
Security experts: Real-time wiretapping a possibility on iMessage

Phil Schiller, Apple's senior vice president of worldwide product marketing, discusses messaging on the new iPhone 6 and iPhone 6. (Associated Press)

Apple, in theory, could have done more.

This summer, in a major case involving drugs and guns, the Cupertino company told the FBI that it couldn’t wiretap iMessages sent in real time between suspects’ iPhones, according to a New York Times account this week.

It was impossible, the company insisted.

Simply stated, Apple encrypts those communications, scrambling them and making them unreadable to people outside the digital conversation.

However, some experts say that, while incredibly difficult to implement, such real-time spying isn’t inconceivable.

“The FBI claims that iPhones are ‘bricks’ containing no useful information and Apple claims that iMessage is ‘end-to-end’ secure,” wrote Nicholas Weaver in an August post on the LawFare Blog, recently noticed by Wired in the wake of the news. “Neither is the case.”

He’s a computer security researcher at the International Computer Science Institute in Berkeley.

In the past, Apple has responded to such conjecture as just that: “iMessage is not architected to allow Apple to read messages. The research is discussing theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so,” the company told the Washington Post in 2013.

Apple declined to comment and the FBI did not immediately respond to a request.

Encryption, such as the type Apple uses when you FaceTime your mom and iMessage your boyfriend, relies on public and private keys.

Public keys, which are meant to be shared, lock information. Private keys, which are supposed to be kept secret, unlock that info.

And because the two are mathematically related, whatever is encrypted by one can only be decrypted by the other.

Each person in the conversation owns a pair of keys.

“The problem with all of these systems, whether it’s iMessage, TextSecure or WhatsApp, is that fundamentally I need to get your public key,” said Matthew Green, an assistant professor at Johns Hopkins University’s Department of Computer Science.

The way Apple handles the issue is by storing public keys on a central server. Most people have multiple public keys: on laptops, smartphones and tablets, said Green, who has researched Apple’s encryption methods.

Apple attaches them all to a single message, ensuring that each iMessage or FaceTime call arrives on all of a user’s devices.

Therein, though, says Weaver in the post, lies a critical flaw: Today, there is no way someone sending a message can verify the recipient’s public keys, or vice versa.

That means mom doesn’t know whether you’re the only one seeing her message — or if the FBI is on the chat, too.

Apple could also be attaching its own public key to a message. That does not appear to be the case.
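As an added illustration of the verification gap Weaver describes (this is example code, not the article's or Apple's): a sender that pins the device-key fingerprints it has previously seen for a contact, so that a key later added to the directory is flagged rather than silently encrypted to. The directory contents, device names and key bytes are constructed placeholders, and the pinning scheme is a generic trust-on-first-use check, not iMessage's actual mechanism.

```python
import hashlib

# Constructed stand-in for a central key directory: contact -> {device: public key}.
# The key bytes are placeholders, not real public keys.
DIRECTORY = {
    "mom": {
        "moms-iphone": b"placeholder-pubkey-iphone-0001",
        "moms-ipad": b"placeholder-pubkey-ipad-0002",
    },
}


def fingerprint(pubkey):
    """Short hex digest two people could read aloud to confirm a key (hypothetical format)."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


class PinnedContacts:
    """Trust-on-first-use store: remembers which device-key fingerprints a contact has shown before."""

    def __init__(self):
        self.pins = {}

    def check(self, contact, directory):
        """Split the contact's current directory keys into (known, unknown) fingerprints."""
        current = {fingerprint(k) for k in directory[contact].values()}
        known = self.pins.setdefault(contact, set(current))  # first contact: pin what we see
        return current & known, current - known


def keys_to_encrypt_for(contact, directory, pinned):
    """Return the fingerprints a message would be encrypted to, refusing unverified additions."""
    known, unknown = pinned.check(contact, directory)
    if unknown:
        raise ValueError(f"{contact}: unverified device key(s) {sorted(unknown)}; confirm out of band first")
    return sorted(known)


def demo():
    pinned = PinnedContacts()
    first_send = keys_to_encrypt_for("mom", DIRECTORY, pinned)
    # Constructed: the directory later lists a third device that mom never confirmed.
    tampered = {"mom": dict(DIRECTORY["mom"], **{"extra-ipad": b"placeholder-pubkey-added-0003"})}
    try:
        keys_to_encrypt_for("mom", tampered, pinned)
        flagged = False
    except ValueError:
        flagged = True
    # With no prior pin (the situation the article describes), the extra key is accepted silently.
    unpinned_send = keys_to_encrypt_for("mom", tampered, PinnedContacts())
    return {"first_send": len(first_send), "flagged": flagged, "unpinned_send": len(unpinned_send)}
```

The contrast in `demo()` is the whole point: the pinned sender refuses the third key, while a sender with nothing to compare against encrypts to all three.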

“This may be why Apple has become the focus of the FBI’s ire ... Apple’s architecture for iMessage supports wiretapping, yet Apple refuses to support the FBI,” Weaver wrote.

But implementing such broad changes to delicate source code that wasn’t designed to allow spying could crash the entire system, said Steven Bellovin, a computer science professor at Columbia University.

“This is not something you’d do lightly, because you can take (iMessage) off the air,” he said.

“The other thing that makes it more complicated is that, right now, if you add another device to your Apple ID, all the other devices get a warning message, you’d get: ‘FBI iPad is now using this Apple ID.’”

That’s not something that many people want to see.

“Depending on how they did the implementation, disabling that could be an even more delicate operation,” said Bellovin. “So it’s not necessarily that easy a thing to do. It sounds easy from 30,000 feet, but depending on what the code looks like, it might be very hard to do reliably.”

Since the digital privacy disclosures revealed by former National Security Administration contractor Edward Snowden, Apple has insisted that it is dedicated to privacy and security.

It’s also something, executives say, that differentiates it from its competitors. But that doesn’t mean the federal government couldn’t compel Apple to make wholesale changes.

“If the government is savvy, they’ll say: ‘We need you to insert our public key so we can decrypt messages,’” said Green, who adds that today there is no legislation or litigation that would force the company to do so.

Legally, “that really hasn’t been answered yet.”

Still, the FBI could, and in this recent case did, according to the Times, compel Apple to hand over archived iMessages on iCloud. Those communications, which are not encrypted, are still valuable.

Easier still would be using phishing techniques in order to steal a person’s user name and password, said Marcus Carey, the chief technology officer of network attack simulation company vThreat.

“The fact that you can use a user name and password to access iCloud,” which often stores backed-up iMessages, “should be a concern,” said Carey, who says he spent eight years in the U.S. Navy and National Security Agency as a cryptographic technician.

“There might be people that can argue nuance, but the simple thing is that with just user name and password, you can get access.”

In a majority of cases, he said, that would be more than enough.

Sean Sposito is a San Francisco Chronicle staff writer. E-mail: ssposito@sfchronicle.com Twitter: @seansposito

Sean Sposito covers information security and data privacy for The San Francisco Chronicle; previously, he was a data specialist at the Atlanta Journal-Constitution. His byline has appeared in American Banker, the Newark Star-Ledger, the Boston Globe, the Arkansas Democrat-Gazette and The Record of Bergen County, NJ.

He’s also a former data analyst at the National Institute of Computer Assisted Reporting.