Quarkslab researchers Cyril Cattiaux has revealed Apple lied when it claimed it could not intercept iMessages sent by its users.
“For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data,” Apple declared in a statement on its website.
“Apple’s claim that they can’t read end-to-end encrypted iMessage is definitely not true,” they said. Apple has no reason to do so. But what of intelligence agencies?” they said.
It is clear the reference to the case PRISM and the revelation made by Snowden on the collaboration offered by Apple to NSA for surveillance activities. When the user sends a iMessage to someone, he takes the receiver’s public key from Apple, and encrypts the message. Once the message is received by recipient he is able to decrypt the message with his private key according classic asymmetric encryption scheme. Apple acts as a Certification Authority of any PKI architecture, public keys were managed on a server called ESS that could be not publicly inspected. The researchers created its own bogus Certification Authority and inserted its reference into the iPhone Keychain to be able to access to SSL encrypted traffic acting as a proxy. Cattiaux noted that Apple ID and password was being transmitted in clear text during iMessage transmission. Apple actually controls public key repository this means that it could perform a MITM to intercept users’ messages.
They exploited the lack of mechanisms to tell devices to trust a given certificate, for PUSH and iMessage servers, allowing a fake certificate authority to be added to the user Keychain. 
“Firstly, it means that Apple [and intelligence agencies] can replay our password using for instance our email on many websites. Secondly, it also means that anyone capable of adding a certificate and able to [proxy] the communications can get user’s Apple ID and password, thus get access to include accounts, backups” and app purchasing.
There is the concrete risks that enterprise IT managers when assigning Apple devices with mobile device management platforms could intercept sensitive Apple user account details including iCloud usernames and passwords.
“If the device is connected to iPhone Configuration Utility, Apple’s enterprise solution for management of iPhones, a trusted CA (Certificate Authority) is added. The consequence is that all subsequent certificates signed by that CA will be trusted to create the SSL communication. It means all companies using that are able to retrieve their employee’s AppleID and password by simply [proxying] the SSL communication.”
I suggest to read the interesting analysis published in the blog post of the researchers.
(Security Affairs – Apple, Privacy, iMessage)
Share On
