Skip to main content

Researchers: Apple's claim that it cannot read encrypted iMessages is "definitely not true"

Researchers from QuarksLab have called a number of Apple's statements regarding its users' security into question. The team has shown that Apple can, in theory, read the contents of its users' iMessages, an assertion that Apple has strongly denied in the past.

The team is careful to state that Apple probably isn't reading your iMessages. But they can, if they want to. Let's back up and take a look at why this is significant.

Since the NSA's PRISM spying operation was revealed in June by mega-leaker Edward Snowden, the security concerns of Internet users have shifted. Our suspicion, once directed at third-party hackers and criminal elements intent on stealing our data, has now turned to the very people who provide us with online services.

As revelations have emerged over the last year, a picture has steadily taken form – of Internet firms as illustrious as Google, Facebook and Apple quietly cooperating with government agencies to hand over vast amounts of data on their everyday users.

In many cases, backdoors to users' information were deliberately programmed into popular messaging apps and social networks, so that a user's data could be retrieved quickly and noiselessly if a three-letter agency issued such an order.

So, corporate-government cooperation was widespread and normalised, allowing agencies to spy on Internet users. But that isn't the end of the story. The downfall of encrypted email service Lavabit is a good example on the other end of the spectrum of cooperation.

Lavabit's founder and operator, Ladar Levison, chose to shut down his secure messaging service rather than hand over its encryption keys to the FBI, which appears to have tried to access Edward Snowden's emails in the wake of his mass leaking campaign. Despite a protracted campaign of non-compliance (at one point handing the agency a printed-out version of the encryption keys, in unreadable 4-point font), Levison eventually cracked under the pressure and shut down the service.

Levison's example was a clear one: despite Lavabit's tightly-secured encryption protocols, someone still held the keys to that encryption. That means they could, in theory, decrypt users' emails. Or be forced to.

In this shifting landscape, users are now faced with the reality that if a company is able to read their communications, that same company may, at some point in the future, be forced to.

Which brings us to Apple.

Since the revelations that exploded into the press in June, reports have alleged that multinationals like Apple allowed the NSA and other government agencies "direct access" to its servers full of user information; accusations that the Cupertino-based company denied vociferously in the press.

"We do not provide any government agency with direct access to our servers," said Apple in June, "and any government agency requesting customer data must get a court order."

This statement has been shown, in the interim, to be largely true. The NSA does seem to have to go through a number of quite involved applications and legal hurdles before it can get an order to access a company's servers under the Foreign Intelligence Surveillance Act (FISA). That would be reassuring news, if the NSA hadn't turned the acquisition of such orders into a form of mass-production industry.

It was reported in June that Facebook was ordered to hand over information to government agencies as many as 10,000 times in a six-month span. This involved the accounts of between 18,000 and 19,000 users. Microsoft fared little better, receiving as many as 7,000 orders affecting over 31,000 accounts. Apple was targeted as many as 5,000 times, specifying up to 10,000 accounts or devices.

But that's not the point. What has caused consternation in recent days is the second part of that statement.

"Conversations which take place over iMessage and FaceTime are protected by end-to-end encryption," Apple's spokesperson went on to say, "so no one but the sender and receiver can see or read them. Apple cannot decrypt that data."

This is the assertion that the team of researchers at QuarksLab has recently called into question.

The whitepaper released by the team on Thursday concluded that while the layers of end-to-end encryption surrounding iMessage communications were solid, Apple was in theory capable of decrypting those messages, simply because they controlled the keys, and all traffic passed through their servers.

The team found that under certain circumstances "we saw our AppleID and password going through this SSL communication. Yes, the clear text password." This could hypothetically allow intelligence agencies to gain access to other communication records, if the account holder uses the some password elsewhere.

Not only that, but "Apple's claims that it can't read end-to-end encrypted iMessage is definitely not true. As everyone suspected: yes they can!"

In fact, although there is end-to-end encryption, Apple "can change a key anytime they want, thus read the content of our iMessages."

The research team concludes "If the informations being exchanged are sensitive to the point that you don't want any government agencies to look into them, don't [share them over iMessage]". Good advice, it seems.

The evidence that Apple is capable of reading the messages doesn't, of course, amount to evidence that it has been. But with the acquisition and enforcement of FISA orders veiled in secrecy, it's hard to say whether Cupertino can hold out for long.

Image: Flickr (davnull); Facebook (Ladar Levison)