back to article Apple accused over 'secure' iMessage encryption

A security researcher has suggested that Apple's claim that its iMessage app is spook-proof and secure does not stand up to scrutiny. Cyril Cattiaux, who works at the research firm QuarksLab, made his claims during a speech to the Hack in the Box conference, which were quoted by PC World – the tech news site, rather than the …

COMMENTS

This topic is closed for new posts.

You had me at "public key"

1
2
Bronze badge

Meh

Nice Soft Apple.......All your bases are ours!

0
4
Anonymous Coward

Apple accused and apple responded last week, for a much more complete and accurate story see;

http://allthingsd.com/20131018/apple-no-we-cant-read-your-imessages/

3
8
Anonymous Coward

> for a much more complete and accurate story see

Hmm... I fail to see how the story on that link was "much more complete and accurate" than this one. They repeat essentially the same content.

On the other hand, if you think El Reg's comments section is full of cluelessness, you only have to head over to that site to see how much worse things could be. :-(

3
2

"Apple accused and apple responded..."

Apple implied that interception would require a redesign of their imessage system, where they actually only need to send updated certificates. They then send "they had no plans to do this", which is not the same as "this is not possible". Their plans could be changed by a court order.

6
0

Fixed it for you

Their plans have already been changed by secret court order, the existence of which may not be revealed or even alluded to under any circumstances.

Not really any point posting as an AC, is there?

1
0
Joke

Whatever . . .

it's iMessage. Where's the need for HQ encryption? To make sure that Tracy doesn't find out that Sharon has told Lauren that she's given Trevor Clamydia and that she should go and pick up another dose of Doxycycline for herself and her other boyfriends [imagine randomly intersecting Venn diagramm here]?

Her older sister will spread the news to her mates in year 8 in school anyway . . .

4
6
Joke

Re: Whatever . . .

All the downvoters use iMessage now because they found out during the London Riots that BBMessenger wasn't all that secure and that JD Sports suddenly wanted those Nikes back.

Won't be different with Apple. Be careful!

1
1
Anonymous Coward

Apple's security is so poor it couldn't keep drunks in a brewery.

6
3
Silver badge

"Apple's security is so poor it couldn't keep drunks in a brewery."

Don't you mean OUT of a brewery? No matter, it doesn't make a difference either way...

0
0
Anonymous Coward

Not a credible position anyway..

It doesn't really matter how much crypto Apple adds - as a company with its HQ in the US it's not like they have much of a choice when compelled to provide access.

4
0

Umm...

How does the fact that Apple can change the public key mean that it can read the historical messages?

0
2

Wow non-news

Every software company producing software that requires admin privileges to install and uses cloud services can potentially create opportunities for man-in-the-middle attacks. Even the suggestion of local public keys isn't an answer. These can be compromised since the overall system/application architecture is controlled by Apple, MS, Adobe etc - and with sufficient political and legal pressure these companies can be made to implement measures. ISPs can be compelled to keep logs of transmissions (with or without knowledge of content) at any time. I don't trust any company that says its cipher solution is completely secure. Lastly, current SSL implementations may already be broken - in that event cooperation of Apple et al is superfluous. The real issue here is not Apple's ability or not to access iMessage it is the complete intrusion of governments in the secure free exchange of ideas - all under the premise of public "safety". Russia created the KGB almost 70 years ago to spy on "subversives" but ran out of money - the US just found a cheaper way to implement those policies.

1
0

The NSA can force a company to categorically state they are NOT supplying data to the government, even when they absolutely are. In order to comply with such orders a company not only can say that no one can snoop on their security but is essentially forced to make those statements.

Apple itself could very well be telling the truth that they have not developed plans to snoop, while letting the NSA develop those plans for them.

Point is: you can't trust any statements about the security of data made by any company doing business in the US. Instead, you just have to assume that whatever you send is being monitored and stored for future reference. The only real question is whether non state actors can get to it.

4
0

too harsh

>The NSA can force a company to categorically state they are NOT supplying data to the government, even when they absolutely are.

Not true.

>Point is: you can't trust any statements about the security of data made by any company doing business in the US.

Again, not true. Companies might not be able to tell you the whole truth. But they cannot be compelled to tell lies.

>Instead, you just have to assume that whatever you send is being monitored and stored for future reference.

Goes for GCHQ too, I might add. And, it's just good security practice.

0
3
Anonymous Coward

Re: too harsh

I think you need to brush up on what the NSA+FISA have been compelling companies to do and say.

3
0

transport

>Apple's iMessage is a text-messaging service which allows fanbois to send free messages over Wi-Fi.

True, but not the whole truth. It can send the messages using cell network connections as well as WiFi.

0
0
Anonymous Coward

The real point here...

The real point is that (yet again) yet another company (that should know better) is claiming that their products are secure when the law (let alone its secret amendments) clearly state that all customer data transmitted by it is open to whomever successfully claims they have the power) to demand it.

IOW, that they are lying, because once the data is transferred over compromised systems (such as those run by so many Government agencies), let alone cross referenced, indexed and filtered. if it is of any value anywhere, it may as well be considered public.

1
0
This topic is closed for new posts.

Forums