Posted by Kalyani M. on Oct 23, 2013
After the revelations made about NSA’s PRISM program by Edward Snowden in June, Apple claimed that conversations taking place over iMessage and FaceTime “are protected by end-to-end encryption, so no one but the sender and receiver can see or read them. Apple cannot decrypt that data. Similarly, we do not store data related to customers’ location, map searches or Siri requests in any identifiable form.”
However, according to the recent findings of the security researchers at QuarksLab, Apple’s iMessage is not as secure as it claims to be. “Apple can read your iMessages if they choose to, or if they are required to do so by a government order,” QuarksLab said in a white paper presented last Thursday at the Hack in the Box conference. Since Apple controls the encryption keys used to encrypt iMessage communication between the sender and receiver, it can theoretically conduct a “Man-in-the-Middle attack” on the two. While the sender and receiver chat with each other assuming that the communication is secured, Apple can monitor their communications.
Apple’s iMessage uses a public-private key encryption system, in which the public key is stored on Apple’s server and the private key on each device is linked to the user’s account. The public and private key pair is generated when you create an account in iCloud. So, if you want to send an iMessage to someone, the message is encrypted using the public key of the recipient, which is retrieved from Apple’s server. Only the receiver, who has the private key, can decrypt and read the message.
The problem with this system is that you do not have control over the public key of the receiver that is used to encrypt the message. You are accessing the keys through Apple’s server, so it is possible for someone from Apple to monitor your communications or to send your messages to third parties like the NSA.
The researchers emphasized that hacking iMessage to impersonate users and to read and intercept private messages is only possible if the third party is a very skilled attacker. A slide presented at the Hack in the Box conference discussed how it is technically possible to break into iMessage encryption.
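The weakness described above is that the sender accepts whatever recipient key the directory server returns. The following added example (not code from the original post, from QuarksLab's tool, or from Apple's protocol) shows one general defensive check, key pinning: remember the fingerprints of the device keys a directory has returned for an account and flag any key that was never verified. The class, function names and sample keys are hypothetical.

```python
import hashlib

def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of an encoded public key, short enough to compare out of band."""
    return hashlib.sha256(public_key).hexdigest()

class PinStore:
    """Remembers which device keys the key directory has returned for each account."""

    def __init__(self):
        self._pins = {}  # account -> set of fingerprints already accepted

    def audit(self, account: str, directory_keys: list) -> dict:
        """Compare one directory response against the keys pinned for this account."""
        seen = {fingerprint(k) for k in directory_keys}
        if account not in self._pins:
            # First contact: there is nothing to compare against, so record what we got.
            self._pins[account] = set(seen)
            return {"status": "first-seen", "new": sorted(seen), "missing": []}
        pinned = self._pins[account]
        new, missing = sorted(seen - pinned), sorted(pinned - seen)
        # A key we have never verified is the signal that matters: it may be a new
        # device, or a key substituted by whoever controls the directory.
        status = "unverified-key" if new else "match"
        return {"status": status, "new": new, "missing": missing}

    def confirm(self, account: str, fp: str) -> None:
        """Pin a key after its fingerprint was verified with the contact out of band."""
        self._pins.setdefault(account, set()).add(fp)

# Constructed sample data: opaque byte strings standing in for encoded public keys.
BOB_PHONE = b"constructed-sample-key: bob phone"
BOB_LAPTOP = b"constructed-sample-key: bob laptop"
UNKNOWN = b"constructed-sample-key: not one of bob's devices"

def demo():
    store = PinStore()
    first = store.audit("bob@example.com", [BOB_PHONE, BOB_LAPTOP])
    same = store.audit("bob@example.com", [BOB_LAPTOP, BOB_PHONE])
    extra = store.audit("bob@example.com", [BOB_PHONE, BOB_LAPTOP, UNKNOWN])
    return first["status"], same["status"], extra["status"], extra["new"]

if __name__ == "__main__":
    print(demo())
```

Pinning cannot vouch for the very first response; it only makes later changes to the key set visible so they can be verified before anything is encrypted to the new key.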
Independent security researcher Ashkan Soltani said, “I think what their presentation demonstrates is that it’s very difficult, but not impossible, for an outside attacker to intercept messages if they’re able to control key aspects of the network. Probably not something that just any actor can do, but definitely something a state/government actor or Apple themselves could do, if motivated.”
Quarkslab also shared information regarding a tool called “iMTM protect” (available for download on GitHub) that will allow iMessage users to protect themselves from these security issues. Unfortunately, this tool is ready for highly skilled computer users only. At this point, it might be difficult for average iMessage users to use this tool properly.
Responding to the findings of QuarksLab, Apple clarified that it is not possible for them to break into the iMessage encryption and read user messages. “iMessage is not architected to allow Apple to read messages. The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so.”
True Privacy with SpiderOak
The findings of QuarksLab revealed that, in order to keep your data completely secured, it is extremely important to have a properly implemented public/private key management system. Also, even if the public key is available to a third party, there should be proper security controls to prevent unauthorized access to any plaintext data. At SpiderOak, we protect sensitive user data using 256-bit AES encryption so that files and passwords remain secured. SpiderOak encrypts the files on your computer before uploading them to the server. As a result, you and only you have access to your unencrypted data. Even SpiderOak cannot read your data, because the keys used for encryption belong only to you. It is impossible for someone to gain control of your data by hacking into SpiderOak.
SpiderOak’s encryption is comprehensive: even with physical access to the storage servers, SpiderOak staff cannot know even the names of your files and folders. On the server side, all that SpiderOak staff can see are sequentially numbered containers of encrypted data. In this way, we are not capable of betraying our customers.
The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak generates a key from your password using the key derivation/strengthening algorithm PBKDF2 (using sha256), with a minimum of 16384 rounds and 32 bytes of random data (“salt”). This key is then used to encrypt/decrypt a series of strong encryption keys that are used to encrypt/decrypt your data. So, a user who knows her password can generate the outer level encryption key using PBKDF2 and the salt, then decipher the outer level keys, and be on the way to decrypting her data. Without knowledge of the password, however, the data is unreadable. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected.
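The password-to-key hierarchy described above, as an added example that is not SpiderOak's code: PBKDF2-HMAC-SHA256 with the stated 16384 rounds and 32-byte salt produces an outer key, which then wraps a random data key. The wrapping step is an assumption: the text does not give SpiderOak's key-blob format, so an HMAC-SHA256 encrypt-then-MAC construction stands in for the AES-256 step to keep the example standard-library only, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

ROUNDS = 16384    # minimum PBKDF2 round count stated in the text
SALT_BYTES = 32   # salt length stated in the text

def derive_outer_key(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password; this runs on the client only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS, dklen=32)

def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def wrap_data_key(outer_key: bytes, data_key: bytes) -> bytes:
    """Encrypt-then-MAC a 32-byte data key under the outer key.
    Stand-in cipher (assumption): an HMAC-SHA256 pad replaces the AES-256 step."""
    if len(data_key) != 32:
        raise ValueError("this sketch wraps 32-byte keys only")
    nonce = os.urandom(16)
    pad = _prf(_prf(outer_key, b"enc"), nonce)           # one-time pad for this nonce
    sealed = bytes(a ^ b for a, b in zip(data_key, pad))
    tag = _prf(_prf(outer_key, b"mac"), nonce + sealed)  # integrity over nonce + ciphertext
    return nonce + sealed + tag

def unwrap_data_key(outer_key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then recover the data key; a wrong password fails here."""
    nonce, sealed, tag = blob[:16], blob[16:48], blob[48:]
    expected = _prf(_prf(outer_key, b"mac"), nonce + sealed)
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or corrupted key blob")
    pad = _prf(_prf(outer_key, b"enc"), nonce)
    return bytes(a ^ b for a, b in zip(sealed, pad))

def demo():
    salt = os.urandom(SALT_BYTES)   # not secret; stored beside the wrapped key
    data_key = os.urandom(32)       # random key that would encrypt the file data
    passphrase = "constructed sample passphrase"
    blob = wrap_data_key(derive_outer_key(passphrase, salt), data_key)
    recovered = unwrap_data_key(derive_outer_key(passphrase, salt), blob)
    try:
        unwrap_data_key(derive_outer_key("wrong guess", salt), blob)
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    return recovered == data_key, wrong_rejected, len(blob)
```

Only the salt and the wrapped blob would need to be stored server-side; neither reveals the data key without the password.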
SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.