Is iMessage really secure? Apple says the encryption on its Wi-Fi-enabled messaging service is unbreakable, but at the Hack in the Box computer security conference in Kuala Lumpur Oct. 14-18, researchers painted a different picture.
Here's the backstory: On June 6, a top-secret document leaked by former NSA contractor Edward Snowden suggested that several major communication companies, including Apple, were part of a government surveillance program called PRISM.
Apple denied that it worked with the NSA to spy on its users in a June 16 statement, in which it also emphasized iMessage's security.
MORE: NSA Leaks 2013: A Timeline of NSA Revelations
"Conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data," wrote Apple in its statement.
Apple's iMessage encryption
End-to-end encryption means that the message is encrypted as soon as it leaves the sender's phone, and doesn't get decrypted until it reaches the recipient's phone. That way, not even the company doing the delivery — in this case, Apple — can read the message.
No hacker worth his or her salt takes a statement like that at face value, so two researchers with Paris-based security firm Quarkslab decided to do a bit of digging into iMessage and how it implements its encryption.
What did they find? Apple's boasts of iMessage's security are "just basically lies," said Quarkslab researcher Cyril Cattiaux at the Hack in the Box presentation.
iMessage uses an encryption protocol called public-key encryption, which means that each iMessage user has two encryption keys: the public key is used to encrypt messages so that only people who possess the corresponding private key can decrypt and read them.
But iMessage users don't actually possess their encryption keys — Apple manages them, and the means by which it does that is unclear.
Can you trust Apple's security?
That means that it's entirely possible for Apple to switch the keys and their corresponding users, or add another private key to a given public key and intercept the contents of an iMessage conversation.
So when you use iMessage, you aren't relying on the proven math of Apple's encryption implementation. You're trusting the company to properly manage your encryption keys.
What does that mean for you? For most users, iMessage is probably secure enough. But messaging apps with more secure encryption implementation do exist, such as Wickr and SilentText.
Email email@example.com or follow her @JillScharr and Google+. Follow us @TomsGuide, on Facebook and on Google+.
Makes you wonder why BBM is free... what a stupid statement.
Just as much as you can trust iPhone 5s' borked sensors... not at all.
In truth, there is no surprise here. By now everyone should be used to Apple's lies when it comes to their products. "it just works"... what a load of bull (unless it's finished with "...like everything else").
Meh. Movin' on...
" He's out to make a quick buck and will just toss the phone. If you don't want your data being compromised don't put it out there to begin with"
Now thats the stupidest statement I've ever heard!
Yes but this is basically a shortcut around all of the roadblocks, you just need to ask the construction company for the key to the gate. The current implementation allows any government agency to ask for the keys and then read messages en masse. True end to end encryption would make it several orders of magnitude more difficult to decrypt a signal message, let alone a boatload.