iMessage may not be as secure as Apple claims
Apple’s iMessage feature, which lets users trade free texts between iOS devices over Wi-Fi, was supposed to be entirely secure. The company insisted in June, around the time of the initial National Security Agency spying disclosures, that it could not read users’ messages, which are scrambled by end-to-end encryption. If Apple didn’t have access, the logic ran, the government didn’t either.
Today, however, a pair of researchers at Hack in the Box, a security conference in Kuala Lumpur, demonstrated that it is possible for Apple to intercept and decrypt a user’s messages, which also means that intelligence agencies could compel the company to do so.
The Quarkslab authors of the study, Cyril Cattiaux and GG, were careful to point out that this doesn’t mean Apple is pawing through your private correspondence, only that the company had misled the public about opportunities for intrusion. A file leaked by Edward Snowden indicates Apple joined the PRISM program in October 2012, so presumably it's handed over some customer metadata already.
What Cattiaux and GG discovered was a weakness in “the key infrastructure as it is controlled by Apple.” Public-key cryptography is what obscures the content of a message, but because Apple maintains full control over the public key directory through a nonpublic server, users are vulnerable to man-in-the-middle attacks and eavesdropping: a client has no way to check that the key the directory hands back really belongs to the intended recipient.
“The biggest problem here,” Cattiaux said, is that you cannot be certain “that the public key you are using when you are ciphering the message is really the key of your recipient and not, for example, the public key of some guy in Apple.”
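The weakness the researchers describe is easiest to see in a small model. The following is an added example written for this article, not code from Quarkslab or Apple: a toy textbook RSA scheme on fixed, constructed primes stands in for iMessage’s real cryptography, a `KeyDirectory` class stands in for Apple’s key server, and the user names, message and fingerprint format are all invented for the illustration. It shows that a sender who trusts whatever the directory returns will encrypt to the operator’s key if the operator substitutes it, and that pinning the recipient’s key fingerprint (obtained out of band) lets the client detect the substitution and refuse to send.

```python
import hashlib

# Textbook RSA over small fixed primes (constructed for this example; not a
# real scheme: no padding, no key sizes fit for production use).
PRIMES_BOB = (1000000009, 999999937)
PRIMES_OPERATOR = (1000000021, 999999929)
E = 65537


class KeyMismatchError(Exception):
    """Raised when the directory's key does not match the pinned fingerprint."""


def generate_keypair(p, q, e=E):
    """Return ((n, e), (n, d)) for textbook RSA over the given primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; requires Python 3.8+
    return (n, e), (n, d)


def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def fingerprint(pub):
    """Short, stable identifier of a public key for out-of-band comparison."""
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]


class KeyDirectory:
    """Model of a key server fully controlled by one operator."""

    def __init__(self):
        self._keys = {}

    def register(self, user, pub):
        self._keys[user] = pub

    def lookup(self, user):
        return self._keys[user]

    def substitute(self, user, operator_pub):
        # The operator can answer any lookup with a key of its own choosing;
        # the client cannot tell the difference from the response alone.
        self._keys[user] = operator_pub


def send_message(directory, recipient, m, pinned=None):
    """Encrypt m to the key the directory returns for recipient.

    If pinned (a dict user -> fingerprint) is given, refuse to send when the
    returned key does not match the fingerprint the client already trusts.
    """
    pub = directory.lookup(recipient)
    if pinned is not None and pinned.get(recipient) != fingerprint(pub):
        raise KeyMismatchError(
            f"directory key for {recipient!r} does not match pinned fingerprint")
    return encrypt(pub, m)


def demo():
    """Run the honest, substituted and pinned scenarios; return the outcomes."""
    bob_pub, bob_priv = generate_keypair(*PRIMES_BOB)
    op_pub, op_priv = generate_keypair(*PRIMES_OPERATOR)
    directory = KeyDirectory()
    directory.register("bob", bob_pub)
    msg = int.from_bytes(b"hello", "big")  # constructed plaintext, < n

    # 1. Honest directory: only Bob can read the message.
    c = send_message(directory, "bob", msg)
    honest_ok = decrypt(bob_priv, c) == msg

    # 2. Operator swaps in its own key: the sender encrypts to the operator.
    directory.substitute("bob", op_pub)
    c2 = send_message(directory, "bob", msg)
    operator_reads = decrypt(op_priv, c2) == msg

    # 3. Same substitution, but the client pinned Bob's fingerprint earlier.
    pins = {"bob": fingerprint(bob_pub)}
    try:
        send_message(directory, "bob", msg, pinned=pins)
        pinning_detects = False
    except KeyMismatchError:
        pinning_detects = True

    return {"honest_ok": honest_ok,
            "operator_reads": operator_reads,
            "pinning_detects": pinning_detects}


if __name__ == "__main__":
    print(demo())
```

The pinned fingerprint is what a client would compare against a value the recipient shows in person or over another channel; without it, the sender's only evidence of who holds the key is the directory's word, which is exactly the gap the researchers point to.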
But don’t ditch your iPhone just yet. Macworld quoted Paul Kocher, president and chief scientist of Cryptography Research, on what this discovery means in the grand scheme: “In practice, iMessage is only as secure as Apple chooses to make it, but it isn’t fair to criticize Apple too heavily since other services aren’t better (and most are worse).”
Apple, asked for comment, simply stuck with the language of the June press release that underscored a “commitment to customer privacy” and stated that the company had not become aware of PRISM until media outlets began reporting on it.
Photo by travisdodson/Flickr