[Noisebridge-discuss] The Real Reason The Feds Can't Read Your iMessages
Jake
jake at spaz.org
Thu Apr 4 17:44:40 UTC 2013
they mention TextSecure!
It sounds like they are revealing an authentication flaw in iMessaging:
But just because iMessages aren't immediately available for intercept
doesn’t provide complete protection. "With the right kind of system,"
said Soghoian. "Apple messages could be intercepted." At issue is that
Apple provides no indication to the parties in an iMessage chat that a
new device has been introduced. Soghoian said that if you went to the
Apple store, got a new phone and had your password reset, you could chat
with your friends as if nothing had happened. "That means Apple could do
that for the government, too."
http://securitywatch.pcmag.com/none/310015-the-real-reason-the-feds-can-t-read-your-imessages
The Real Reason The Feds Can't Read Your iMessages
Apr 04, 2013 12:29 PM EST
By Max Eddy
A DEA report obtained by CNet has revealed that law enforcement has been
stumped by communications sent over Apple's encrypted iMessage system. It
turns out that encryption is only half the problem, and it's really
legislation that keeps iMessages invisible to law enforcement.
According to the ACLU's Principal Technologist Christopher Soghoian,
Ph.D., the real issue lies in the Communications Assistance for Law
Enforcement Act or CALEA which was passed in 1994.
Soghoian told SecurityWatch this law, "mandated that industries build in
intercept capabilities to their networks." These industries included phone
and broadband companies, but not companies like Apple. iMessage is also
different from normal text messaging because it both encrypts the message
and sends it peer-to-peer between iPhones, without touching a carrier's
network.
In the two decades since the law passed, the communications landscape has
changed dramatically. Apple wasn't in the communications game in 1994, and
most instant communications were carried out by phone companies.
"Traditionally, the US government has performed the vast majority of
surveillance with the assistance of the phone companies," said Soghoian,
who called phone companies a "trusted partner" of law enforcement.
Encryption Means Exempt
Another critical aspect of CALEA deals with encrypted messaging, mainly
that it is exempt from all wireless surveillance. Soghoian explained that
communications, "encrypted with a key not known to the company […] cannot
be intercepted." So in a situation where the decryption keys are handled
on the device, and not by whomever is delivering the messages, then law
enforcement must ignore the message entirely.
This issue was mentioned in the DEA report, quoted by CNet: "iMessages
between two Apple devices are considered encrypted communication and
cannot be intercepted, regardless of the cell phone service provider."
The service was recently used in a denial of service attack because it has
little or no limits on how many messages can be sent and no means to block
offending messagers.
While Apple may have just been working to build the best product it could,
other companies like TextSecure and Silent Circle have set out to be free
from interception by design. These systems feature end to end encryption
handled, like iMessage, over networks managed by the apps' creators.
Meaning that under CALEA, the messages are completely invisible to law
enforcement in addition to being all but impossible to decrypt.
Acceptable Risk
The way CALEA addresses these issues might seem problematic, and the DEA
complaints certainly highlight the issue. However, Soghoian points out
that making systems easy to monitor does not make them safer. "A service
that is easy for the FBI to monitor is also easy for the Chinese to hack,"
said Soghoian. "When you leave one back door open you leave it open for
everyone."
In a time of major data breaches in popular companies and cyber warm-war
between nations, Washington will likely have to accept not having it both
ways.