Saturday, October 19, 2013

'Apple can read your iMessages' claims security firm

Apple's iMessage system could be decrypted by employees on government orders, according to claims from security researchers.
Apple's iMessage system may not be as secure as they claimed 
 
Earlier this year, Apple said: "Conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data."
But Quarkslab, a Paris-based security firm, disputed those claims at a Hack in the Box conference in Kuala Lumpur on Thursday, according to Ars Technica.
Quarkslab claimed, on its blog: "Apple can read your iMessages if they choose to, or if they are required to do so by a government order."
The researchers explained that there is no evidence iMessages are being decrypted by Apple or the government, but that it would be possible.
It wrote: "There is end-to-end encryption as Apple claims, but the weakness is in the key infrastructure as it is controlled by Apple: they can change a key anytime they want, thus read the content of our iMessages."

The messages could not be read by hackers, as they would require physical control of the device and the installation of malicious software such as fake certificates.
Apple employees would not need this because, if they were working under a court order, they could control the infrastructure without tampering with the device.
Apple made its claims about encryption in June, following information leaks by National Security Agency contractor Edward Snowden, who leaked classified information about the agency's practices.
An Apple spokesman said: "iMessage is not architected to allow Apple to read messages. The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so."
 
Source: Telegraph
