updated 10:51 am EDT, Fri October 18, 2013
Research group says mad-in-the-middle attack could be used
Apple is denying that it could or would want to intercept iMessage traffic, according to an official statement. In a white paper issued Thursday, security firm QuarksLab argued that despite Apple assurances in the past, Apple could use a man-in-the-middle attack to provide US agencies like the NSA or the FBI with demanded information. The attack would exploit the company's control of encryption keys to convince senders and recipients that they're communicating with each other, when in reality they're passing information through an unsecure point where Apple can listen. QuarksLab says it's not suggesting that Apple does listen, simply that it has the option if compelled.
The paper is reportedly being well-received by other security researchers. "I think what their presentation demonstrates is that it's very difficult, but not impossible, for an outside attacker to intercept messages if they're able to control key aspects of the network," says one researcher, Ashkan Soltani. "Probably not something that just any actor can do, but definitely something a state/government actor or Apple themselves could do, if motivated."
In its new statement, Apple claims that QuarksLab's theory is just a theory, and would require reprogramming the iMessage system. "iMessage is not architected to allow Apple to read messages," says spokeswoman Trudy Muller. "The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so."
The truth of Apple's statement is difficult to verify, since US agencies have gone after services like Lavabit and Skype to intercept communications, despite their promises of secure connections. Lavabit chose to shut down before handing over encryption information.