|Is Apple Reading Your iMessages?|
|By JOANNA STERN (@joannastern)||Oct 18, 2013, 1:43 PM|
Apple has long said that it cannot read or see the messages you send using its iMessage service, but new evidence from security researchers seems to fly in the face of that claim.
Presenting at a Hack in the Box Conference in Kuala Lumpur, Malaysia, Quarkslab has found that Apple's encrypted iMessages could be read by the company or a third party.
"As Apple claims, there is end-to-end encryption," Quarkslab wrote in a white paper published on its website. "The weakness is in the key infrastructure as it is controlled by Apple: They can change a key anytime they want, thus read the content of our iMessages."
The extremely technical paper details how Apple's uses well-known algorithms in its cryptography, and how the company uses the same servers and Push protocol as other services. In short, it says that because Apple controls what happens between the sender and the receiver of the message, it could see messages. A new video posted on tech website ZDNet also shows off how the exploit would work. The researchers extracted the iMessage keys so they were able to see the messages that were sent in real time on a computer. They were also able to decrypt the messages.
Still, while Quarkslab demonstrates the vulnerability, it specifically states that Apple does not do this.
"What we are not saying: Apple reads your iMessages," the report states. "What we are saying: Apple can read your iMessages if they choose to, or if they are required to do so by a government order."
The issue was raised in relation to Apple's reported involvement with the National Security Agency and the PRISM spying program, which claims that the government was tapping into its servers as well as the servers of other major technology companies, including Microsoft, Google and Facebook. Apple, however, maintains, just as it did when PRISM was first reported, that its iMessage service has been built to restrict even Apple from reading messages.
"iMessage is not architected to allow Apple to read messages," Apple spokeswoman Trudy Muller told ABC News. "The research discussed theoretical vulnerabilities that would require it, and Apple has no plans or intentions to do so." AllThingsD first reported on Apple's response.
Security expert Robert Siciliano added, though, that there "will never be any guarantee" that these companies don't have access to your messages, regardless if they make assurances like the ones Snapchat or Apple has. Users shouldn't expect that level of security for their sent or received messages, but, still, he said general users shouldn't be worried about this particular iMessage issue.
"If you are a high-profile drug dealer or high on the FBI watch list, then maybe you would want to watch out," Siciliano told ABC News, but regular users shouldn't be on alert about this. Just be aware."