A new study released by QuarksLab yesterday has made the claim that Apple can read iMessages at any time they like. Today, Apple said in a statement for AllThingsD that “iMessage is not architected to allow Apple to read messages”.
For quite some time, Apple has been insisting that they have no way of viewing iMessage communications thanks to the wall to wall encryption they have on the service. Their claim has always been that even if they wanted to (which they say they don’t), it would be completely impossible to break that encryption code.
QuarksLab disputes this, however. They say the encryption may be there, but the assertion that it stops them from viewing communications is misleading. All it would take is a small adjustment and that content would be open to them and anyone they chose to hand over access to.
“The weakness is in the key infrastructure as it is controlled by Apple: They can change a key anytime they want, thus read the content of our iMessages,” the study asserts.
Here is how it basically works:
Apple has full control of the keys that are used to protect the data going from one sender to another. If they were to change that key, which they could do at any time, it would effectively put them in the middle of that data. As it passed from one to the other, the third party is now monitoring all communications with the two sides having no idea.
QuarksLab was quick to point out that they have no evidence that this has occurred, or that Apple plans to do so in the future. However, the capability is there, and the company has been dishonest about the true protection of information on iMessages. Apple spokeswoman Trudy Muller said that iMessage was not built to be exploited:
The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so.
With the NSA scandal still hot on everyone’s minds, and surveillance continuing largely unchecked from various agencies despite exposure, this is a concern. All it would take is a court order for this back door to be exploited.
Do we really trust Apple, or any other company, not to use this access? Is it likely they haven’t done so already? Given the cooperation of various tech brands with the government in their shady citizen monitoring, it would be ridiculous not to assume otherwise. Even without an ounce of an accusatory tone from QuarksLab, there is a note of disbelief there.
The good news is that this exploitation would make it near impossible for outside hackers to gain access. Unfortunately for Apple users, the threat might come from their own government.