How secure is Apple iMessage?

Posted by on Oct 23, 2013

Image from http://www.imore.com

Image from http://www.imore.com

After the revelations made about NSA’s PRISM program by Edward Snowden in June, Apple claimed that conversations taking place over iMessage and FaceTime  “are protected by end-to-end encryption, so no one but the sender and receiver can see or read them. Apple cannot decrypt that data. Similarly, we do not store data related to customers’ location, map searches or Siri requests in any identifiable form.”

However according to the recent findings of the security researchers at QuarlsLab, Apple’s iMessage is not as secure as it claims to be. “Apple can read your iMessages if they choose to, or if they are required to do so by a government order,” QuarksLab said in a white paper presented last Thursday at the Hack in the Box conference. Since Apple controls the encryption keys to encrypt the iMessage communication between the sender and receiver, it can theoretically conduct a “Man-in–the-Middle attack” on the two. While the sender and receiver will be chatting with each other assuming that the communication is secured, Apple can monitor their communications. Apple’s iMessage uses public-private key encryption system, where the public key is stored in Apple’s server and the private key on each device is linked to their accounts. The public and private key pair is generated when you create an account in iCloud. So, if you want to send a iMessage to someone then the message is encrypted using the public key of the recipient, which is retrieved from Apple’s server. The receiver who has the private key can only decrypt and read the message.

The problem with this system is that you do not have the control over the public key of the receiver that is used to encrypt the message. You are accessing the keys through Apple’s server, so it is possible for someone from Apple to monitor your communications or to send your messages to third parties like the NSA.

Image from http://www.quarkslab.com/

Image from http://www.quarkslab.com/

The researchers emphasized that hacking iMessage to impersonate users, read and intercept private messages is only possible if the third party is a very skilled attacker. In this slide presented at Hack in the Box the conference it is discussed how it is technically possible to break into iMessage encryption?

Image from http://www.quarkslab.com/

Image from http://www.quarkslab.com/

Independent security researcher Ashkan Soltani said, “I think what their presentation demonstrates is that it’s very difficult, but not impossible, for an outside attacker to intercept messages if they’re able to control key aspects of the network. Probably not something that just any actor can do, but definitely something a state/government actor or Apple themselves could do, if motivated.”

Quarkslab also shared information regarding a tool called “iMTM protect” (available for download on GitHub) that will allow the iMessage users to protect themselves from security issues. Unfortunately, this tool is ready for highly skilled computer users only. At this point, it might be difficult for average iMessage users to use this tool properly.

Image from http://www.quarkslab.com/

Image from http://www.quarkslab.com/

Responding to the findings of QuarksLab, Apple clarified that it is not possible for them to break into the iMessage encryption and read user messages. “iMessage is not architected to allow Apple to read messages. The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so.”

True Privacy with SpiderOak

The findings of QuarksLab revealed that in order to keep your data completely secured it is extremely important to have a properly implemented public/private key management system. Also even if the public key is available to the third party, there should be proper security controls to prevent unauthorized access to any plaintext data. At SpiderOak, we protect sensitive user data using 256-bit AES encryption so that files and password remain secured. SpiderOak encrypts the files in your computer before uploading them to the server. As a result you and only you have access to your unencrypted data. Even SpiderOak cannot read your data because the keys used for encryption only belongs to you. It is impossible for someone to gain control of your data by hacking into SpiderOak. SpiderOak’s encryption is comprehensive — even with physical access to the storage servers, SpiderOak staff cannot know even the names of your files and folders. On the server side, all that SpiderOak staff can see, are sequentially numbered containers of encrypted data. In this way, we are not capable of betraying our customers. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak generates a key from your password using derivation/strengthening algorithm PBKDF2 (using sha256), with a minimum of 16384 rounds, and 32 bytes of random data (“salt”). This key is then used to encrypt/decrypt a series of strong encryption keys that are used to encrypt/decrypt your data. So, a user who knows her password can generate the outer level encryption key using PBKDF2 and the salt, then decipher the outer level keys, and be on the way to decrypting her data. Without knowledge of the password, however, the data is unreadable. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected.form.

SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.




5 Responses to “How secure is Apple iMessage?”

  1. Scott says:

    Wow, this is a little scary. Everyone uses iMessage now since iPhones are so ubiquitous in today’s society. To be honest, I don’t think Apple having access to your iMessages is too big of a deal (I assume cell phone providers have the same access to text messages), but an outside hacker being able to intercept messages? That has real security and privacy concerns. I wonder if it’s just a matter of time before privacy online is just a myth.

  2. Jessica says:

    Wow, it’s always scary to read all of the ways that our data might not be secure, especially since smartphones are becoming more and more of a norm when it comes to managing our lives. I try to never assume that my text messages are safe or private, or anything else that I do on a computer or smartphone. I TRY to be thoughtful of the things I post, but I also know that you can never be too careful either. So, if there’s a way to improve security on my device I’m all for it. Thanks for the recommendation. I’ll have to give SpiderOak a test drive.

  3. Darcy Harris says:

    I have followed the news about the NSA’s various surveillance programs and can say that I honestly feel torn on the issue. On one hand, I think everyone should have a reasonable expectation that their data is protected and this article’s description of SpiderOak’s services certainly sounds like a foolproof way of accomplishing this. Part of what makes America great is our freedom and a big part of that freedom is privacy. In fact, there can be no freedom without privacy and the watchful eyes of a government bureaucracy is akin to a ball and chain. Nevertheless, I still like the idea of the government taking serious steps to ensure our safety which may mean that we as citizens have to give up a portion of our privacy. I honestly don’t know where the line should be drawn and maybe this public debate is part of the process of figuring out what we are willing to sacrifice to ensure our safety. I do think that this line should not be drawn in secret by government bureaucrats and our elected officials should definitely be involved in the process. Hopefully all of this will this will result in security for ourselves and for our iPhone messages.

  4. Andra says:

    I’ve often wondered about iMessage’s security, especially if you’ve specifically chosen a carrier that isn’t part of the PRISM program (to your knowledge anyway). But I guess it’s pretty much the same. I would be interested in knowing to what extent SpiderOak offers protection on newer Apple messaging features like AirDrop — which uses the Apple ID network as iMessage.

  5. Rick says:

    Interesting, considering apple ripped off this technology from VirnetX

Leave a Reply