Apple’s claims about the security of its iMessage service might not be totally true

Researchers: “If the informations being exchanged are sensitive to the point that you don’t want any government agencies to look into them, don’t.”
Researchers: “If the informations being exchanged are sensitive to the point that you don’t want any government agencies to look into them, don’t.”
Image: Reuters/Lucas Jackson
We may earn a commission from links on this page.

Remember when Apple said it couldn’t read your iMessages? It turns out that isn’t necessarily true.

Apple, it appears, could potentially read texts sent via its iMessaging service, according to a presentation given by security researchers at Quarkslab on Thursday (Oct. 17) titled “How Apple Can Read Your iMessages and How You Can Prevent It.” While iMessages, as Apple has rightfully claimed, are encrypted and therefore difficult to read, they aren’t as impossible to read as Apple’s claims might strictly suggest. (IMessage is an instant messaging service developed by Apple that allows iPhone, iPad and iPod and Mac users to send messages back and forth over the internet.)

This is what the company said back in June:

Conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data.

The claim is essentially that while Apple can see who is sending a message, and to whom that message is being sent, it cannot see what the message contains. The researchers, however, came to a rather different conclusion:

Apple’s claim that they can’t read end-to-end encrypted iMessage is definitely not true. As everyone suspected: yes they can!

The catch, according to researchers, has to do with encryption keys used by Apple’s iMessaging service. When a user decides to send an iMessage to someone, the recipient’s key is fetched from Apple’s servers so that the recipient can see the message, rather than a codified encryption of it. Apple, however, can not only change a key at any time, but also, presumably, switch or include other keys without a sender or receiver knowing, say the researchers. “The weakness is in the [encryption] key infrastructure as it is controlled by Apple: they can change a key anytime they want, thus read the content of our iMessages,” they said. We actually noted the possibility of this back in June.

But just because Apple could potentially read iMessages doesn’t mean the company is actually actively doing so. Apple claims it isn’t, and there’s no evidence to suggest it is at present. Apple’s iMessage system has roughly 300 million users worldwide. Apple didn’t immediately reply to a request for comment. “The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so,” the company told AllThingsD.

As we’ve all learned over the past year, any claim that privacy is absolute and surveillance is limited is likely to have an exception.