One of the slides used by QuarksLab to explain the issue the firm identified with Apple’s iMessage.

Security research firm QuarksLab recently dropped a bombshell on iOS users with a presentation at the Hack in the Box conference that described how Apple could read your encrypted iMessages.

While the method described is complex, what QuarksLab showed in a nutshell is this: messages sent through Apple’s text message replacement service are encrypted end-to-end, but Apple controls the encryption keys that protect those messages. The company could change those keys to get access to the content of the messages if, for example, the government ordered it to.

It’s worth noting that QuarksLab did not say that this was something Apple was currently doing, but that it was something they could do in the future. Unsurprisingly, that touched off a firestorm.

For its part, Apple says that it is not interested in implementing what was described in the paper.

“iMessage is not architected to allow Apple to read messages,” Apple spokeswoman Trudy Miller told AllThingsD. “The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so.”

Even with Apple’s theoretical ability to snoop, iMessage is still well-secured against outside attackers, which is better than other services, including SMS, which can be attacked just by setting up a fake cell tower.
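An added example, not taken from QuarksLab’s presentation or from Apple’s code: a sender-side check that pins the fingerprint of each contact’s public key on first use and flags any later change made by the key directory. The class and function names and the key bytes are hypothetical, and the first lookup is assumed to be honest.

```python
import hashlib

def fingerprint(public_key: bytes) -> str:
    """Hex SHA-256 of a public-key blob, short enough to compare out of band."""
    return hashlib.sha256(public_key).hexdigest()

class PinnedKeys:
    """Trust-on-first-use pins: contact -> fingerprints the sender has accepted."""

    def __init__(self):
        self._pins = {}

    def check(self, contact, directory_keys):
        """Return (status, unexpected) for the keys the directory handed back."""
        seen = {fingerprint(k) for k in directory_keys}
        if contact not in self._pins:
            self._pins[contact] = seen  # first lookup: nothing to compare against
            return "pinned", set()
        unexpected = seen - self._pins[contact]
        return ("changed", unexpected) if unexpected else ("ok", set())

    def approve(self, contact, fp):
        """Record a fingerprint the user confirmed with the contact directly."""
        self._pins[contact].add(fp)

def run_demo():
    # Constructed sample data: opaque byte strings stand in for real public keys.
    bob_key = b"constructed-public-key-bob"
    other_key = b"constructed-public-key-unknown"
    pins = PinnedKeys()
    results = [pins.check("bob", [bob_key])[0]]           # first lookup is pinned
    results.append(pins.check("bob", [bob_key])[0])       # same key: nothing to report
    status, unexpected = pins.check("bob", [other_key])   # directory returns a new key
    results.append(status)
    # The sender holds the message until the new fingerprint is confirmed out of band.
    pins.approve("bob", next(iter(unexpected)))
    results.append(pins.check("bob", [other_key])[0])
    return results

if __name__ == "__main__":
    print(run_demo())
```

A key added alongside the pinned one is flagged the same way, since any fingerprint outside the pinned set counts as unexpected.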

Comments

  • Guest

    During the PRISM-related allegations, Apple claimed this was impossible. Now they call proof that it is possible a “theoretical vulnerability”? Laughable. As is your bending over backward to minimize this and defend them.

  • Vroo (Bruce Leban)

    The problem with this “theoretical” vulnerability is that Apple’s claim that it’s not possible is not verifiable. You just have to trust them that they don’t and can’t do it — and won’t change their minds. And you can’t tell if they ever do that. Maybe they already are but have been ordered by the NSA to not tell anyone. Not that that would ever happen, of course. http://en.wikipedia.org/wiki/National_security_letter

  • puggsly

    OK, so all private public key encryption is invalid because the key issuers could issue you false public keys that are always routed to the NSA, presto! Go get your tin foil hat!

    Apple doesn’t intercept iMessage communication and has no system in place to comply with any request from anyone to do so because it is not the iMessage design. So as of today, Apple can’t read your iMessages.

    As for complying with requests from the NSA? They do run other cloud services, like mail and document storage, as well as having some information on iPhones, which is probably what they have shared with the NSA.
