Apple Says It Would Need to Re-Engineer iMessage to Exploit It

Apple Says It Would Need to Re-Engineer iMessage to Exploit It

Posted by · 35723 views · Translate

Apple has issued a comment on research from QuarksLab that claims 'Apple can read your iMessages if they choose to, or if they are required to do so by a government order.'

QuarksLab presented a white paper at the Hack in the Box conference detailing how a man-in-the-middle attack would work to decrypt messages. They note that since Apple controls ESS servers, and all iMessages are routed to Apple's PUSH servers, Apple is able to perform MITM:
● Apple sends fake public RSA / ECDSA key to the sender
● Apple can then decipher, alter the payload of the message and sign it before sending to its final destination.

They conclude, "So, yes, there is end-to-end encryption as Apple claims, but the weakness is in the key infrastructure as it is controlled by Apple: they can change a key anytime they want, thus read the content of our iMessages."

Independent security researcher Ashkan Soltani tells AllThingsD that while it would be difficult for outside attackers, the research appears sound.

“I think what their presentation demonstrates is that it’s very difficult, but not impossible, for an outside attacker to intercept messages if they’re able to control key aspects of the network,”said Soltani. “Probably not something that just any actor can do, but definitely something a state/government actor or Apple themselves could do, if motivated.”

Apple spokesperson Trudy Muller addressed concerns with the following statement:

“iMessage is not architected to allow Apple to read messages,” said Apple spokeswoman Trudy Muller. “The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so.”

Despite Apple's statement, Soltani remarked, “We’ve recently seen indication of companies like Skype or Lavabit being forced to enable interception capabilities in their system, so it would be naive to think that Apple wasn’t at least approached by the government at some point.”

In addition, QuarksLab hinted that it might be possible for the NSA to replace Apple to perform the MITM. "Clearly, not the many people have such capabilities. Maybe 3 letters agencies... Who knows."

The full report can be found at the link below...

Read More [via AllThingsD]

Apple Says It Would Need to Re-Engineer iMessage to Exploit It

Apple Says It Would Need to Re-Engineer iMessage to Exploit It

Rich - October 21, 2013 at 3:17am
There seems to be a big issue on hacking iMessage when Apple actually backup deleted iMessages and stre them in plain text. So everyone who things when they delete a SMS or iMessage they are gone they are not gone they are stored on the phone and then stored in a backup on the pc. So the bigger question is why do apple backup deleted SMS,iMessages and call history.?
Paul - October 19, 2013 at 10:44am
Apple says it cant read your iMessages. QuarksLab says Apple can.
Camfella - October 18, 2013 at 6:54pm
I'm sure it's possible for Apple to access our iMessages if they wanted, just like the telephone company could listen to our phone calls if they wanted too, and the Post Office could read our letters if they wanted too. Nothing has really changed, so what's the big deal?
Really!!! - October 18, 2013 at 8:44pm
I agree with you. Just about any company that provides services to you could intercept the very services they offer you "if they were motivated"
MaKI - October 18, 2013 at 11:31pm
In these "nsa" days no company can afford that. Apple, Microsoft, noone. Its simple not good for their cloud services. Whole Europe and rest of the world is really upset about American behaviors, and trust me even evil google can simply not afford such a thing. Otherwise rest of the world will just reject to use their ecosystems - no money for you. 250 millions of Americans are nothing compare to 6 billion of potential customers. We all are aware, that most of the cloud services and biggest software companies are coming from USA and we do not have something comparable. But trust me, as im European guy, we do not need you big brother, even if we are so socialist... We can eat our bread and drink our milk... Till now we didn't care that you have been watching our network traffic, going through your servers, but remember everything you use now is not made in USA, so you should be scared, if we are not watching you from China... Btw back to the subject, as far as I remember, imessages are peer2peer, what data can apple hold? Mr. this, was communicating with Mr. This. At this time? Don't eat this hoaxes, otherwise you will become too paranoiac :-)
3 More Comments