
Wednesday, June 26, 2013

Can Apple Read Your iMessages?

Apple:

There are certain categories of information which we do not provide to law enforcement or any other group because we choose not to retain it.

For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data.

Matthew Green:

All you need to do is run the following simple experiment: First, lose your iPhone. Now change your password using Apple’s iForgot service (this requires you to answer some simple security questions or provide a recovery email). Now go to an Apple store and shell out a fortune buying a new phone.

If you can recover your recent iMessages onto a new iPhone -- as I was able to do in an Apple store this afternoon -- then Apple isn’t protecting your iMessages with your password or with a device key. Too bad.

This seems to be confirmed by this Ask Different answer and by the discussion on Hacker News. In other words, the end-to-end encryption is beside the point once iCloud backups are involved: if the messages can be restored onto a new device after the account password has been reset through iForgot, the backup is not protected by anything that only the user holds, so Apple can read it. Apple’s privacy statement seems to be strictly true but misleading: Apple may be unable to decrypt an iMessage in transit, but the copy of the conversation sitting in an iCloud backup is another matter.

Update (2013-10-19): Dan Goodin:

Ultimately, the QuarksLab researchers said that such man-in-the-middle exploits against the iMessage infrastructure require so much effort that they could probably be carried out only by three-letter agencies, and even then only under limited circumstances. But they went on to say there's no technical measure stopping Apple employees, working under a secret court order or otherwise, from performing the same kind of attack and making it completely transparent to the parties exchanging iMessages. Unlike third-party attacks, these insider exploits would require no tampering of end-user devices.
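The insider attack QuarksLab describes comes down to one structural fact: the same party that relays the ciphertext also runs the directory that tells you which public key to encrypt to. The model below is an added example written for this post, not code from Apple, QuarksLab, or Goodin’s article, and it does not use iMessage’s real primitives. It assumes a toy Diffie-Hellman group (the Mersenne prime 2^127-1 with generator 5) and a SHA-256-based stream cipher, both chosen only so the script runs offline with the standard library; neither is secure. An honest `Directory` hands back each user’s registered key; an `InsiderDirectory` substitutes its own key for two targeted users and decrypts and re-encrypts their traffic on the relay, so both parties still see a valid message. The `verify_peer` method shows the one check that catches the substitution: comparing the directory’s answer against a fingerprint obtained out of band.

```python
import hashlib
import hmac
import secrets

# Toy DH parameters for the demo only (assumption; NOT a secure group).
P = (1 << 127) - 1
G = 5


def keygen():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def fingerprint(pub):
    """Short hash of a public key, the kind of value users would compare out of band."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def derive_key(priv, peer_pub):
    """Static DH shared secret hashed into a 32-byte symmetric key."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def encrypt(key, nonce, plaintext):
    """Toy stream cipher: keystream = SHA-256(key || nonce || counter), then an HMAC tag."""
    keystream, ctr = b"", 0
    while len(keystream) < len(plaintext):
        keystream += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    # XOR with the same keystream inverts the cipher; strip the nonce and fresh tag.
    return encrypt(key, nonce, ct)[16:-32]


class Directory:
    """Honest key server: returns exactly the key each user registered and relays blobs untouched."""

    def __init__(self):
        self.keys = {}

    def register(self, user, pub):
        self.keys[user] = pub

    def lookup(self, user):
        return self.keys[user]

    def relay(self, sender, recipient, blob):
        return blob


class InsiderDirectory(Directory):
    """Key server run by the same party that relays messages. For the targeted users it
    hands out its own public key instead of theirs, then decrypts and re-encrypts the
    traffic between them so that both ends still get a message that verifies."""

    def __init__(self, targets):
        super().__init__()
        self.targets = set(targets)
        self.priv, self.pub = keygen()
        self.transcript = []  # plaintext the insider gets to read

    def lookup(self, user):
        return self.pub if user in self.targets else super().lookup(user)

    def relay(self, sender, recipient, blob):
        if sender in self.targets and recipient in self.targets:
            # The sender encrypted to our key, so we can open it with the sender's real key.
            pt = decrypt(derive_key(self.priv, self.keys[sender]), blob)
            self.transcript.append((sender, recipient, pt))
            # Re-encrypt under the key the recipient will compute (it looked up "sender" and got our key).
            blob = encrypt(derive_key(self.priv, self.keys[recipient]), secrets.token_bytes(16), pt)
        return blob


class User:
    def __init__(self, name, directory):
        self.name, self.dir = name, directory
        self.priv, self.pub = keygen()
        directory.register(name, self.pub)

    def send(self, to, text):
        return encrypt(derive_key(self.priv, self.dir.lookup(to)), secrets.token_bytes(16), text.encode())

    def receive(self, frm, blob):
        return decrypt(derive_key(self.priv, self.dir.lookup(frm)), blob).decode()

    def verify_peer(self, peer, out_of_band_fp):
        """Compare what the directory claims is the peer's key against a fingerprint obtained elsewhere."""
        return fingerprint(self.dir.lookup(peer)) == out_of_band_fp


def run(directory):
    """Alice messages Bob through the given directory. Returns what Bob read, whether Alice's
    out-of-band fingerprint check passed, and whatever plaintext the directory operator saw."""
    alice, bob = User("alice", directory), User("bob", directory)
    blob = directory.relay("alice", "bob", alice.send("bob", "meet at 9"))
    received = bob.receive("alice", blob)
    verified = alice.verify_peer("bob", fingerprint(bob.pub))
    return received, verified, getattr(directory, "transcript", [])


if __name__ == "__main__":
    print("honest directory :", run(Directory()))
    print("insider directory:", run(InsiderDirectory(["alice", "bob"])))
```

With the honest directory the message arrives, the fingerprint check passes, and the operator sees nothing. With the insider directory the message still arrives and still authenticates, which is why the attack is transparent to both parties; the only thing that flags it is the fingerprint mismatch, and a client that never exposes key fingerprints gives its users no way to perform that comparison.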