Sign in with
Sign up | Sign in

iMessage May Not Be as Secure as Apple Claims

By - Source: Tom's Guide US | B 10 comments
Tags :

Security researchers questions Apple's claims about iMessage. Courtesy AppleSecurity researchers questions Apple's claims about iMessage. Courtesy AppleIs iMessage really secure? Apple says the encryption on its Wi-Fi-enabled messaging service is unbreakable, but at the Hack in the Box computer security conference in Kuala Lumpur Oct. 14-18, researchers painted a different picture.

Here's the backstory: On June 6, a top-secret document leaked by former NSA contractor Edward Snowden suggested that several major communication companies, including Apple, were part of a government surveillance program called PRISM.

Apple denied that it worked with the NSA to spy on its users in a June 16 statement, in which it also emphasized iMessage's security.

MORE: NSA Leaks 2013: A Timeline of NSA Revelations

"Conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data," wrote Apple in its statement. 

Apple's iMessage encryption

End-to-end encryption means that the message is encrypted as soon as it leaves the sender's phone, and doesn't get decrypted until it reaches the recipient's phone. That way, not even the company doing the delivery — in this case, Apple — can read the message.

No hacker worth his or her salt takes a statement like that at face value, so two researchers with Paris-based security firm Quarkslab decided to do a bit of digging into iMessage and how it implements its encryption.

What did they find? Apple's boasts of iMessage's security are "just basically lies," said Quarkslab researcher Cyril Cattiaux at the Hack in the Box presentation.

iMessage uses an encryption protocol called public-key encryption, which means that each iMessage user has two encryption keys: the public key is used to encrypt messages so that only people who possess the corresponding private key can decrypt and read them.

But iMessage users don't actually possess their encryption keys — Apple manages them, and the means by which it does that is unclear.

Can you trust Apple's security?

That means that it's entirely possible for Apple to switch the keys and their corresponding users, or add another private key to a given public key and intercept the contents of an iMessage conversation.

So when you use iMessage, you aren't relying on the proven math of Apple's encryption implementation. You're trusting the company to properly manage your encryption keys.

What does that mean for you? For most users, iMessage is probably secure enough. But messaging apps with more secure encryption implementation do exist, such as Wickr and SilentText.

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.

Display 10 Comments.
This thread is closed for comments
  • 8 Hide
    monsta , October 18, 2013 4:18 PM
    Makes you wonder why iMessage is free....
  • 3 Hide
    otacon , October 18, 2013 4:23 PM
    So?.. anything sent over the air or stored electronically, given enough time and resources, can be decrypted and read. The only thing the average user or even large corporation can do is put up enough road blocks that the time needed to decrypt information doesn't make it financially viable. This goes back to the finger print scanner on the 5S...so it can be circumvented. You think the person stealing it is going to take the time to try to bypass it? He's out to make a quick buck and will just toss the phone. If you don't want your data being compromised don't put it out there to begin with.
  • -4 Hide
    otacon , October 18, 2013 4:25 PM
    @monsta

    Makes you wonder why BBM is free... what a stupid statement.
  • 2 Hide
    house70 , October 18, 2013 4:54 PM
    "Can you trust Apple's security?"

    Just as much as you can trust iPhone 5s' borked sensors... not at all.
    In truth, there is no surprise here. By now everyone should be used to Apple's lies when it comes to their products. "it just works"... what a load of bull (unless it's finished with "...like everything else").
    Meh. Movin' on...
  • 2 Hide
    monsta , October 18, 2013 7:12 PM
    @ otacon
    " He's out to make a quick buck and will just toss the phone. If you don't want your data being compromised don't put it out there to begin with"

    Now thats the stupidest statement I've ever heard!
  • 1 Hide
    jldevoy , October 18, 2013 7:55 PM
    Apple can't win on this point, it's now a crime in the USA to tell anyone you're being coerced by the NSA etc.
  • 2 Hide
    rantoc , October 19, 2013 4:44 AM
    If you believed apple in the first place there is one way to get help - A shrink!
  • 2 Hide
    wopr11 , October 19, 2013 9:41 AM
    Apple lying? when haven't they
  • -1 Hide
    IreneRDubose , October 19, 2013 12:08 PM
    <B>my buddy's step-sister makes <$82> an hour on the computer. She has been laid off for 8 months but last month her payment was <$17918> just working on the computer for a few hours. Here's the site to read more

    ========================
    WWW.Works23.COM
    ========================
    <B>
  • 0 Hide
    ddpruitt , October 21, 2013 6:06 AM
    Quote:
    So?.. anything sent over the air or stored electronically, given enough time and resources, can be decrypted and read. The only thing the average user or even large corporation can do is put up enough road blocks that the time needed to decrypt information doesn't make it financially viable.


    Yes but this is basically a shortcut around all of the roadblocks, you just need to ask the construction company for the key to the gate. The current implementation allows any government agency to ask for the keys and then read messages en masse. True end to end encryption would make it several orders of magnitude more difficult to decrypt a signal message, let alone a boatload.
Tom’s guide in the world
  • Germany
  • France
  • Italy
  • Ireland
  • UK
Follow Tom’s guide
Subscribe to our newsletter