Feeds

Leaked memo: Apple's iMessage crypto has DEA outfoxed

Feds want more back-door access

The Power of One eBook: Top reasons to choose HP BladeSystem

Analysis An investigation by the Drug Enforcement Administration (DEA) in February was temporarily thwarted when the surveillance targets began using Apple's encrypted iMessage system, according to a document leaked to Cnet.

The intelligence note entitled "Apple's iMessages: A Challenge For DEA Intercept," reported on an investigation by the DEA's San José branch office found that it was "impossible to intercept iMessages between two Apple devices" using "traditional trap and trace devices, pen register devices, or wiretapping data collection through Title III interceptions."

Messages between iMessage and non-Apple products are sometimes tappable because they are transmitted via SMS protocols the memo states, but the most efficient method in such cases is to eavesdrop on the non-Apple end of the communication. The memo warns that records obtained from cooperative network providers may not show iMessage traffic.

"Think Criminal"

So is Apple's latest iPhone going to be the smartphone of choice with those bent on a life of crime? Possibly, but before Apple Stores are flooded with shady types buying multiple handsets with cash, there's a lot left out of this leaked intelligence report – and the canny criminal might want to hold off for a second.

Apple's been rather quiet about iMessage since its launch in 2011 as a point-to-point encrypted communications system outside of carrier control. Based on the company's sole Black Hat briefing on the topic, the iOS system uses a unique identifier burned into the processor for identification, has full AES and SHA support, and uses a hardware encryption engine to save on battery life.

That's a lot of grunt under the hood, but the math has to be there to back it up. Cupertino started hiring a lot of security talent for the last few years and the company has obviously seen benefits to its setup.

But even if the iMessage encryption is bulletproof, then what? The DEA will simply go to Apple with a court order and ask for its cooperation, and it's highly probable that Apple will give it up. We don't know, because unlike Google, Twitter, and Microsoft, Apple doesn't have a transparency report showing how often it gets – and complies with – these requests.

But this is also the DEA we're dealing with, and while it has some good techies, the best computer talent lies elsewhere in the federal government, and the agents were most likely using tools they were given. El Reg wonders how the spooks at the National Security Agency are handling this iMessage decryption.

Cloud still outside CALEA's clasp

The problem for federal authorities is that iMessage isn't covered by the 1994 Communications Assistance for Law Enforcement Act (CALEA).

CALEA was originally set up to require telecommunications companies to provide law enforcement with the ability to tap into a target's calls with a court order. In 2006 this was extended to cover VoIP and broadband traffic, but it doesn't cover companies such as Apple.

Law enforcement would like to change that, and there's a concerted push on to extend CALEA to include such wiretap facilities in any communications software that is used in the US. Last month FBI general counsel Andrew Weissmann told the American Bar Association he wanted CALEA extended to cover everything down to the chat function on a game of online Scrabble.

"Those communications are being used for criminal conversations," he said.

Weissmann said that the intelligence community is currently drafting proposals for new spying powers to be built into national legislation, and that these would be introduced as "a top priority this year." He declined to give specifics about the laws, but said it was "something that there should be a public debate about."

It's not just Apple in the firing line if this happens. Private startups such as Silent Circle are using similar systems for hardened communications on a subscription basis. The demand is certainly there, not just from nefarious types but also from people who want privacy no matter where they travel.

Those companies may now have to provide a backdoor if legislation does go ahead, and that's going to make their products a lot less appealing if the US government has full access. As for the rest of us, well if you've done nothing wrong then you've nothing to hide – right?

Wrong. ®

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.