If the government laid a subpoena to get iMessages, we can’t provide it. It’s encrypted and we don’t have a key.
It's encrypted and they don't have the key, but since the user does not have any control over the public keys being added, they could add a trusted public key and get it anyway. So they can actually provide messages if they really wanted to.
I don't believe they really want to. But the thing we should've learnt from last year's revelations is (1) that companies can be forced to do so anyway via secret courts; and (2) the NSA is willing to make a 'technical solution' otherwise.
So, Tim Cook is not being completely honest here. Apart from what hardware can do, the only way to trust such an application is if you had the source code, the source code of the operating system and the source code to firmware blobs, and some way to prove that everything was compiled from public source code without modifications. Since that is not going to happen, iMessage should be considered as secure as unencrypted e-mail when it comes to governments. Of course, it does provide more protection than e-mail against less equipped actors.
They can't create trusted public keys after the fact, they'd have to already have them. So there's no half truth. Either they currently create and store such public keys or they don't. Tim Cooke is saying they don't. That statement can't be half true. It's either true or false.
tl;dr: Apple can send you a public key of Bob's new device. Apple can pretend to send you a public key of Bob's new device. And since it's proprietary software, they can trigger a resend of your recent messages to Bob.
Moreover, if you use iCloud backups, they have the keys to your kingdom, since it fails the 'mud puddle test':
So this ends up being as "simple" as answering the question: Do you trust Apple? Given they control the operating system and all around it, having the directory server controlled by someone else (or distributed) doesn't solve the problem as they have access to anything they want in your device, meaning they don't need any keys to begin with.
I wouldn't trust any company that blatantly dodges the question of security with a half truth. It's clear he's playing word games for PR points.
You can reset your password and redownload all of your messages to a new device if you use iCloud backup. Cook is full of shit when he says that Apple doesn't have the capability. They own the system.
Even a dedicated civilian could reset your password, associate a device with your account and receive all messages going forward. To state that Apple cannot is such a laughable claim that it becomes clear that it's just a PR game. Which calls into question how sincere he is in his feelings about privacy.
For the record, you cannot redownload old messages in iMessage; if you use iCloud Backup, a civilian could fetch messages from there, but if not, they're out of luck.
Fair enough, I was mistaken. Security is hard, but no one should get a pass playing games like this when it comes to security.
A civilian could still associate another key (device) to the account if they're dedicated with the password or a password reset (not as stealthy) assuming 2FA is disabled. And Apple could surely do it stealthily since they own the system.
They have the capability, and it's too kind to his statement by calling it a half-truth in that respect because it's really a lie when he says "[Apple doesn't] have the capability."
>And since it's proprietary software, they can trigger a resend of your recent messages to Bob.
Apple control iOS so they could just release an update that disables crypto and leaks all the messages - your point is irrelevant since they can't trigger a resend without an update to iOS.
They can't create them for old messages, but they could theoretically add them for messages going forward. So it could work like an old-fashioned wiretap, where you get the subpoena, install a bug and start listening -- but can't go back in time and listen.
How? iMessage encrypts and sends a copy of every message to every device registered to a recipient (iPads, iPhones, Macs, etc.), each of which has distinct public keys. It's actually a pretty ingenious aspect of iMessage, that it can support multiple devices without any private key exchange.
But..... those recipient public keys are provided by Apple. So in theory Apple could add itself or law enforcement as another "device" -- let's call it "fbiPad" -- completely bypassing all that security.
However the "good" news is whether Apple is actually doing that in a given instance could theoretically be detectable by analyzing network traffic, since it would result in an additional copy being sent. Even though it's encrypted you could probably tell by the amount of data.
True. But they can replace any program on any iPhone with an NSA/Justice system version, and give the replacement access to any keys stored on the iPhone.
There can never be any security on a closed system where a central party has all the control. That means apple's system is a lost cause for user security.
Apple can silently slipstream applications onto a users iPhone ? That would means dozens of employees would be involved in a conspiracy with the US government. And over all the years none of them has leaked anything ? Sounds far fetched.
Also better not use a phone. Because Android and Windows Phone would have the same problem.
Of course Apple can "silently slipstream applications onto a user's iPhone". Whether they'd risk getting caught doing it (even for non-all-powerful law enforcement agencies) without a court order or for anything less indefensable than a kiddie porn investigation is less clear. (And whether the NSA would even need Apples help to do it themselves is questionable - I suspect whoever owns the baseband has as much access as you'd even need, so now you're relying on AT&T/Comcast/Verizon/TMobile to put protecting your privacy above keeping the corporation on-side with powerful government agencies...)
Apple can remotely delete apps on iPhones. They've used it to delete apps that were removed from the app store. Apple can force your phone to download the latest U2 album. Upgrading your apps silently is probably not outside their control if they wanted to.
My phone certain did not automatically download Songs of Innocence. For those users whose phones DID automatically download it, they must have enabled the "automatically add purchased content to this phone" feature.
According to my research, Apple has NEVER used the "kill switch", unlike Google: 'Google also possesses a remote "kill switch" for Android apps, but unlike Apple, it has made use of the feature before. In 2010 the Android security team deleted two apps created by a security researcher after they "misrepresented their purpose in order to encourage user downloads." Its kill switch is referred to by the company as the "Remote Application Removal Feature.' [1]
The point is they have the capability and because of your government's secret court system the general public very well may never find out whether or not the capability has been taken advantage of.
I can guarantee you that the "automatically add purchased content to this phone" check box does absolutely nothing to protect your phone from downloading and integrating data from Apple silently if they should choose to target you. And you would likely never know if they choose to target you.
iPhones by default are set to automatically download purchased content from the iTunes Store. It's a feature so purchases made on one device automatically appear on others. All Apple did was "buy" the U2 for everyone. Nothing magical about it.
To bring that up in the context of iMessage security shows either ignorance or stupidity.
And remote deleting is quite a bit different to silently upgrading apps for the purpose of spying.
Even if a new public key is added to the keybag, the NSA wouldn't get old messages, only messages from that point forward.
Still troublesome, and I wish there was some way to see what keys are being used and cross verify them with the remote user, so that if a new key is added you would be notified.
But there is no way for Apple to retrieve old messages and send them to the NSA.
Euhm, no, it would have access to any message you can see from the phone, old or new. Plus I don't think there's a per-message key at all. So they could have logged the messages, then install a patched iMessage on your phone to send them the key.
That is assuming Apple's claim is true at all, and they need this in the first place.
If the government laid a subpoena to get iMessages, we can’t provide it. It’s encrypted and we don’t have a key.
It's encrypted and they don't have the key, but since the user does not have any control over the public keys being added, they could add a trusted public key and get it anyway. So they can actually provide messages if they really wanted to.
I don't believe they really want to. But the thing we should've learnt from last year's revelations is (1) that companies can be forced to do so anyway via secret courts; and (2) the NSA is willing to make a 'technical solution' otherwise.
So, Tim Cook is not being completely honest here. Apart from what hardware can do, the only way to trust such an application is if you had the source code, the source code of the operating system and the source code to firmware blobs, and some way to prove that everything was compiled from public source code without modifications. Since that is not going to happen, iMessage should be considered as secure as unencrypted e-mail when it comes to governments. Of course, it does provide more protection than e-mail against less equipped actors.