Feeds

Leaked memo: Apple's iMessage crypto has DEA outfoxed

Feds want more back-door access

Using blade systems to cut costs and sharpen efficiencies

Analysis An investigation by the Drug Enforcement Administration (DEA) in February was temporarily thwarted when the surveillance targets began using Apple's encrypted iMessage system, according to a document leaked to Cnet.

The intelligence note entitled "Apple's iMessages: A Challenge For DEA Intercept," reported on an investigation by the DEA's San José branch office found that it was "impossible to intercept iMessages between two Apple devices" using "traditional trap and trace devices, pen register devices, or wiretapping data collection through Title III interceptions."

Messages between iMessage and non-Apple products are sometimes tappable because they are transmitted via SMS protocols the memo states, but the most efficient method in such cases is to eavesdrop on the non-Apple end of the communication. The memo warns that records obtained from cooperative network providers may not show iMessage traffic.

"Think Criminal"

So is Apple's latest iPhone going to be the smartphone of choice with those bent on a life of crime? Possibly, but before Apple Stores are flooded with shady types buying multiple handsets with cash, there's a lot left out of this leaked intelligence report – and the canny criminal might want to hold off for a second.

Apple's been rather quiet about iMessage since its launch in 2011 as a point-to-point encrypted communications system outside of carrier control. Based on the company's sole Black Hat briefing on the topic, the iOS system uses a unique identifier burned into the processor for identification, has full AES and SHA support, and uses a hardware encryption engine to save on battery life.

That's a lot of grunt under the hood, but the math has to be there to back it up. Cupertino started hiring a lot of security talent for the last few years and the company has obviously seen benefits to its setup.

But even if the iMessage encryption is bulletproof, then what? The DEA will simply go to Apple with a court order and ask for its cooperation, and it's highly probable that Apple will give it up. We don't know, because unlike Google, Twitter, and Microsoft, Apple doesn't have a transparency report showing how often it gets – and complies with – these requests.

But this is also the DEA we're dealing with, and while it has some good techies, the best computer talent lies elsewhere in the federal government, and the agents were most likely using tools they were given. El Reg wonders how the spooks at the National Security Agency are handling this iMessage decryption.

Cloud still outside CALEA's clasp

The problem for federal authorities is that iMessage isn't covered by the 1994 Communications Assistance for Law Enforcement Act (CALEA).

CALEA was originally set up to require telecommunications companies to provide law enforcement with the ability to tap into a target's calls with a court order. In 2006 this was extended to cover VoIP and broadband traffic, but it doesn't cover companies such as Apple.

Law enforcement would like to change that, and there's a concerted push on to extend CALEA to include such wiretap facilities in any communications software that is used in the US. Last month FBI general counsel Andrew Weissmann told the American Bar Association he wanted CALEA extended to cover everything down to the chat function on a game of online Scrabble.

"Those communications are being used for criminal conversations," he said.

Weissmann said that the intelligence community is currently drafting proposals for new spying powers to be built into national legislation, and that these would be introduced as "a top priority this year." He declined to give specifics about the laws, but said it was "something that there should be a public debate about."

It's not just Apple in the firing line if this happens. Private startups such as Silent Circle are using similar systems for hardened communications on a subscription basis. The demand is certainly there, not just from nefarious types but also from people who want privacy no matter where they travel.

Those companies may now have to provide a backdoor if legislation does go ahead, and that's going to make their products a lot less appealing if the US government has full access. As for the rest of us, well if you've done nothing wrong then you've nothing to hide – right?

Wrong. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.