Apple says that when people communicate using its iMessage service, their chats are secured using strong encryption. But security researchers are questioning the company’s claims after uncovering what they say is a flaw that enables the messages to be spied on.
Back in April, Apple’s iMessage service attracted attention after a document showed that the Drug Enforcement Agency was complaining internally about not being able to snoop on communications sent using the service. Apple has consistently said that the messages are exchanged using “secure end-to-end encryption,” meaning it can’t hand them over to authorities. Even after the technology giant was linked to the National Security Agency ‘s PRISM surveillance program in June, it put out a statement reiterating that iMessage conversations “are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data.”
However, it seems that the service is not as secure as Apple would like to have you believe. Two researchers at the security firm Quarkslab claim that they have been studying the protocol used by iMessage, and that “Apple can technically read your iMessages whenever they want.” The researchers, who are due to present their findings at the HITB Security Conference in Asia in October, have apparently found a way to circumvent the encryption using a so-called “man-in-the-middle” attack, which usually involves a hacker covertly bypassing the encryption by using a fake security certificate.
That this may be possible with iMessage is not evidence that Apple has been covertly reading people’s messages, but it does mean that the company’s encryption is vulnerable to being exploited by a sophisticated hacker group or spy agency. One of the Quarkslab researchers told Techcrunch that “the iMessage protocol is strong,” though added that “Apple or a powerful institution (NSA is randomly chosen as an example) could tamper with it.” The researchers say that they are planning to release a tool that will shield against potential iMessage snooping attacks, and hope to work with Apple to strengthen the security of the service. Apple had not responded to a request for comment at time of publication.