Following the Snowden scandal, Apple Inc. and others are fighting back against claims that they are complicit in offering governments access to your communications. Earlier this year, the Cupertino company claimed that the end-to-end encryption protecting its iMessage service is so secure that the company itself can’t decrypt messages. This claim, however, was quickly refuted by the security company QuarksLab on Thursday.
Apple can read your iMessages
“Apple Inc. can read your iMessages if they choose to, or if they are required to do so by a government order,” QuarksLab said in a white paper presented Thursday at the Hack in the Box conference.
As I’m not a hacker, I’ll quickly summarize the byzantine findings. QuarksLab claims that because Apple Inc. controls the keys used in encryption on both ends, the company could launch a “man-in-the-middle attack” that would leave both parties believing that they are chatting directly with each other when they are not. This would, therefore, allow Apple Inc. to read iMessage communications.
There is no end-to-end encryption
“As Apple Inc. claims, there is end-to-end encryption,” QuarksLab explains. “The weakness is in the key infrastructure as it is controlled by Apple Inc. They can change a key any time they want, [and] thus read the content of our iMessages.” QuarksLab, it should be noted, has no evidence that Apple Inc. does or has done this. Its presentation begins with this explicit statement: “What we are not saying: Apple reads your iMessages. What we are saying: Apple Inc. can read your iMessages if they choose to, or if they are required to do so by a government order.”
So far, the security community seems to agree with QuarksLab’s claims.
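The weakness QuarksLab describes is that the sender encrypts to whatever key the operator's directory returns. The following is an added example, not code from QuarksLab or Apple, showing how a client that pins key fingerprints notices a changed key, and why a client with no prior pin needs an out-of-band fingerprint check. The `KeyDirectory` and `PinningClient` classes are hypothetical, and the keys are random bytes standing in for real public keys.

```python
import hashlib
import secrets


def fingerprint(public_key):
    """Truncated SHA-256 fingerprint that two users can read aloud or compare in person."""
    digest = hashlib.sha256(public_key).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))


class KeyDirectory:
    """Hypothetical operator-run directory: it alone decides which key a lookup returns."""

    def __init__(self):
        self._keys = {}

    def publish(self, user, public_key):
        self._keys[user] = public_key

    def lookup(self, user):
        return self._keys[user]


class PinningClient:
    """Sender that pins the first key seen per contact and flags any later change."""

    def __init__(self, directory):
        self.directory = directory
        self.pins = {}

    def check(self, contact, verified_fp=None):
        fp = fingerprint(self.directory.lookup(contact))
        if verified_fp is not None and fp != verified_fp:
            return "MISMATCH_OUT_OF_BAND"   # differs from what the contact confirmed
        if self.pins.setdefault(contact, fp) != fp:
            return "KEY_CHANGED"            # differs from the key pinned earlier
        return "OK"


def demo():
    directory = KeyDirectory()
    bob_key = secrets.token_bytes(32)       # constructed stand-in for Bob's public key
    directory.publish("bob", bob_key)
    alice = PinningClient(directory)
    results = [alice.check("bob")]          # first lookup: key is pinned
    directory.publish("bob", secrets.token_bytes(32))   # directory now serves another key
    results.append(alice.check("bob"))      # existing pin exposes the change
    carol = PinningClient(directory)        # new sender with no pin for Bob
    results.append(carol.check("bob"))      # nothing to compare against
    results.append(carol.check("bob", verified_fp=fingerprint(bob_key)))
    return results
```

Pinning only protects contacts whose key was seen before the change; the last case shows that comparing fingerprints over a separate channel is what catches a substituted key on first contact.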
Apple’s iMessages security
“I think what their presentation demonstrates is that it’s very difficult, but not impossible, for an outside attacker to intercept messages if they’re able to control key aspects of the network,” independent security researcher Ashkan Soltani told AllThingsD. “Probably not something that just any actor can do, but definitely something a state/government actor or Apple Inc. themselves could do, if motivated.”
Apple Inc. has recently fired back by sticking to the claims it made earlier this year.
“iMessage is not architected to allow Apple Inc. to read messages,” said Apple spokeswoman Trudy Muller in a statement to AllThingsD. “The research discussed theoretical vulnerabilities that would require Apple Inc. to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so.”
At the end of the day, it’s just a matter of how much you trust Apple Inc.