One of the major highlights of the recently held Hack in the Box conference was QuarksLab presenting a white paper on how a ‘man in the middle’ intrusion can be used to decrypt messages. It was further highlighted that Apple had the capacity to initiate man in the middle attack due to its control of the ESS servers. Furthermore, it is common knowledge that iMessages are routed to Apple PUSH server.
According to QuarksLab, Apple can do this by first sending a fake RSA/ECDSA key to the sender. Then Apple can alter the payload of the message before it reaches its final destination. The conclusion was that since Apple can change a key whenever they want, it is possible to read the content of iMessages at will.
The news gained further traction when an independent security researches acknowledged the claim to be authentic.
Now, what does Apple have to say?
Trudy Muller, spokesperson for Apple has addressed the concern and highlighted that iMessages has not been coded in a manner to allow privacy overrides. According to him, the research from QuarkLabs is theoretical and has no basis in reality.
In order to execute such an attack as mentioned earlier, Apple would have to reengineer its iMessage system. Apple has no intentions or need for doing so.
Apple’s answer to the security concerns has been met with some skepticism. Some compare its case with that of Skype and Lavabit. Both of them were forced to add intrusion capacities in their system. So it is hard to imagine if Apple was not contacted by the government to do the same. QuarksLab believes that even if Apple doesn’t have the capability to do so, analysts at agencies such as NSA surely do.