[Noisebridge-discuss] The Real Reason The Feds Can't Read Your iMessages

Thu Apr 4 17:44:40 UTC 2013

they mention TextSecure!

It sounds like they are revealing an authentication flaw in iMessaging:

  But just because iMessages aren't immediately available for intercept
  doesn’t provide complete protection. "With the right kind of system,"
  said Soghoian. "Apple messages could be intercepted." At issue is that
  Apple provides no indication to the parties in an iMessage chat that a
  new device has been introduced. Soghoian said that if you went to the
  apple store, got a new phone and had your password reset, you could chat
  with your friends as if nothing had happened. "That means apple could do
  that for the government, too."

http://securitywatch.pcmag.com/none/310015-the-real-reason-the-feds-can-t-read-your-imessages

The Real Reason The Feds Can't Read Your iMessages

Apr 04, 2013 12:29 PM EST 2 Comments
By Max Eddy

A DEA report obtained by CNet has revealed that law enforcement has been 
stumped by communications sent over Apple's encrypted iMessage system. It 
turns out that encryption is only half the problem, and it's really 
legislation that keeps iMessages invisible to law enforcement.

According to the ACLU's Principal Technologist Christopher Soghoian, 
Ph.D., the real issue lies in the Communications Assistance for Law 
Enforcement Act or CALEA which was passed in 1994.

Soghoian told SecurityWatch this law, "mandated that industries build in 
intercept capabilities to their networks." These industries included phone 
and broadband companies, but not companies like Apple. iMessage is also 
different from normal text messaging because it both encrypts the message 
and sends it peer-to-peer between iPhones, without touching a carrier's 
network.

  In the two decades since the law passed, the communications landscape has 
changed dramatically. Apple wasn't in the communications game in 1994, and 
most instant communications were carried out by phone companies.

"Traditionally, the US government has performed the vast majority of 
surveillance with the assistance of the phone companies," said Soghoian, 
who called phone companies a "trusted partner" of law enforcement.

Encryption Means Exempt
Another critical aspect of CALEA deals with encrypted messaging, mainly 
that it is exempt from all wireless surveillance. Soghoian explained that 
communications, "encrypted with a key not known to the company […] cannot 
be intercepted." So in a situation where the decryption keys are handled 
on the device, and not by whomever is delivering the messages, then law 
enforcement must ignore the message entirely.

This issue was mentioned in the DEA report, quoted by CNet: "iMessages 
between two Apple devices are considered encrypted communication and 
cannot be intercepted, regardless of the cell phone service provider." H 
The service was recently used in a denial of service attack because it has 
little or no limits on how many messages can be sent and no means to block 
offending messagers.

While Apple may have just been working to build the best product it could, 
other companies like TextSecure and Silent Circle have set out to be free 
from interception by design. These systems feature end to end encryption 
handled, like iMessage, over networks managed by the apps' creators. 
Meaning that under CAELA, the messages are completely invisible to law 
enforcement in addition to being all but impossible to decrypt.

Acceptable Risk
The way CAELA addresses these issues might seem problematic, and the DEA 
complaints certainly highlight the issue. However, Soghoian points out 
that making systems easy to monitor does not make them safer. "A service 
that is easy for the FBI to monitor is also easy for the Chinese to hack," 
said Soghoian. "When you leave one back door open you leave it open for 
everyone."

In a time of major data breaches in popular companies and cyber warm-war 
between nations, Washington will likely have to accept not having it both 
ways.