Researchers challenge Apple's claim of unbreakable iMessage encryption
A famed iPhone jailbreak software developer says Apple could easily decrypt iMessages despite the company's claims
IDG News Service - A close look at Apple's iMessage system shows the company could easily intercept communications on the service despite its assurances to the contrary, researchers claimed Thursday at a security conference.
Apple asserted in June, following disclosures about the NSA's data collection programs, that iMessage, which lets users send texts over Wi-Fi for free, is protected by end-to-end encryption that makes it impossible for Apple or anyone else to descramble the messages.
But researchers at the Hack in the Box conference in Kuala Lumpur showed it would be possible for someone inside Apple, of their own volition or because they were forced to by a government, to intercept messages.
The company's claim that iMessage is protected by unbreakable encryption is "just basically lies," said Cyril Cattiaux, who has developed iOS jailbreak software and works for Quarkslab, a penetration testing and reverse engineering company in Paris.
The researchers emphasized they have no indication that Apple or the government is reading iMessages, only that it would be possible to do so.
Asked to comment, Apple didn't directly address the claims about iMessage and pointed instead to a statement it issued in June after the disclosures about the NSA's Prism data collection program.
The statement says in part that Apple first heard about Prism only when it was asked about it by news organizations. "We do not provide any government agency with direct access to our servers, and any government agency requesting customer content must get a court order," the statement says.
One document revealed by former NSA contractor Edward Snowden indicated Apple became part of Prism in October 2012.
Apple uses public key cryptography to encrypt iMessages between the sender and the recipient. But its system for managing public keys is opaque, the researchers said, making it impossible to know if iMessages are being sent to a third party such as the NSA.
When someone sends an iMessage, the iOS device pulls the recipient's public key from Apple's non-public key server to create the ciphertext, or encrypted message. The iMessage is decrypted by the recipient using their private key.
The problem is "Apple has full control over this public key directory," Cattiaux said.
Trust has always been an issue with public keys. To send an encrypted message, the sender frequently has to trust that the key listed on the key server used to relay the message actually belongs to the recipient.
With a public server, such as MIT's PGP Public Key Server, the sender can at least see more information, such as whether a key has changed. At that point, the sender can decide whether they want to trust it or not if they suspect a man in the middle attack. Apple's key server is not public, the researchers say.
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Platfora Big Data Analytics for Network Security Platfora amplifies the effectiveness of network security analysis, providing Big Data Analytics capability to augment existing security infrastructure for known threats, and advanced...
- Going Paperless? Here's What You Need to Think About As makers of some of the world's most popular PDF solutions, we often consult with businesses & governmental agencies that have the goal...
- ESG Lab Report: Virident FlashMAX Connect Performance Advantage with vCache on a single Oracle instance View Now>>
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Why Are Customers Really Deploying an NGFW? It seems every IT Security expert is talking about the NGFW, but what are people really doing? This webcast covers 5 real-world customer... All Cyberwarfare White Papers | Webcasts