Apple's iMessage encryption claims refuted (again)

Apple has claimed iMessage and FaceTime are protected by end-to-end encryption. But encrypted to whom?

Image: CNET

In June, Apple released a statement with details on the number of requests it receives from government agencies for customer records (answer: about 1,000 per month). In the statement, Apple claimed that iMessage – which lets users send free texts over Wi-Fi – uses end-to-end encryption and therefore cannot be decrypted by Apple:

For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data.

The claim was almost immediately refuted by security researchers, including Matthew Green, a cryptographer and research professor at Johns Hopkins University, who wrote: "If you use the iCloud backup service to back up your iDevice, there's a very good chance that Apple can access the last few days of your iMessage history." 

More recently, researchers at the Hack in the Box conference in Kuala Lumpur showed it would be possible for someone inside Apple, either a rogue employee or one compelled by the NSA, to intercept iMessages.

iOS jailbreak developer Cyril Cattiaux (via Macworld) explains that "Apple has full control over this public key directory" trading off ease-of-use for the user for transparency about the pubic keys. Traditional public servers (like MIT's PGP Public Key Server) allow the sender to see information, like when a key changed, so they can decide whether or not to trust it.

Cattiaux explains:

The biggest problem here is you just cannot control that the public key you are using when you are ciphering the message is really the key of your recipient and not, for example, the public key of some guy in Apple.

A solution would be for Apple to store public keys in a protected database on the iOS device so that they could be compared, according to Cattiaux. A proof-of-concept application called MITM Protect was released for jailbroken devices that does just that.

Is the sky falling? No, not exactly.

Paul Kocher, president and chief scientist of Cryptography Research, tells Macworld that "People generally can’t assess or control of the risks of cloud-based services since the data is maintained on systems that can’t be audited." He goes on to say that "it isn’t fair to criticize Apple too heavily since other services aren’t better (and most are worse)."

It's simple, really. Don't say anything illegal on iMessage or Facetime and assume that the NSA is always watching.