Slashdot Mirror
Researchers Show Apple Can Read iMessages
Trailrunner7 writes "The Apple iMessage protocol has been shrouded in secrecy for years now, but a pair of security researchers have reverse-engineered the protocol [original analysis] and found that Apple controls the encryption key infrastructure for the system and therefore has the ability to read users' text messages–or decrypt them and hand them over at the order of a government agency. ... The researchers found that while that basic framework makes sense from a security point of view, there are a number of issues with the iMessage system. One major issue is that Apple itself controls the encryption key infrastructure use for iMessage, and has the keys for each individual user. The upshot of this is that Apple has the ability to read users' messages if it so chooses. The researchers who looked at iMessage, known as Pod2g and GG, said that there is no evidence that Apple is in fact reading users' iMessages, but it's possible that the company could. Users' AppleID passwords also are sent in clear text to the Apple servers."
The fact that Apple can read iMessages and hand them over to the authorities is hardly surprising, especially given that we know they co-operate with the NSA. TFS leaves the last and far more interesting bit right until the end: Usernames and passwords sent in cleartext.
In other words all those people using Starbucks' free wifi are broadcasting their Apple ID and password to everyone else in range.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
"The upshot of this is that Apple has the ability to read users' messages if it so chooses."
I do not think upshot means what you think it means.
at no time should we have any expectation of privacy in a SaaS or PaaS environment that is controlled by an american company. the government has numerous laws that require corporations to preserve data for investigation both with and without a warrant provided, which in turn guarantees corporations will engineer systems to ensure they are compliant. Corporations do not exist to pick fights with the government or question legislation until it begins to impact their quarterly earnings, and as most people arent concerned about their privacy its only natural corporations in turn arent either. if snapchat users, gmail users, facebook users and paypal users en-masse boycotted their respective service providers, im certain the message would be clearly sent that spying on customers kills business.
but as customers are clearly powerless to do anything about the spying, and corporations are well aware of this, nothing will change. we need our gmail and our facebook if only because we're without alternative or uncomfortable with the idea of learning something new. You'll eventually need an app that resists snooping, which is hard when apple controls the platform and can simply engineer access to your messages through numerous means such as keylogging.
Good people go to bed earlier.
It seems to me that most of these big, high visibility companies haven't bothered waiting for "orders" from anyone. They've been just rolling over like good little bitches and turning information over based merely on requests.
All that schpeal about how they can decrypt your messages, but this gets a single sentance at the end: "Users' AppleID passwords also are sent in clear text to the Apple servers."? Would that pe the same AppleID that is tied to a credit card, so you can buy things in the Apple store?
That Apple can read your messages is not at all supriseing, THIS tidbit is shocking!
Yep. I just bought the entire Grateful Dead catalog on your credit card. Thanks!
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
You're reverse-engineering it wrong.
Did these researchers offer any insight as to the religious tendencies of the pope or the defecatory habits of bears in woodland environments?
Now we're closer to an imessage SMS gateway...
It's "spiel."
You're welcome.
Bazinga.
One illegal unconstitutional agency to rule them all and in the darkness blind them.
-- Tigger warning: This post may contain tiggers! --
I'm sorry, but part of your comment is just plain wrong. Firstly, Apple is not collecting your fingerprint, only something similar to a hash of the fingerprint's characteristics. Secondly, it isn't shared with anyone. Thirdly, the explicitly state in this article that your actual fingerprint can not be reverse engineered from the data the store on the phone.
In addition to this, the NYPD's stated reason for pushing the iPhone 5s is that it makes iPhone theft a thing of the past, which it clearly, demonstrably does. The link you posted saying NYPD is after the fingerprints is clearly, demonstrably false. Now, I'm sure you can find folks that say something different, but I can also show you pictures of Obama shaking hands with space aliens - you can find anything you like, but it doesn't make it true.
Finally, Apple (and Google) outright deny sharing data with the NSA.
You can continue to believe that they are sharing if you like, but stating that they have admitted they are sharing is incorrect.
That last link is akin to reading Onion and considering it real news. Only the Chinese gov. will assume it to be true info.
It's a bit stronger than that. Yes, Apple can, but so can any man-in-the-middle. So you have to trust the entire chain of connections between you and Apple.
Now man-in-the-middle attacks aren't that common, but they also aren't that difficult. It would probably only affect a small group of people at a time, depending on where the compromise took place. But this would seem to mean that Apple may have been telling the truth when they denied sharing information with the NSA. The NSA didn't need to ask them.
I think we've pushed this "anyone can grow up to be president" thing too far.
And yet it is a word that has a meaning that fits with the way it was used in the sentence. Funny that.
He who controls the spice controls the universe.
Google can read your email!
Jabber servers can read your IMs! So can Yahoo! So can AOL!
Oh wait, this is Apple. Nevermind, carry on with the hysterics.
(FYI: No matter what scheme you devise, key management always gets you because if Apple doesn't have the keys, it makes iMessage much, much harder to use. If they do, then someone can snoop the messages. If you use a chain of trust, who ever sits at the top of the chain can be compromised. In an ideal world, people would learn about crypto keys and understand how to manage them, but you'd have to meet face to face to avoid mistaken identities).
Natural != (nontoxic || beneficial)
http://slashdot.org/story/13/04/04/1825231/want-to-keep-messages-from-the-feds-use-imessage These guys called it http://www.techdirt.com/articles/20130405/01485922590/dea-accused-leaking-misleading-info-falsely-implying-that-it-cant-read-apple-imessages.shtml So leaked documents are being used for disinformation. Hmm... http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document
The system appears secure; hacking it requires injecting your own certificate into the trusted roots on the device.
Further, forging messages requires you compromise the private key which is only contained on the device (Apple doesn't know it). The public key is submitted to Apple's push CA which generates a certificate. The public part of your key is what other devices see when they get a copy of your certificate. So far, so good.
The issue is, of course, that Apple controls the CA so in theory if the government ordered them to issue a certificate in your name to the government, the gov could then monitor your communications or forge your identity.
Apple claims not to be able to read iMessages and that appears to be true, and as far as I'm aware not even the Patriot act requires them to issue forged certificates (aka allow the government to impersonate you digitally). So insofar as the law works and is followed, there is no legal authority to compel Apple to issue bunk certificates.
For the curious, when you send a message it contacts Apple and requests the list of public certs for a given URI (telephone number, email address, etc). Apple responds with a list of the public certs issued to each of your registered devices, which the client then uses to send messages encrypted with that public key to each, and also signed with your own private key. The receiver does a similar lookup and uses your public key to validate the signature (proving you sent the message and that it was sent from the correct device even), then uses its own private key to decrypt the message you encrypted with the public key.
I'm not sure how this could be improved. No matter what you do, someone has to be in charge of saying "The certificate for mobile number xxx-yyy-zzzz is ..." and that gives you a chain of trust problem. The alternative is requiring every iMessage user to meet face-to-face to exchange keys before sending any messages.
Natural != (nontoxic || beneficial)
Secured or not. Encrypted data have to be decrypted somewhere. :(
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Theoretically the Constitution could be changed such that only dogs are allowed to have any control of the government, vote, run for office, piss on the sidewalk, etc. But it is unlikely. Trust me.
If your SSL connection is MITM'd you are boned anyway, and have far bigger problems. If the NSA is MITMing Apple (or microsoft/google) services, then they could just as easily deploy a signed keylogging trojan (if iOS or WinMobile or Android, etc. doesn't already have one pre-installed) to monitor everything via your device.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.