Apple had recently released a statement on customer privacy stating that the company was unable to access or decrypt iMessage and FaceTime conversations. Researchers have refuted the company’s claim at the Hack the Box conference in Kuala Lumpur.
Researchers in a recent study of the iMessage protocol found that Apple has the ability to intercept and decrypt iMessages. Despite the fact that the messages are encrypted end-to-end, Apple handles the keys needed to encrypt and exchange the messages. Security researchers are claiming that it is actually possible for someone inside the company to intercept messages as the company has access to public iMessage keys. However, researchers emphasised that their is no indication whether Apple or the government is actually doing so.
Researchers state, “With a public server, such as MIT’s PGP Public Key Server, the sender can at least see more information, such as whether a key has changed. At that point, the sender can decide whether they want to trust it or not if they suspect a man in the middle attack. Apple’s key server is not public.”
A blog post published by Cyril Cattiaux, an iOS jailbreak hacker states,” Yes, there is end-to-end encryption as Apple claims, but the weakness is in the key infrastructure as it is controlled by Apple: They can change a key anytime they want, thus read the content of our iMessages.”
“The biggest problem here is you just cannot control that the public key you are using when you are ciphering the message is really the key of your recipient and not, for example, the public key of some guy in Apple,” Cattiaux said.
Source: Mashable