iMessage may not be as secure as Apple claims
Apple’s iMessage feature, which lets users trade free texts between iOS devices over Wi-Fi, was supposed to be entirely secure. The company insisted in June, around the time of the initial National Security Agency spying disclosures, that it could not read users’ messages, which are scrambled by end-to-end encryption. If Apple didn’t have access, the logic ran, the government didn’t either.
Today, however, a pair of researchers at Hack in the Box, a security conference in Kuala Lumpur, demonstrated that it was possible for Apple to intercept and decrypt one’s messages, which also means that intelligence agencies could compel the company to do so.
The Quarkslab authors of the study, Cyril Cattiaux and GG, were careful to point out that this doesn’t mean Apple is pawing through your private correspondence, only that the company had misled the public about opportunities for intrusion. A file leaked by Edward Snowden indicates Apple joined the PRISM program in October 2012, so presumably it's handed over some customer metadata already.
What Cattiaux and GG discovered was a weakness in “the key infrastructure as it is controlled by Apple.” Public key cryptography is what obscures the content of a message, but with Apple maintaining full control over the public key directory through a nonpublic server, users are vulnerable to man-in-the-middle attacks and eavesdropping.
“The biggest problem here,” Cattiaux said, is you cannot be certain “that the public key you are using when you are ciphering the message is really the key of your recipient and not, for example, the public key of some guy in Apple.”
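As an added illustration (not code from the article or from Quarkslab), the sketch below shows the kind of client-side check the quote says is missing: comparing the key a directory returns against a fingerprint the user has pinned or confirmed out of band. The `PinStore` class, the contact address and the key bytes are hypothetical and constructed for the example.

```python
import hashlib
import hmac

def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of the raw key bytes, hex encoded."""
    return hashlib.sha256(public_key).hexdigest()

class PinStore:
    """Hypothetical store: one fingerprint per contact and how it was established."""

    def __init__(self):
        self._pins = {}  # contact -> (fingerprint, verified_out_of_band)

    def confirm_out_of_band(self, contact, fp):
        """Record a fingerprint the two users compared directly (in person, by phone)."""
        self._pins[contact] = (fp.lower(), True)

    def check(self, contact, directory_key):
        """Classify a key returned by the directory before encrypting to it."""
        fp = fingerprint(directory_key)
        pinned = self._pins.get(contact)
        if pinned is None:
            # Nothing to compare with: trust on first use and remember it.
            self._pins[contact] = (fp, False)
            return "first-use"
        pinned_fp, verified = pinned
        if hmac.compare_digest(pinned_fp, fp):
            return "verified" if verified else "unchanged"
        # The directory now serves a different key: a new device or a substitution.
        # The client cannot tell which, so it should not encrypt until re-confirmed.
        return "mismatch"

# Constructed sample keys (arbitrary bytes, not real key material).
ALICE_KEY = b"constructed-public-key-of-recipient"
OTHER_KEY = b"constructed-public-key-of-someone-else"

def demo():
    store = PinStore()
    results = [store.check("alice@example.com", ALICE_KEY)]
    results.append(store.check("alice@example.com", ALICE_KEY))
    store.confirm_out_of_band("alice@example.com", fingerprint(ALICE_KEY))
    results.append(store.check("alice@example.com", ALICE_KEY))
    results.append(store.check("alice@example.com", OTHER_KEY))
    return results

if __name__ == "__main__":
    print(demo())
```

A pin set on first use only detects a later change of key. If the directory served a substituted key from the very first lookup, only the out-of-band comparison reveals it.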
But don’t ditch your iPhone just yet. Macworld quoted Paul Kocher, president and chief scientist of Cryptography Research, on what this discovery means in the grand scheme: “In practice, iMessage is only as secure as Apple chooses to make it, but it isn’t fair to criticize Apple too heavily since other services aren’t better (and most are worse).”
Apple, asked for comment, simply stuck with the language of the June press release that underscored a “commitment to customer privacy” and stated that the company had not become aware of PRISM until media outlets began reporting on it.