Leaked memo: Apple's iMessage crypto has DEA outfoxed

Feds want more back-door access

Analysis: An investigation by the Drug Enforcement Administration (DEA) in February was temporarily thwarted when the surveillance targets began using Apple's encrypted iMessage system, according to a document leaked to Cnet.

The intelligence note, entitled "Apple's iMessages: A Challenge For DEA Intercept," reports that an investigation by the DEA's San José branch office found that it was "impossible to intercept iMessages between two Apple devices" using "traditional trap and trace devices, pen register devices, or wiretapping data collection through Title III interceptions."

Messages between iMessage and non-Apple products are sometimes tappable because they are transmitted via SMS protocols, the memo states, but the most efficient method in such cases is to eavesdrop on the non-Apple end of the communication. The memo warns that records obtained from cooperative network providers may not show iMessage traffic.

"Think Criminal"

So is Apple's latest iPhone going to be the smartphone of choice with those bent on a life of crime? Possibly, but before Apple Stores are flooded with shady types buying multiple handsets with cash, there's a lot left out of this leaked intelligence report – and the canny criminal might want to hold off for a second.

Apple's been rather quiet about iMessage since its launch in 2011 as a point-to-point encrypted communications system outside of carrier control. Based on the company's sole Black Hat briefing on the topic, the iOS system uses a unique identifier burned into the processor for identification, has full AES and SHA support, and uses a hardware encryption engine to save on battery life.

That's a lot of grunt under the hood, but the math has to be there to back it up. Cupertino has been hiring a lot of security talent for the last few years, and the company has obviously seen benefits to its setup.

But even if the iMessage encryption is bulletproof, then what? The DEA will simply go to Apple with a court order and ask for its cooperation, and it's highly probable that Apple will give it up. We don't know, because unlike Google, Twitter, and Microsoft, Apple doesn't have a transparency report showing how often it gets – and complies with – these requests.

But this is also the DEA we're dealing with, and while it has some good techies, the best computer talent lies elsewhere in the federal government, and the agents were most likely using tools they were given. El Reg wonders how the spooks at the National Security Agency are handling this iMessage decryption.

Cloud still outside CALEA's clasp

The problem for federal authorities is that iMessage isn't covered by the 1994 Communications Assistance for Law Enforcement Act (CALEA).

CALEA was originally set up to require telecommunications companies to provide law enforcement with the ability to tap into a target's calls with a court order. In 2006 this was extended to cover VoIP and broadband traffic, but it doesn't cover companies such as Apple.

Law enforcement would like to change that, and there's a concerted push on to extend CALEA to include such wiretap facilities in any communications software that is used in the US. Last month FBI general counsel Andrew Weissmann told the American Bar Association he wanted CALEA extended to cover everything down to the chat function on a game of online Scrabble.

"Those communications are being used for criminal conversations," he said.

Weissmann said that the intelligence community is currently drafting proposals for new spying powers to be built into national legislation, and that these would be introduced as "a top priority this year." He declined to give specifics about the laws, but said it was "something that there should be a public debate about."

It's not just Apple in the firing line if this happens. Private startups such as Silent Circle are using similar systems for hardened communications on a subscription basis. The demand is certainly there, not just from nefarious types but also from people who want privacy no matter where they travel.

Those companies may now have to provide a backdoor if legislation does go ahead, and that's going to make their products a lot less appealing if the US government has full access. As for the rest of us, well if you've done nothing wrong then you've nothing to hide – right?

Wrong. ®
