Researchers Show Apple Can Read iMessages

Trailrunner7 writes "The Apple iMessage protocol has been shrouded in secrecy for years now, but a pair of security researchers have reverse-engineered the protocol [original analysis] and found that Apple controls the encryption key infrastructure for the system and therefore has the ability to read users' text messages–or decrypt them and hand them over at the order of a government agency. ... The researchers found that while that basic framework makes sense from a security point of view, there are a number of issues with the iMessage system. One major issue is that Apple itself controls the encryption key infrastructure use for iMessage, and has the keys for each individual user. The upshot of this is that Apple has the ability to read users' messages if it so chooses. The researchers who looked at iMessage, known as Pod2g and GG, said that there is no evidence that Apple is in fact reading users' iMessages, but it's possible that the company could. Users' AppleID passwords also are sent in clear text to the Apple servers."

Terrible summary

[AmiMoJo]

The fact that Apple can read iMessages and hand them over to the authorities is hardly surprising, especially given that we know they co-operate with the NSA. TFS leaves the last and far more interesting bit right until the end: Usernames and passwords sent in cleartext.

In other words all those people using Starbucks' free wifi are broadcasting their Apple ID and password to everyone else in range.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Terrible summary

[Ash Vince]

The fact that Apple can read iMessages and hand them over to the authorities is hardly surprising, especially given that we know they co-operate with the NSA.

Excuse me, but how do we know this? Except for your prejudice and paranoia, do you have any actual evidence?

Any US based executive that refused to co-operate with an NSA request can be sent to prison. You can try challenging them in the relevant (secret) mickey mouse course of rubber stamps or you can look for the odd work around like just disclosing what you have from the logs then closing down your entire service so you do not have to do it again.

Re:Terrible summary

[Anonymous Coward]

From TFA: "we saw our AppleID and password going through this SSL communication".

The password is cleartext over an SSL connection. So, no, all the people in Starbucks are not broadcasting to everyone else in range. Apple just isn't hashing, encrypting or otherwise obscuring the password when sent through the SSL connection. So they have access to the password in iMessage; they have access to the password when someone uses icloud.com, appleid.apple.com, or any other Web based access to Apple Services so, it isn't much different.

No fingerprint sharing

[MikeMo]

I'm sorry, but part of your comment is just plain wrong. Firstly, Apple is not collecting your fingerprint, only something similar to a hash of the fingerprint's characteristics. Secondly, it isn't shared with anyone. Thirdly, the explicitly state in this article [apple.com] that your actual fingerprint can not be reverse engineered from the data the store on the phone.

In addition to this, the NYPD's stated reason for pushing the iPhone 5s is that it makes iPhone theft a thing of the past, which it clearly, demonstrably does. The link you posted saying NYPD is after the fingerprints is clearly, demonstrably false. Now, I'm sure you can find folks that say something different, but I can also show you pictures of Obama shaking hands with space aliens - you can find anything you like, but it doesn't make it true.

Finally, Apple (and Google) outright deny [allthingsd.com] sharing data with the NSA.

You can continue to believe that they are sharing if you like, but stating that they have admitted they are sharing is incorrect.