Apple added Contact Key Verification

Yesterday, Apple released iOS/iPadOS 17.2 and macOS 14.2. A new security feature was added in that release: “Contact Key Verification”.

What is it? How do you activate it? How does it increase your security?

End-to-End Encryption (E2EE)

Apple’s iMessage is secured with end-to-end encryption (E2EE).

This means the cryptographic keys are stored inside the Apple devices of the sender and recipient and not anywhere else. That means even Apple is not able to decrypt the content of the messages that are stored on their servers. In other words, no one except the sender and recipient can read the messages. Even the government can’t compel Apple to reveal them because it is technically impossible.

How can an adversary crack E2EE?

E2EE brings a new problem for adversaries (notably entities with resources of a nation-state). How can they eavesdrop on the conversations secured with E2EE? How can they circumvent E2EE?

One way is to introduce a middle person between the two parties having a conversation. This is called the man-in-the-middle (MITM) attack. How does this work?

Let’s say Alice and Bob are having a conversation on iMessage. Mallory, the adversary, inserted himself between both of them. He pretends to be Bob to Alice and pretends to be Alice to Bob. When Alice sends an encrypted message to Bob, she’s actually sending it to Mallory. Since the message is secured with E2EE, Apple will not be able to read it. Mallory then reads the message, pretends to be Alice and forwards it to Bob. When Bob replies to Alice’s message, he sends it to her via Mallory.

All this while, both Alice and Bob think that their messages to each other are private since it is secured with E2EE. But unbeknown to them, they are sending their messages to Mallory as the intermediary. Although all their messages to Mallory are secured with E2EE, it does not protect them because Mallory is the adversary who can read everything. If Mallory wants to, he can even modify the messages between Alice and Bob.

How does Contact Key Verification stops MITM attack?

The worry is, what if an adversary (with the resources of a nation-state) hacks Apple’s iMessage servers and conducts an MITM attack against their iMessage users?

Subscribe to continue reading

Become a paid subscriber to get access to the rest of this post and other exclusive content.