Security researchers shoot down Apple's claim of 'unbreakable' iMessage encryption
Researchers at a security conference have rebuffed the idea that Apple's iMessage offers unbreakable encryption. In the wake of the disclosures that the NSA's data collection activities have been more widespread than acknowledged, Apple in June said that its iMessage service is protected by end-to-end encryption. The company had asserted at that time that this makes it "impossible" for Apple or anyone else to descramble the messages.
As reported on MacWorld, however, Cyril Cattiaux, a developer of iOS jailbreaking software and a researcher for Quarkslab, a penetration testing and reverse engineering company in Paris, called the claims "just basically lies." According to Cattiaux, "The biggest problem here is you just cannot control that the public key you are using when you are ciphering the message is really the key of your recipient, and not, for example, the public key of some guy in Apple."
"If you're concerned about trusting Google or Apple with your data, but still want to use their hosted services, you need to use another layer of encryption," suggested Zak Dehlawi to CSO Online. Dehlawi is a senior security engineer for Security Innovation, a provider of products and services geared towards developing secure software. Suggestions include encrypting emails with S/MIME or PGP certificates, or using encryption plug-ins to protect messages sent over public IM networks.
The Fierce Take: The crux of the issue here has to do with the inherent complexity of computer security. Organizations such as banks and commercial entities want their customers to have confidence in their security measures, and are hence not above touting their use of "industry-standard" SSL encryption. The devil is often in the details, unfortunately, and an encrypted service may not protect against all hackers and secret court orders.
When users gain a false sense of assurance that does not match reality, they may transmit privileged information across a medium that is less secure than they think.