Leaked memo: Apple's iMessage crypto has DEA outfoxed

Feds want more back-door access

Analysis An investigation by the Drug Enforcement Administration (DEA) in February was temporarily thwarted when the surveillance targets began using Apple's encrypted iMessage system, according to a document leaked to Cnet.

The intelligence note, entitled "Apple's iMessages: A Challenge For DEA Intercept," reported on an investigation by the DEA's San José branch office and found that it was "impossible to intercept iMessages between two Apple devices" using "traditional trap and trace devices, pen register devices, or wiretapping data collection through Title III interceptions."

Messages between iMessage and non-Apple products are sometimes tappable because they are transmitted via SMS protocols, the memo states, but the most efficient method in such cases is to eavesdrop on the non-Apple end of the communication. The memo warns that records obtained from cooperative network providers may not show iMessage traffic.

"Think Criminal"

So is Apple's latest iPhone going to be the smartphone of choice with those bent on a life of crime? Possibly, but before Apple Stores are flooded with shady types buying multiple handsets with cash, there's a lot left out of this leaked intelligence report – and the canny criminal might want to hold off for a second.

Apple's been rather quiet about iMessage since its launch in 2011 as a point-to-point encrypted communications system outside of carrier control. Based on the company's sole Black Hat briefing on the topic, the iOS system uses a unique identifier burned into the processor for identification, has full AES and SHA support, and uses a hardware encryption engine to save on battery life.

That's a lot of grunt under the hood, but the math has to be there to back it up. Cupertino has been hiring a lot of security talent over the last few years and the company has obviously seen benefits to its setup.

But even if the iMessage encryption is bulletproof, then what? The DEA will simply go to Apple with a court order and ask for its cooperation, and it's highly probable that Apple will give it up. We don't know, because unlike Google, Twitter, and Microsoft, Apple doesn't have a transparency report showing how often it gets – and complies with – these requests.

But this is also the DEA we're dealing with, and while it has some good techies, the best computer talent lies elsewhere in the federal government, and the agents were most likely using tools they were given. El Reg wonders how the spooks at the National Security Agency are handling this iMessage decryption.

Cloud still outside CALEA's clasp

The problem for federal authorities is that iMessage isn't covered by the 1994 Communications Assistance for Law Enforcement Act (CALEA).

CALEA was originally set up to require telecommunications companies to provide law enforcement with the ability to tap into a target's calls with a court order. In 2006 this was extended to cover VoIP and broadband traffic, but it doesn't cover companies such as Apple.

Law enforcement would like to change that, and there's a concerted push on to extend CALEA to include such wiretap facilities in any communications software that is used in the US. Last month FBI general counsel Andrew Weissmann told the American Bar Association he wanted CALEA extended to cover everything down to the chat function on a game of online Scrabble.

"Those communications are being used for criminal conversations," he said.

Weissmann said that the intelligence community is currently drafting proposals for new spying powers to be built into national legislation, and that these would be introduced as "a top priority this year." He declined to give specifics about the laws, but said it was "something that there should be a public debate about."

It's not just Apple in the firing line if this happens. Private startups such as Silent Circle are using similar systems for hardened communications on a subscription basis. The demand is certainly there, not just from nefarious types but also from people who want privacy no matter where they travel.

Those companies may now have to provide a backdoor if legislation does go ahead, and that's going to make their products a lot less appealing if the US government has full access. As for the rest of us, well if you've done nothing wrong then you've nothing to hide – right?

Wrong. ®
