Apple Denies iMessage Flaw Discovered by Security Researchers
Apple has denied it can snoop on customers' iMessages after security researchers find the iPhone maker could decrypt conversations, something it previously claimed to be impossible.
The California company was forced to defend itself after a whitepaper report published by two QuarksLab researchers known as Pod2g and GG claimed Apple could intercept and read iMessages - something the company had previously stated was impossible, due to the encryption between users and the service.
The story dates back to June, when Apple published a statement on its website claiming, in the wake of the NSA snooping scandal, that the company protects iMessage and FaceTime conversations with "end-to-end encryption so no one but the sender and receiver can see or read them."
Apple went on to say it can't decrypt the data and therefore can't read the content of iMessage conversations. In the same statement, the company said it had never heard of the NSA's infamous Prism internet spying tool and does not provide any government agency direct access to its servers, as was stated by the leaked documents of NSA whistleblower Edward Snowden.
Government order
On 17 October, QuarksLab published its report into iMessage claiming the company "can read your iMessages if they choose to, or if they are required to do so by a government order." The report also said QuarksLab has no reason to suspect Apple of actively reading the iMessages of its customers.
QuarksLab summarises: "As Apple claims, there is end-to-end encryption. The weakness is in the key infrastructure as it is controlled by Apple: they can change a key anytime they want, thus read the content of our iMessages."
In response to the lengthy report, an Apple spokesperson told AllThingsD: "iMessage is not architected to allow Apple to read messages. The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so."
Passwords in plain text
Additionally, the researchers discovered Apple sends a user's Apple ID and password in plain text with every iMessage. "There can be a lot of good reason to send the password as clear text," the report states. "SSH does it for instance. But here, we don't see any reason for Apple to get our password."
Although beyond the skills of the average computer hacker, the researchers' reverse-engineering of iMessage could be used to steal Apple IDs and passwords, giving access to the user's iCloud account and device backups, and would let the attacker buy apps and iTunes content with the victim's account.
"Good enough for the average user"
There's no immediate reason for the average iMessage user to no longer trust Apple, and as for the possibility of a third party gaining access to the message data, QuarksLab says such attacks "are impractical to the average hacker, and the privacy of iMessage is good enough for the average user."
But the report still raises issues with iMessage and Apple's claim that it cannot be decrypted. The researchers believe that, if it was told to by a government agency such as the NSA or Britain's GCHQ, Apple would be able to record and hand over the iMessages of its users.
Speaking to All ThingsD, security researcher Ashkan Soltani commented: "We've recently seen indication of companies like Skype or Lavabit being forced to enable interception capabilities in their system, so it would be naive to think that Apple wasn't at least approached by the government at some point."
© Copyright IBTimes 2024. All rights reserved.