The 2016 Pwnie Nominee For Best Cryptographic Attack

Dancing on the Lip of the Volcano: Chosen Ciphertext Attacks on Apple iMessage

Credit: Christina Garman, Matthew Green, Gabriel Kaptchuk, Ian Miers, Michael Rushanan

Your intuition is that this is a contender just for impact. They have a decryption attack against one of the most widely-used secure messaging protocols in the world. Done and done, on to the next one. Right?

Not so fast. iMessage is the least interesting thing about this attack. Here, let me spoil it for you: iMessage doesn’t properly authenticate ciphertexts. You can flip bits in encrypted iMessage messages and get responses to them. You don’t need to know much crypto to know why that’s a problem.

But here’s the catch: iMessage messages are DEFLATE compressed.

The exploit for this flaw could best be described as “acrobatic”. You’ve got to flip bits until you find a message that Huffman-decodes properly. But that’s not good enough: a random valid Huffman symbol will break the DEFLATE CRC, so you’ve got to XOR-compensate the CRC. And a known-valid symbol is only useful if you’ve got the DEFLATE Huffman table. Spoiler: you don’t. You have to infer it based on an HTTP side channel Apple managed to leave in iMessage.
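The CRC step described above, as an added example that is not from the paper or from Apple's code: it shows why a CRC under a stream cipher gives no integrity, and that a MAC check over the ciphertext rejects the same modification. The SHA-256 counter keystream, the keys, the message and all function names are constructed stand-ins, and the DEFLATE and Huffman layers are not modeled.

```python
import hashlib
import hmac
import zlib

BODY = b"constructed sample message"  # constructed plaintext

def keystream(key, n):
    # Constructed stand-in for a CTR-mode cipher: SHA-256 over key || counter.
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal(enc_key, body):
    # Sender: append CRC-32, then encrypt body || crc with the keystream.
    framed = body + zlib.crc32(body).to_bytes(4, "big")
    return xor(framed, keystream(enc_key, len(framed)))

def open_crc_only(enc_key, ct):
    # Receiver that trusts the CRC as its only integrity check.
    framed = xor(ct, keystream(enc_key, len(ct)))
    body, crc = framed[:-4], framed[-4:]
    return body if zlib.crc32(body).to_bytes(4, "big") == crc else None

def open_with_mac(enc_key, mac_key, ct, tag):
    # Receiver that verifies an HMAC over the ciphertext before decrypting.
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return open_crc_only(enc_key, ct) if hmac.compare_digest(expected, tag) else None

def compensate(ct, delta):
    # CRC-32 is affine over XOR for equal-length inputs:
    #   crc(m ^ d) == crc(m) ^ crc(d) ^ crc(00..00)
    # so the CRC field can be corrected without knowing the key or m.
    fix = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return xor(ct, delta + fix.to_bytes(4, "big"))

def demo():
    enc_key, mac_key = b"constructed-enc-key", b"constructed-mac-key"
    ct = seal(enc_key, BODY)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    delta = bytes([0, 0, 0, 0, 0x01]) + bytes(len(BODY) - 5)  # flip one bit in byte 4
    modified = compensate(ct, delta)
    return (open_crc_only(enc_key, modified),            # CRC still matches
            open_with_mac(enc_key, mac_key, modified, tag),  # MAC rejects
            open_with_mac(enc_key, mac_key, ct, tag))        # untouched message

if __name__ == "__main__":
    print(demo())
```

The CRC-only receiver returns the altered body as if it were valid, while the MAC-checking receiver returns `None` for the same bytes and still accepts the untouched message.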

This attack is hard to pull off and Apple fixed it already anyways. So what’s the big deal? Only that this attack will be a template for how to exploit other broken cryptosystems in the future. Also: a great read.
