Black-box testing reveals Apple can provide users’ iMessage or FaceTime conversations to NSA

“Ever since the National Security Agency’s secret surveillance program came to light three weeks ago, implicated companies have issued carefully worded statements denying that government snoops have direct or wholesale access to e-mail and other sensitive customer data. The most strenuous denial came 10 days ago, when Apple said it took pains to protect personal information stored on its servers, in many cases by not collecting it in the first place,” Dan Goodin reports for Ars Technica. “‘For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them,’ company officials wrote. ‘Apple cannot decrypt that data. Similarly, we do not store data related to customers’ location, Map searches or Siri requests in any identifiable form.'”

“Some cryptographers and civil liberties advocates have chafed at the claim that even Apple is unable to bypass the end-to-end encryption protecting them,” Goodin reports. “After all, Apple controls the password-based authentication system that locks and unlocks customer data. More subtly, but no less important, cryptographic protections are highly nuanced things that involve huge numbers of moving parts. Choices about the types of keys that are used, the ways they’re distributed, and the specific data that is and isn’t encrypted have a huge effect on precisely what data is and isn’t protected and under what circumstances.”

Goodin reports, “I spent the past week weighing the evidence and believe it’s an overstatement for Apple to say that only the sender and receiver of iMessage and FaceTime conversations can see and read their contents. There are several scenarios in which Apple employees, either at the direction of an NSA order or otherwise, could read customers’ iMessage or FaceTime conversations, and I’ll get to those in a moment. But first, I want to make it clear that my conclusion is based on so-called black-box testing, which examines the functionality of an application or service with no knowledge of their internal workings. No doubt, Apple engineers have a vastly more complete understanding, but company representatives declined my request for more information.”

Much more in the full article here.

[Thanks to MacDailyNews Reader “CognativeDisonance” for the heads up.]

16 Comments

    1. In other words, you made up your comment based on not reading the article.
      Did anyone who up-voted this comment actually read the article?
      If you need to know anything what it means for something to be “encrypted,” know this: there are often a LOT of places where a slight engineering mistake can make something secure into something that can be broken.
      Apple isn’t perfect, and any mistake or bad decision in building a completely secure system can result in something that can be broken, especially by those who actually run the service. The article pointed out some likely ways that an engineer at Apple might be able to break into iMessages if they are stored in a user’s iCloud backup. So, it’s one thing to say that the iMessages can’t be intercepted as they are sent. That doesn’t mean they couldn’t potentially be accessed after the fact by breaking into the backup copy in either the sender or recipient’s iCloud backup. That’s one example of what the article talks about. You could do one of two things: 1) read it and know that Apple might have been disingenuous about your safety, or 2) put your head in the sand and yell “La La La, I can’t hear you!” when someone points out that you might not be completely safe.

  1. So, when Apple says they can’t read the messages, then we must assume they are lying. However third party speculation and logical magic black boxes, says oh they “should” be able to read all messages, therefore they are.

    One fact, Apple DOES know what’s going on and release a reassuring statement.

    Second fact, columnist/blogger, doesn’t know what’s going on, and rejects reality and inserts their own.

    How do you compete with insanity?

  2. And you could say anything because you want too. Still doesn’t mean it’s true. Government already said it was frustrated because the encryption of iMessage is so good they couldn’t decode it. Another FUD story to try and make Apple look like the bad guy or something.

  3. Baloney. Apple may not actively let the NSA, etc in (but probably do).
    I DO believe however that at the point where Apple data enters the WWW, NSA and others have the ability to capture ALL info. Irregardless of their complaining that iChat is too secure.

  4. Either this guy is a genius – who knows how to force break end-to-end AES-256 encryption, leapfrogging all the technical capabilities of the all digital security, cryptography, and espionage communities as a whole by hundreds of years – or this guy is full of shit.

  5. And what is even more shocking is, “company representatives declined my request for more information.”
    Imagine that!!! A blogger asks for details on how their encrypted communications channels work, and they won’t tell him!

  6. In military, cryptographic, or espionage terms, “threat” is “what your opponent CAN do to you,” not what they WANT or WILL do. In order to demonstrate the THREAT, all the reviewer had to do was demonstrate that a path to third-party access to the messages exists, and it seems to me that he demonstrated that path probably exists.

  7. If Apple does the encryption then they have the key. They can also hand that over to the NSA.

    Thanks Tim Cook, for betraying all your customers, you spineless sack of $hit. You wold have Mande a great Concentattion Camp commandant.

    Thanks to all you assholes who voted for that Kenyan Hitler scum.

    1. Yeah, no.

      Apple does not have the key, because new keys are generated for each call and never sent to an Apple server.

      Now, quickly, get back in your cave, before the socialists try to steal it!

    2. I didn’t vote for the creep from Hawaii (whose mom is a distant cousin of Bush and Cheney – really) but I hope the right wingers who don’t like the Democrats were equally annoyed by the Republicans violating the Constitutional protections of civil liberties.

      Democrats and Republicans are two sides of a Mobius strip.

  8. The question is not whether Apple or the NSA “could” read iMessages or FaceTime chats.

    Apple stated it provides encryption that only the involved devices can decrypt, and Apple cannot simply look at your account and read your messages. That’s correct.

    However, to say that the NSA or Apple could never open your iMessage or FaceTime chat is simply stupid. Of course they can. It’s a matter of resources to decrypt.

    Apple may have the ability to decrypt messages if it is properly served a warrant to do so. The NSA certainly could break encryption given enough time and resources. Apple’s point is that anything it stores is encrypted and cannot be simply opened and read by Apple.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.