Saturday, October 19, 2013

Beware: Yes, Apple and the NSA Can Read Your iMessages

Security experts have long suspected that iMessage is not as safe and impenetrable as Apple claims. But a group of researchers says it has proof that Apple can indeed eavesdrop on your iMessages — and the NSA can, too.
The researchers, through a careful and thorough study of the iMessage protocol, conclude that Apple has the ability to intercept and decrypt iMessages. Even though the messages are encrypted end-to-end, Apple manages the keys needed to encrypt and exchange the messages, the researchers found.
"Yes, there is end-to-end encryption as Apple claims, but the weakness is in the key infrastructure as it is controlled by Apple: They can change a key anytime they want, thus read the content of our iMessages," reads a blog post published on Thursday by Cyril Cattiaux, an iOS jailbreak hacker known as "pod2g," and "gg" (who doesn't want to reveal his full name), two security researchers who exclusively shared the post in advance with Mashable.
UPDATE — Oct. 18, 10:33 a.m.: Apple says the issue uncovered by the security researchers is just theoretical, and that the iMessage system is not designed to allow Apple to eavesdrop on its users' communications.
"iMessage is not architected to allow Apple to read messages," says Trudy Muller, an Apple spokesperson. "The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so."
The researchers discovered that when an Apple device sends an iMessage to another device, instead of exchanging the encryption keys directly — as other encryption apps do — the keys are managed by a directory called "ESS server."
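Because the sender encrypts to whatever key the directory returns, a key changed at the directory goes unnoticed unless the client remembers what it saw before. The following Python example is added here for illustration (it is not code from the article, the researchers or Apple, and it does not reproduce the iMessage protocol): a sender pins the first key fingerprint it sees per contact and refuses a later, different key. The class names, the contact address and the key bytes are constructed for the example.

```python
import hashlib


class KeyChangedError(Exception):
    """Raised when the directory returns a key that differs from the pinned one."""


def fingerprint(public_key: bytes) -> str:
    # SHA-256 of the key bytes, as a comparable identifier for a public key.
    return hashlib.sha256(public_key).hexdigest()


class PinningSender:
    """Sender that fetches recipient keys from a directory it does not control,
    but records the first fingerprint seen per contact (trust on first use)."""

    def __init__(self, directory):
        self.directory = directory  # hypothetical directory: contact -> key bytes
        self.pins = {}              # local store: contact -> pinned fingerprint

    def key_for(self, contact: str) -> bytes:
        key = self.directory[contact]
        seen = fingerprint(key)
        pinned = self.pins.setdefault(contact, seen)  # pin on first lookup
        if pinned != seen:
            # A legitimate new device also lands here, so the user has to
            # confirm the new fingerprint out of band before re-pinning.
            raise KeyChangedError(f"{contact}: pinned {pinned[:16]}, got {seen[:16]}")
        return key


def run_demo() -> str:
    contact = "bob@example.com"                       # constructed contact
    directory = {contact: b"CONSTRUCTED-KEY-BOB"}     # constructed key bytes
    sender = PinningSender(directory)
    sender.key_for(contact)                           # first lookup pins the key
    directory[contact] = b"CONSTRUCTED-KEY-SWAPPED"   # directory operator changes it
    try:
        sender.key_for(contact)
        return "accepted"
    except KeyChangedError:
        return "blocked"


if __name__ == "__main__":
    print(run_demo())
```

Pinning only detects a change after the first lookup; if the directory hands out a substituted key on first contact, the fingerprint still has to be compared with the recipient through another channel.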