Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Show Apple Can Read iMessages

Posted by timothy on from the leetspeak-vs-panopticon dept.

Trailrunner7 writes "The Apple iMessage protocol has been shrouded in secrecy for years now, but a pair of security researchers have reverse-engineered the protocol [original analysis] and found that Apple controls the encryption key infrastructure for the system and therefore has the ability to read users' text messages–or decrypt them and hand them over at the order of a government agency. ... The researchers found that while that basic framework makes sense from a security point of view, there are a number of issues with the iMessage system. One major issue is that Apple itself controls the encryption key infrastructure use for iMessage, and has the keys for each individual user. The upshot of this is that Apple has the ability to read users' messages if it so chooses. The researchers who looked at iMessage, known as Pod2g and GG, said that there is no evidence that Apple is in fact reading users' iMessages, but it's possible that the company could. Users' AppleID passwords also are sent in clear text to the Apple servers."

5 of 124 comments (clear)

  1. Terrible summary by AmiMoJo · · Score: 4, Insightful

    The fact that Apple can read iMessages and hand them over to the authorities is hardly surprising, especially given that we know they co-operate with the NSA. TFS leaves the last and far more interesting bit right until the end: Usernames and passwords sent in cleartext.

    In other words all those people using Starbucks' free wifi are broadcasting their Apple ID and password to everyone else in range.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Terrible summary by Ash+Vince · · Score: 4, Insightful

      The fact that Apple can read iMessages and hand them over to the authorities is hardly surprising, especially given that we know they co-operate with the NSA.

      Excuse me, but how do we know this? Except for your prejudice and paranoia, do you have any actual evidence?

      Any US based executive that refused to co-operate with an NSA request can be sent to prison. You can try challenging them in the relevant (secret) mickey mouse course of rubber stamps or you can look for the odd work around like just disclosing what you have from the logs then closing down your entire service so you do not have to do it again.

      --
      I dont read /. to RTFA, I read /. to offend people in ignorance.
    2. Re:Terrible summary by Anonymous Coward · · Score: 2, Insightful

      From TFA: "we saw our AppleID and password going through this SSL communication".

      The password is cleartext over an SSL connection. So, no, all the people in Starbucks are not broadcasting to everyone else in range. Apple just isn't hashing, encrypting or otherwise obscuring the password when sent through the SSL connection. So they have access to the password in iMessage; they have access to the password when someone uses icloud.com, appleid.apple.com, or any other Web based access to Apple Services so, it isn't much different.

  2. of greater concern than TFA by nimbius · · Score: 4, Insightful

    at no time should we have any expectation of privacy in a SaaS or PaaS environment that is controlled by an american company. the government has numerous laws that require corporations to preserve data for investigation both with and without a warrant provided, which in turn guarantees corporations will engineer systems to ensure they are compliant. Corporations do not exist to pick fights with the government or question legislation until it begins to impact their quarterly earnings, and as most people arent concerned about their privacy its only natural corporations in turn arent either. if snapchat users, gmail users, facebook users and paypal users en-masse boycotted their respective service providers, im certain the message would be clearly sent that spying on customers kills business.

    but as customers are clearly powerless to do anything about the spying, and corporations are well aware of this, nothing will change. we need our gmail and our facebook if only because we're without alternative or uncomfortable with the idea of learning something new. You'll eventually need an app that resists snooping, which is hard when apple controls the platform and can simply engineer access to your messages through numerous means such as keylogging.

    --
    Good people go to bed earlier.
  3. No fingerprint sharing by MikeMo · · Score: 3, Insightful

    I'm sorry, but part of your comment is just plain wrong. Firstly, Apple is not collecting your fingerprint, only something similar to a hash of the fingerprint's characteristics. Secondly, it isn't shared with anyone. Thirdly, the explicitly state in this article that your actual fingerprint can not be reverse engineered from the data the store on the phone.

    In addition to this, the NYPD's stated reason for pushing the iPhone 5s is that it makes iPhone theft a thing of the past, which it clearly, demonstrably does. The link you posted saying NYPD is after the fingerprints is clearly, demonstrably false. Now, I'm sure you can find folks that say something different, but I can also show you pictures of Obama shaking hands with space aliens - you can find anything you like, but it doesn't make it true.

    Finally, Apple (and Google) outright deny sharing data with the NSA.

    You can continue to believe that they are sharing if you like, but stating that they have admitted they are sharing is incorrect.