Apple reiterates: iMessage is not architected to allow us to read messages

“Touting its commitment to user privacy in the wake of the NSA surveillance scandal earlier this year, Apple said that the end-to-end encryption protecting its iMessage instant-messenger service is so secure that even the company itself cannot decrypt it,” John Paczkowski reports for AllThingsD.

“But, on Thursday, security outfit QuarksLab disputed that claim, arguing that Apple could intercept iMessage communications if it wanted to,” Paczkowski reports. “‘Apple can read your iMessages if they choose to, or if they are required to do so by a government order,’ QuarksLab said in a white paper presented Thursday at the Hack in the Box conference.”

“Apple disagrees — vehemently,” Paczkowski reports. “Apple says that QuarksLab’s theory is just that — a theory, and one that would require a rearchitecting of iMessage for it ever to be a threat in the real world. ‘iMessage is not architected to allow Apple to read messages,’ Apple spokeswoman Trudy Muller said in a statement to AllThingsD. ‘The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so.’”


35 Comments

    1. There’s no way to verify this, but one thing to remember is that Apple did say they’d never even heard of PRISM when that whole thing came out. They also said that they only comply with valid warrants, like in the case of stolen phones. Assuming all that’s true – and I hope it is – they can be trusted.

      1. Their not hearing of, or knowing the name of, the program under which they cooperated/were compelled to do things is not the same as not cooperating/being compelled to do things.

        Similarly, Apple’s use of language in their non-denial denials conveniently slip the issue. They say iMessage was not specifically built to do what QuarksLab indicates is possible, but they do not say it can’t be done. Apple says they don’t want to read anyone’s iMessages, but they don’t say they wouldn’t (say, if compelled to by a National Security Letter, which they could not even admit to, as per the terms of the letter), or that they would/could actively prevent another entity from doing so.

        It’s all a very carefully crafted statement, allowing them to disavow nothing in a public way, that makes it sound as if they are disavowing everything.

        Apple is being permitted to carve out this niche for itself, as having the possibly more trustworthy communications system. The reason is to a] lull the vast majority of the public into a sense of complacency about the ugly reality – that you are under the microscope 24/7 when online in any capacity, on any system, and b] to get the ‘low hanging fruit’ so to speak – those idiots dumb enough to believe that there is a place where they can say & do things without concern. Maybe these people are future leaders in business or government that the NSA wants to get dirt on in order to control them eventually. Maybe they are nothing more than fools who can be hoovered up & used as statistics for justifying the existence of the spying organizations, when public pressure amps up to eliminate them. Maybe they are simply opposed to the system, effective in their legal opposition & swaying public opinion, but also human with weaknesses that can be found & exploited, thus silencing them. Maybe they are actual criminals.

        There’s no way to know which way the sword will be pointed or why, is there? And no way to base your trust in either the system, or those who build & administer it.

        If Apple wants that trust, they have to say more than these mealy pronouncements do. They have to do more to prove they are on the side of those using their goods & services, as opposed to turning a ‘blind’ eye to the alphabet organizations the world over as they use Apple’s goods & services for their own controlling ends.

        Otherwise, these stories are as relevant as the ones my grandmother used to watch on weekday afternoons – melodramatic statements made by fake characters to service a fictional storyline.

      1. English is a living language. We don’t speak the words of Shakespeare any more.

        In 200 years, if mankind is still alive, we won’t be speaking your English either.

        1. unfuck you, a thousand apologies, sahib:

          architect |ˈärkiˌtekt|
          noun
          a person who designs buildings and in many cases also supervises their construction.
          • a person who is responsible for inventing or realizing a particular idea or project: a chief architect of the plan to slash income taxes.
          verb [ with obj. ] (usu. be architected) Computing
          design and make: few software packages were architected with Ethernet access in mind.
          ORIGIN mid 16th cent.: from French architecte, from Italian architetto, via Latin from Greek arkhitektōn, from arkhi- ‘chief’ + tektōn ‘builder.’

        2. … “English is a living language”, I wish you wouldn’t use Shakespeare as your totem for a “classical language basis”. He invented hundreds of words and usages, most not imagined before he wrote them down.
          While I can fully understand that foul-mouth ultra-conservative botvinnik’s point of view – the language is codified, don’t fsck with it – he’s an ultra-conservative and wishes we were all safe in our caves, protected by our clubs and fist – fergit them-that new-fangled stone axes.

          1. them-THAR! And fistS is plural – not the checkers’ fault.

            On-Topic: Apple has said several things that are “questionable”, but we need to decide who we want to trust. Do we want Apple to be creating un-openable puzzle-boxes that can be used against governments and terrorists alike? Or do we want the government – say, the demonized Bush II or Obama administrations – to be able to use our words against us without the benefit of a warrant. While I am opposed to “the authorities” (the NSA, for example … blow up a whale for Christ) gathering my postings – such as THIS one – without so much as a warrant, I’m not sure I want to block a criminal investigation, backed by well-considered warrants, because a code can’t be breached.

      2. When tech-speak takes over. English is a living language, but it has rules and conventions that provide for standards and norms out of which it grows organically. What drives this desire to take nouns and distort them into unnecessary new verbs when perfectly good verbs already exist is the desire in every profession and specialty to create their own language. The same happens in medicine, law, art, government, etc. It may rightly sound jarring to the ear, but English itself is a jumble of words and phrases from multiple languages, with incredible malleability and capacity for neologisms.

    1. I don’t know who funds them but Cyril Cattiaux works there and is an avid iOS hacker and webkit hacker.

      Most of his work finds its way into almost every jail breaking tool that has been released.

        1. I’m only guessing that he is the one working on iMessage.

          If anyone is seriously concerned Apple will start decoding their iMessage data then QuarksLab has already released a tool to record the encryption keys used in iMessage communications for the purpose of detecting if someone is changing the keys around on you.

          iMITMProtect – https://github.com/quarkslab/iMITMProtect

            1. These guys do this stuff for fun mostly.

              I wouldn’t be concerned personally. They’ve found that iMessage is susceptible to a man in the middle attack – big deal, most cryptographic systems out there are prone to this.

              It would take time, money and skill to redirect the traffic and perform the attack. You’d have to be a pretty big target for the government to spend the resources to get your data.

              I’d wager for the everyday user iMessage is pretty solid for protecting your communications.

            2. Apple is dead serious in its commitment and dedication.

              Though the result is fun products, there’s a huge difference between that and “doing things for fun”; let’s call a hack a hack and never compare the two, please.

            3. Hacking is fun. For a lot of people in the field it’s downright addictive.

              Security, hacking, penetration testing and cryptography take just as much passion and dedication as making a finished product.

              I’d rather groups like this found any security shortcomings in the products I use and advertised them so that they can be fixed vs. no one having a clue and finding out later they were exploited.

              The findings by this group so far actually reinforce Apple’s stance that iMessage is secure.

  1. People can snidely suggest what they like but the evidence that iMessage and FaceTime are encrypted and sealed off from the NSA is that they have been complaining in memos about message trails going dark at Apple. From April 2013: “A recent Justice Department memo revealed by CNET shows law enforcement’s frustration with Apple’s encrypted iMessage software. The internal memo, sent by the Drug Enforcement Administration, calls iMessages “a challenge to DEA intercept” and notes that messages sent between two Apple devices — the ones that turn blue in users’ chat windows — cannot be captured by monitoring devices.”

    Do these Quarkslab people think the NSA is playing dumb to make Apple look secure? I think not!

    1. Is the Justice Department chasing down the person who leaked that memo? If not, then it was a deliberate leak, meant to sow disinformation.
      The media helps the government “leak” whatever story they WANT to get out, even if it is technically illegal. When the leak is ordered by someone for propaganda reasons, that person is not prosecuted. When the leak is to uncover things that make the government look bad (and/or reveal criminal behavior by officials), the leaker is crucified in the press, chased down, arrested, silenced, held in solitary confinement for years (i.e. tortured), and eventually given a sham trial where he/she may be bullied into a plea deal to avoid maximum charges that equate to a life sentence.

      So, I think it is certainly possible that a memo that may have been intentionally leaked might be a trick similar to that of Br’er Rabbit : “Oh, please, Br’er Fox, don’t throw me into the briar patch!”
      http://en.wikipedia.org/wiki/Br'er_Rabbit

      That said, I hope Apple is right. Don’t forget two things, though:
      1) Apple is a corporation, not a saint, and not even a human being.
      2) Apple might be forced to lie publicly by the government agencies that want to access its information secretly.

      So, even if you think Apple is great in many ways, as I do, don’t think it won’t lie or mislead in specific situations.

  2. I trust Apple here, and not the government – and I don’t like that one bit.

    The government is supposed to represent public interest and be held accountable by its citizens, and a company like Apple is just supposed to make money and be held accountable by its shareholders. This is fundamental to how democracy and capitalism function in society. But things are so fucked up now that this has been turned upside down and backwards. I should be more trusting of the government – but nearly every communication system (cell phone networks, email, Skype, the web) is known to be spied on by the government. This is completely unconstitutional and against public interest, but it goes on regardless. I should be more suspicious of Apple – but they are literally the only entity with the technical capabilities AND the integrity to operate a spy-free communication network. Trusting a single company is better than nothing at all, but this is small consolation to me when the entire system is fucked.

  3. Architected is not a word. Architect is a licensed architectural professional. Architecture is the built environment within which we live & experience life.
    Designed is the word you should have used.

    1. As botvinnik himself was forced to admit after retracting an uncalled for personal attack, architect is also a verb. It’s jarring to see and hear because you don’t come across it often, but dictionaries agree “architected” is a valid past-tense of the verb.

      Engineer is also a licensed professional noun, but is also a verb since you can engineer (v) something, be in the process of engineering (v) something, after which it is engineered (v) and may be a fine example of engineering (n).
