service (APNs). Long iMessages and attach- ments are transmitted by uploading them to the iCloud 3This list includes one entry for each device registered to each Sender and Recipient ID. The Messages client encrypts the message 2In this analysis we considered iOS 6, 8, and 9 devices, as well as with each Sender public key to ensure that message transcripts can be Mac clients running OS X 10.10.3, 10.10.5, and 10.11.1. read across all of the Sender’s devices.
USENIX Association 25th USENIX Security Symposium 657 Recipient PK sender ID iMessage binary plist Sender SK gzip compress AES key huffman table compressed payload CRC AES-CTR encrypt (IV=1) AES encrypted payload extract bytes 0:100 extract bytes 101:n concatenation RSA-OAEP encryption RSA ciphertext partial AES ciphertext signature ECDSA-SHA1 sign
Figure 1: The iMessage encryption mechanism. From the top, each iMessage is encoded in a binary plist key/value structure. The structure encodes a list of Sender and Recipient account identifiers, as well as the message contents. This payload is subse uently gzip compressed, and encrypted under a freshly-generated 128-bit message key using AES in CTR-mode. The AES key and the first 101 bytes of the AES ciphertext are concatenated and are encrypted to each Recipient’s public key using RSA-OAEP. The remaining bytes of the AES ciphertext are concatenated to the RSA ciphertext and the result is signed using ECDSA under the Sender’s registered signing key.
Att c ments nd long mess ges For long messages or large Internet service providers. and messages containing file attachments (e.g., images or video), iMessage delivers the encrypted data using a etwork o er tor