Apple says it can’t decrypt your iMessages. These researchers say it can.

October 17, 2013

During the height of the Edward Snowden affair, Apple was among those companies that vociferously denied handing over user data to the government. In a statement, it suggested that the privacy-conscious might consider using iMessage, which offered "end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data."

There's still no evidence that Apple has tried, nor that the company has given any information to the government. But according to a handful of security researchers, Apple does have the ability to read the content of iMessages, contrary to its claims.

When you send an iMessage — say from one iPhone to another — the two devices perform a digital handshake, each using a private, secret key. Apple has exclusive control over those keys, which means that it can intercept a message signed by one key, unlock it with the recipient's key, read the message and then pass it along to the recipient without either sender or receiver  ever knowing it’s been read.

Quarkslab, the company that conducted the research and explained the man-in-the-middle exploit at a security conference in Kuala Lumpur this week, says it's notified Apple about the discrepancy and that Apple has requested more information from them. (An Apple spokesperson did not respond to a request for comment Thursday. If and when they do, I'll update this post with more details.)

This is one place where Apple's walled garden works in its favor; since only Apple is theoretically capable of leveraging iMessage this way, your messages are still safe from prying eyes outside the company. And again, we've no evidence to suggest that Apple itself has begun reading iMessages.

"It's a big deal for privacy, but not for security," Quarkslab CEO Fred Raynal told me in an interview.

Independent security researchers have verified Quarkslab's work, but whether Apple will update its statement remains to be seen.

Update, Oct. 18: Apple spokesperson Trudy Miller e-mails this morning with a statement: "iMessage is not architected to allow Apple to read messages. The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so."

Brian Fung covers technology for The Washington Post, focusing on telecom, broadband and digital politics. Before joining the Post, he was the technology correspondent for National Journal and an associate editor at the Atlantic.
Comments
Show Comments
Most Read Business
Next Story
Andrea Peterson · October 17, 2013