Apple Sets Trap to Catch iMessage Impersonators

The company activated a new feature called iMessage Contact Key Verification in another attempt to block impersonators and sophisticated threat actors abusing its iMessage server infrastructure. With the activation, fully patched iPhones and macOS-powered devices adds an ON/OFF toggle for users to verify they’re messaging only with the people that they intend and receive alerts if there’s a hiccup in the verification process.

Apple first announced the feature in October and is positioning it as another roadblock to raise the cost for advanced threat actors and mercenary hacking companies that target its iMessage service. In the past, surveillance spyware vendors like NSO Group have been caught using iMessage zero-days and zero-click exploits against high-profile targets around the world. Apple previously rolled out ‘Lockdown Mode’ to remove attack surfaces and block state-sponsored malware exploits on its platform for the company continues to struggle to contain a surge in in-the-wild zero-days.

The company has published guidance on turning on the new feature to help users to automatically they’re messaging with the intended person. Devices must be running iOS 17.2, macOS 14.2 or watchOS 9.2 on all devices signed in to iMessage.

In addition, iPhone and macOS  users can manually verify contacts by comparing verification codes. “When you manually verify a contact, iMessage Contact Key Verification verifies that the code you have saved matches the one provided by the iMessage servers for that contact and notifies you if the verification code changes,” the company explained.

Security Week 12/12/2023