Yesterday, Apple released iOS/iPadOS 17.2 and macOS 14.2. A new security feature was added in that release: “Contact Key Verification”.

What is it? How do you activate it? How does it increase your security?

End-to-End Encryption (E2EE)

Apple’s iMessage is secured with end-to-end encryption (E2EE).

This means the cryptographic keys are stored inside the Apple devices of the sender and recipient and not anywhere else. That means even Apple is not able to decrypt the content of the messages that are stored on their servers. In other words, no one except the sender and recipient can read the messages. Even the government can’t compel Apple to reveal them because it is technically impossible.

How can an adversary crack E2EE?

E2EE brings a new problem for adversaries (notably entities with resources of a nation-state). How can they eavesdrop on the conversations secured with E2EE? How can they circumvent E2EE?

One way is to introduce a middle person between the two parties having a conversation. This is called the man-in-the-middle (MITM) attack. How does this work?

Let’s say Alice and Bob are having a conversation on iMessage. Mallory, the adversary, inserted himself between both of them. He pretends to be Bob to Alice and pretends to be Alice to Bob. When Alice sends an encrypted message to Bob, she’s actually sending it to Mallory. Since the message is secured with E2EE, Apple will not be able to read it. Mallory then reads the message, pretends to be Alice and forwards it to Bob. When Bob replies to Alice’s message, he sends it to her via Mallory.

All this while, both Alice and Bob think that their messages to each other are private since it is secured with E2EE. But unbeknown to them, they are sending their messages to Mallory as the intermediary. Although all their messages to Mallory are secured with E2EE, it does not protect them because Mallory is the adversary who can read everything. If Mallory wants to, he can even modify the messages between Alice and Bob.

How does Contact Key Verification stops MITM attack?

The worry is, what if an adversary (with the resources of a nation-state) hacks Apple’s iMessage servers and conducts an MITM attack against their iMessage users?

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Apple added Contact Key Verification

End-to-End Encryption (E2EE)

How can an adversary crack E2EE?

How does Contact Key Verification stops MITM attack?

DON'T GET HACKED!

End-to-End Encryption (E2EE)

How can an adversary crack E2EE?

How does Contact Key Verification stops MITM attack?

Subscribe to continue reading

DON'T GET HACKED!

Related Post