Update: Fresh Apple statement added
The immunity of iMessages from government surveillance has been cast into doubt by QuarksLab security researchers presenting at the Hack in the Box conference in Kuala Lumpur.
A leaked DEA document had pointed to the impossibility of intercepting iMessages even with a court order, a point that was confirmed by an apparently categorical Apple statement:
“Conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data.”
The researchers reverse-engineered the iMessage protocol and confirmed that the claim was true. However, they identified that Apple needed to hold the encryption keys on its own servers, and that simply by changing these keys, it could enable access to the message content.
“They can change a key anytime they want, thus read the content of our iMessages.”
The researchers were keen to stress that they do not believe Apple is doing, or has ever done, this – but rather that it could do so if the NSA or another government agency were to require it. Only messages sent after Apple changed the keys would be accessible.
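A client-side check that would surface the kind of key change the researchers describe, as an added example that is not code from QuarksLab or Apple: it pins the fingerprints of the keys first served for a contact and flags any key it has not seen before, so the sender can verify it out of band before encrypting to it. The `PinStore` class, the contact name and the key bytes are constructed for illustration, and the assumption that a directory may serve several keys per contact is ours.

```python
import hashlib


def fingerprint(public_key: bytes) -> str:
    """Short, comparable identifier for a public key (SHA-256, truncated)."""
    return hashlib.sha256(public_key).hexdigest()[:16]


class PinStore:
    """Trust-on-first-use pinning of the keys a directory serves per contact.

    Limitation: the first lookup is trusted as-is, so this only detects a
    substitution that happens after the contact has been pinned.
    """

    def __init__(self):
        self.pins = {}  # contact -> set of approved fingerprints

    def check(self, contact, served_keys):
        """Return (status, unexpected_fingerprints) for a directory response."""
        served = {fingerprint(k) for k in served_keys}
        pinned = self.pins.get(contact)
        if pinned is None:
            self.pins[contact] = served
            return "first-use", set()
        unexpected = served - pinned
        return ("changed", unexpected) if unexpected else ("ok", set())

    def approve(self, contact, fp):
        """Record a fingerprint the user verified with the contact directly."""
        self.pins[contact].add(fp)


def demo():
    # Constructed sample keys; real keys would be encoded public keys.
    bob_key = b"constructed-bob-public-key"
    other_key = b"constructed-substituted-key"
    store = PinStore()
    results = [
        store.check("bob", [bob_key]),             # first lookup, pinned
        store.check("bob", [bob_key]),             # unchanged directory answer
        store.check("bob", [bob_key, other_key]),  # extra key appears
        store.check("bob", [other_key]),           # key replaced outright
    ]
    store.approve("bob", fingerprint(other_key))   # after out-of-band check
    results.append(store.check("bob", [other_key]))
    return results


if __name__ == "__main__":
    for status, unexpected in demo():
        print(status, sorted(unexpected))
```
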
Apple has since issued a statement to AllThingsD:
“iMessage is not architected to allow Apple to read messages,” said Apple spokeswoman Trudy Muller said (sic) in a statement to AllThingsD. “The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so.”
This is, though, merely a weaker version of its earlier statement. Then, it said it couldn’t read iMessages; now it is saying that it could, but that it would require work and it has no intention of doing so. That Apple would not willingly do so was never in doubt: the point is that the NSA could force it to. A demonstration from QuarksLab is below:
When the NSA PRISM story broke, it led to a raft of denials in what some security researchers say was carefully crafted language. Apple, among other companies, was clearly unhappy about the secrecy imposed on it and gained permission to reveal some numbers on government requests for customer data. A meeting was subsequently held at the White House in which Tim Cook and other tech CEOs met with President Obama to discuss the issue. Details of the discussions were not made public.