Apple is pushing back against assertions that its iMessage system is open to hacking.
“iMessage is not architected to allow Apple to read messages,” Apple wrote in a message to AllThingsD. “The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so.”
In other words, Apple would need to actively build a way to hack into iMessage, something its engineers (reportedly) haven’t done.
Cyril Cattiaux, a French penetration tester with extensive experience jailbreaking iOS, presented the “research” that detailed iMessage’s “theoretical vulnerabilities” at the recent Hack In the Box security conference in Kuala Lumpur. Those vulnerabilities are internal: Apple has full control over the key server that hands out the public keys used to encrypt text sent via iMessage, which means an employee (possibly under orders from a government agency such as the NSA) could set up a variation of a man-in-the-middle attack by changing the key the server returns, and either read a message or send it along to a third party.
Because Apple keeps its key management opaque (as opposed to public key servers that expose more information about their internal workings), it’s simply impossible for an iMessage user to really know whether the system lives up to the “end-to-end security” that Apple promised. In the end, as with so many things, it all comes down to trust.
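The point about opacity is easier to see with a toy model. The following is an added illustration, not Apple’s code or material from the conference talk: a key directory that a sender must consult, one client that trusts whatever the directory returns, and one that pins the first key it saw for each contact. The user names and key blobs are constructed stand-ins, not real keys. When the directory operator swaps a key, the trusting client notices nothing, while the pinning client flags the change; this is why a directory whose behaviour can be audited (or a client that can verify keys out of band) changes the trust picture.

```python
"""Toy model of key substitution in an opaque key directory (added example)."""
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for recipients' public keys (hex blobs, not real keys).
BOB_ORIGINAL_KEY = "04a1b2c3d4e5f60718293a4b5c6d7e8f"
BOB_SUBSTITUTED_KEY = "04ffeeddccbbaa99887766554433221100"


def fingerprint(key: str) -> str:
    """Short fingerprint a user could compare out of band (constructed scheme)."""
    return hashlib.sha256(key.encode()).hexdigest()[:16]


@dataclass
class KeyDirectory:
    """Server mapping a recipient to the key a sender should encrypt to.
    Senders see only the answer, not how it was produced."""
    keys: dict = field(default_factory=dict)

    def lookup(self, user: str) -> str:
        return self.keys[user]


class TrustingClient:
    """Sender that encrypts to whatever key the directory serves, every time."""

    def check(self, user: str, served_key: str) -> str:
        return "ok"  # no state, so a substituted key is indistinguishable


@dataclass
class PinningClient:
    """Sender that remembers the first key seen per recipient and
    refuses to silently accept a different one later."""
    pins: dict = field(default_factory=dict)

    def check(self, user: str, served_key: str) -> str:
        pinned = self.pins.get(user)
        if pinned is None:
            self.pins[user] = served_key
            return "pinned"
        if pinned == served_key:
            return "ok"
        # Key differs from the pin: surface it instead of encrypting.
        return f"KEY CHANGED {fingerprint(pinned)} -> {fingerprint(served_key)}"


def run_scenario() -> list:
    """Three lookups: first contact, a repeat, then one after the directory
    operator substitutes the recipient's key. Returns (step, trusting, pinning)."""
    directory = KeyDirectory({"bob": BOB_ORIGINAL_KEY})
    trusting, pinning = TrustingClient(), PinningClient()
    events = []

    key = directory.lookup("bob")
    events.append(("first contact", trusting.check("bob", key), pinning.check("bob", key)))

    key = directory.lookup("bob")
    events.append(("repeat lookup", trusting.check("bob", key), pinning.check("bob", key)))

    # The insider scenario from the article: the operator changes the served key.
    directory.keys["bob"] = BOB_SUBSTITUTED_KEY
    key = directory.lookup("bob")
    events.append(("after substitution", trusting.check("bob", key), pinning.check("bob", key)))
    return events


if __name__ == "__main__":
    for step, trusting_result, pinning_result in run_scenario():
        print(f"{step:20} trusting={trusting_result:4} pinning={pinning_result}")
```

Pinning only detects a change after first contact; it cannot tell whether the very first key was genuine, which is why verifying a fingerprint out of band, or a directory whose answers are publicly logged, is what actually reduces the trust placed in the operator.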
This past summer, government whistleblower Edward Snowden leaked several top-secret documents to The Guardian that detailed the existence of an NSA project known as PRISM, which (reportedly) siphons information from the databases of nine major technology companies: Microsoft, Google, Yahoo, Facebook, PalTalk, YouTube, Skype, AOL, and Apple. All those tech companies, including Apple, denied participating in PRISM.
“We do not provide any government agency with direct access to our servers, and any government agency requesting customer content must get a court order,” Apple wrote in a press release soon after those revelations, and provided some data about government requests for user information. Between December 1, 2012 and May 31, 2013, the company received between 4,000 and 5,000 requests for data from between 9,000 and 10,000 accounts or devices.