iMessage Security and Encryption Improved in new iOS
If you haven’t already, take a break and update your MacBooks and iPhones to the latest versions released Monday afternoon by Apple, OS X El Capitan 10.11.14 and iOS 9.3. Caution: this one takes a bit of time, but it’s worth it.
Another vulnerability that is receiving much attention for its current-events timeliness may allow an attacker to bypass Apple’s certificate pinning, intercept TLS connections and inject messages. They may also be able to read the attachments of encrypted attachment-type messages (such as photos and videos), according to Apple’s security update document.
A group of graduate students led by cryptographer and professor Matthew Green found flaws in iMessage’s encryption process last year. The team found a slight oversight in the encryption protocol described in a diagram in the iOS Security Guide, as reported by ThreatPost.
Apple signs the encrypted portion of an iMessage with an ECDSA (Elliptic Curve Digital Signature Algorithm) signature instead of authenticating the encrypted portions.
If these signatures are attacked, messages being transmitted and stored can be at risk of compromise. By brute-forcing the encryption key, attackers could access iMessage content stored in Apple’s iCloud and decrypt the photo or video attachments of the messages.
Apple retains encrypted, undelivered messages on its servers for up to 30 days, which may be vulnerable to any attacker that compromises Apple’s globally distributed server infrastructure.
An attacker that intercepts TLS using a stolen certificate may also be able to intercept iMessages on certain older versions of iOS and Mac OS X that don’t employ certificate pinning, according to the Johns Hopkins research paper.
Certificate pinning is a practice in which software refuses to accept as valid any certs other than a specific set, or those issued by a particular CA, according to MacWorld.com.
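The pinning check described above, as an added example that is not code from Apple, Duo or the cited research: a certificate must pass normal CA validation and also match a pinned SHA-256 fingerprint, either of the server certificate itself or of its issuing CA. All function names and the sample byte strings are assumptions made for illustration; the byte strings are constructed stand-ins, not real certificates.

```python
import hashlib
import socket
import ssl

class PinMismatch(Exception):
    """Raised when a CA-valid certificate is not in the pin set."""

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding of a certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def chain_is_pinned(chain_der, pins) -> bool:
    """True if any certificate in the chain (leaf first) matches a pin.

    Pinning the leaf accepts only that certificate; pinning a CA certificate
    accepts anything issued under it. An empty chain never matches.
    """
    return any(fingerprint(der) in pins for der in chain_der if der)

def connect_pinned(host, pins, port=443, timeout=5.0):
    """Open a TLS connection that must pass CA validation and a leaf pin."""
    ctx = ssl.create_default_context()  # chain and hostname checks stay on
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    # Only the leaf is checked here; a CA pin needs the full presented chain.
    leaf = tls.getpeercert(binary_form=True) or b""
    if not chain_is_pinned([leaf], pins):
        tls.close()
        raise PinMismatch(f"{host}: certificate {fingerprint(leaf)} is not pinned")
    return tls

# Constructed stand-ins for DER bytes (not real certificates).
LEAF = b"constructed: expected server certificate"
ROGUE_LEAF = b"constructed: different certificate from a trusted CA"
CA = b"constructed: issuing CA certificate"
OTHER_CA = b"constructed: unrelated trusted CA certificate"

if __name__ == "__main__":
    leaf_pins = {fingerprint(LEAF)}
    ca_pins = {fingerprint(CA)}
    print(chain_is_pinned([LEAF, CA], leaf_pins))              # expected cert
    print(chain_is_pinned([ROGUE_LEAF, OTHER_CA], leaf_pins))  # CA-valid, unpinned
    print(chain_is_pinned([ROGUE_LEAF, CA], ca_pins))          # accepted via CA pin
```

The second case is the one pinning exists for: a certificate that a trusted CA would vouch for is still refused because it is not in the pinned set.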
Apple addressed the cryptographic issue by rejecting duplicate messages on the client. Apple also released updates for nearly all of its products, including Safari, Apple tvOS and watchOS. One Safari issue could have let a site track user information by the way it handled attachment URLs.
The key takeaways: Update your Apple devices ASAP, and require your users to update their devices too, before they connect to your apps, networks and systems.
Outdated operating systems on both laptops and mobile devices can leave your company at risk of an exploit carried out using a known vulnerability, such as those discussed above.
One way to quickly close the security gap between old and new versions is to notify any users running outdated Apple operating systems and browsers using Duo’s Self-Remediation tool. It checks which version your users are running before they authenticate into your environment using Duo’s two-factor authentication, then provides a link to update.
Better yet, you can warn them to update before they are blocked after a certain number of days - or just block them immediately until they update by creating a custom authentication policy with Duo’s Endpoint Remediation feature.