Tag Archives: iMessage

Encryption – The Devil Is In The Details – Listen Up WhatsApp and iMessage

Jonathan Zdziarski wrote about an implementation challenge for the security conscious among us.  While WhatsApp does delete the message when you tell it to, it leaves artifacts behind.  WhatsApp and other phone apps use the SQLite database.  SQLite, likely to reduce wear in your phone’s memory, doesn’t actually delete the message, but rather just marks it deleted.  If you create more new messages after you delete old ones, the old messages may be overwritten in the database, but then again, may not – at the whim of how the database works.

Worse yet, on an iPhone, that database is backed up to the cloud, which as we all know, Apple will turn over to law enforcement if asked.

The question for me then became – but I thought they were doing end to end encryption.  Well, the answer APPEARS to be, kind of, sort of.  It is end to end, meaning that from the sender to the recipient it is encrypted, but it appears that locally, it is not stored encrypted.  This means that anyone who has access to your phone or your iCloud backup may be able to read your messages, deleted or not.

Maybe you want to use iMessage instead.  Turns out it has the same problem.  The iMessage database is copied to the cloud, and to your PC if you back up your phone to your PC.  Even if you encrypt the backup, a weak password can be easily cracked with tools available to hackers and others.

Curiously, according to Jonathan, Signal, the free chat and call app designed by famed hacker Moxie Marlinspike and others, leaves almost no forensic traces behind.  This is due to design choices they made.

What can you do?

If you use iTunes backup, use a long, complex password and do not store the password in the keychain or on your PC; otherwise it could be recovered using forensics tools.

Disable backups with iCloud as it does not honor your backup password – nice huh?

Really, the only effective way is to periodically uninstall the app as this will delete the database.  Then you can reinstall it.  Sounds like a bit of a pain.

Alternatively, you can use Signal.  It works just as well and leaves almost no artifacts.

BUT – and it is a big butt – both sender and recipient have to use Signal in order for it to do its magic.  Signal will send a regular SMS message if the person at the other end is not a Signal user and won’t tell you that it is not secure. Those are not encrypted.

For the developers in the crowd, Jonathan does suggest several ways for developers to fix this problem in their app – it really isn’t hard, just requires some advance planning.
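The leftover-record behaviour described earlier in this post, and one setting a developer can turn on against it, as an added example (not code from Jonathan’s post or from either app, and not necessarily one of the fixes he suggests).  The `messages` table and the sample text are constructed for the demonstration; `PRAGMA secure_delete` is a standard SQLite setting that zeroes the space a deleted record occupied.

```python
import os
import sqlite3
import tempfile

# Constructed sample data; the table layout is hypothetical,
# not the schema WhatsApp or iMessage actually use.
SECRET = "CONSTRUCTED-SAMPLE: meet at the usual place at 7pm"
OTHERS_BEFORE = ["hello", "running late"]
OTHERS_AFTER = ["ok see you then"]


def delete_and_inspect(secure_delete: bool) -> dict:
    """Delete one message, then report what the app sees and what the file holds."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "chat.db")
        db = sqlite3.connect(path, isolation_level=None)  # autocommit mode
        # Set explicitly: some SQLite builds are compiled with this ON by default.
        db.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        db.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        db.executemany(
            "INSERT INTO messages (body) VALUES (?)",
            [(m,) for m in OTHERS_BEFORE + [SECRET] + OTHERS_AFTER],
        )
        # The "delete" the user asks for in the app.
        db.execute("DELETE FROM messages WHERE body = ?", (SECRET,))
        # What the app (any SQL query) can still see.
        visible = db.execute(
            "SELECT COUNT(*) FROM messages WHERE body = ?", (SECRET,)
        ).fetchone()[0] > 0
        db.close()
        # What a forensic tool sees: the raw bytes of the database file.
        with open(path, "rb") as fh:
            raw = fh.read()
    return {"visible_to_app": visible, "bytes_in_file": SECRET.encode() in raw}


if __name__ == "__main__":
    print("secure_delete OFF:", delete_and_inspect(False))
    print("secure_delete ON: ", delete_and_inspect(True))
```

This only checks the main database file; it says nothing about journal files, backups or copies already synced elsewhere.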

Just some food for thought.

Information for this post came from Jonathan Zdziarski’s blog.

Update Your iPhones and Macs to Fix This HUUUGE Bug

About a year ago, Android users were fighting something called the Stagefright bug.  Buried deep in the bowels of the operating system was a series of bugs that would allow an attacker to send you a specially crafted text message and take over your Android phone.  Stagefright affected close to a billion phones in the worst case scenario, but more likely about half that number – still a HUUUGE problem.

This week it is Apple’s turn. Cisco’s security research arm, Talos, discovered what is really a similar problem to Stagefright.  All an attacker needs is your phone number – likely not hard to get.  Then they send a specially crafted iMessage or MMS message.

The attack could be exploited via Safari by getting the user to visit an infected web site.

In any case, no user interaction is required.

So what can the attack do for the hacker?

Nothing important.  Just leak your authentication credentials stored in memory to the hacker.  Forbes says this includes any credentials the target is using in the browser such as website credentials or email logins.

Due to other security mechanisms in the iPhone, the attacker can’t completely take over the phone, but this is sufficiently bad.  Apparently, on a Mac, the problem is worse because the Mac sandbox works differently.

And, this even affects WatchOS.

In addition to this bug, the researchers at Talos also found a memory corruption bug.

And a security engineer at Salesforce found a flaw in FaceTime that would allow hackers who were located on the same network as the user (i.e., they came from outside but already compromised some other PC on your network) to spy on your FaceTime conversations.  Apple says “an attacker in a privileged network position” (which they don’t define) “may be able to cause a call to continue transmitting audio while appearing as if the call was hung up.”

In total, 43 bugs were fixed in the new version of iOS.

If you are not running iOS 9.3.3, which was released on July 18th, or Mac OS El Capitan 10.11.6, released on the same day, you should update now.

Given the complexity of computers and phones these days, it is not completely surprising that serious bugs are found.  This means we need to make sure that researchers are not hampered by Washington’s lack of understanding of technology – but that is a whole ‘nother post.

Like Stagefright, these bugs affect all versions of iOS before the one that was released 4 days ago.

According to Apple, 14% of iPhones run iOS 8 or earlier.  Likely these are older phones that might not be able to run iOS 9 for some reason.  Those phones will never be patched unless they upgrade to iOS 9.  Talk about a ‘target rich environment’.  That represents close to a hundred million phones that may never be patched – like older Android phones.

How many of the more than 1 billion iPhones are running a version of iOS older than 4 days ago?  Likely a large number.  Probably several hundred million.

This just reinforces the fact that we really need to figure out, with the billions of phones and tablets out there, how to get people to upgrade to the MOST CURRENT version of the OS.  That means that old phones need to be crushed and melted.  I know people don’t want to spend the money to replace phones that still function, but the alternative is to use a phone with bugs that allow attackers to, in this case, steal your passwords.  I guess you could sell your old unsupported phone on eBay and make it someone else’s problem 🙂

Information for this post came from Forbes and Quartz.