from slate.com: Apple says
that when people communicate using its iMessage service, their chats
are secured using strong encryption. But security researchers are
questioning the company’s claims after uncovering what they say is a
flaw that enables the messages to be spied on.

Back in April, Apple’s iMessage service attracted attention
after a document showed that the Drug Enforcement Agency (DEA) was
complaining internally about not being able to snoop on communications
sent using the service. Apple has consistently said that the messages
are exchanged using “secure end-to-end encryption,” meaning it can’t
hand them over to authorities. Even after the technology giant was
linked to the National Security Agency ‘s PRISM surveillance program in June, it put out a statement
reiterating that iMessage conversations “are protected by end-to-end
encryption so no one but the sender and receiver can see or read them.
Apple cannot decrypt that data.”

However, it seems that the service is not as secure as Apple would
like to have you believe. Two researchers at the security firm Quarkslab
claim that they have been studying the protocol used by iMessage, and
that “Apple can technically read your iMessages whenever they want.” The
researchers, who are due to present their findings at the HITB Security Conference in Asia
in October, have apparently found a way to circumvent the encryption
using a so-called “man-in-the-middle” attack, which usually involves a
hacker covertly bypassing the encryption by using a fake security
certificate.

That this may be possible with iMessage is not evidence that Apple has
been covertly reading people’s messages, but it does mean that the
company’s encryption is vulnerable to being exploited by a sophisticated
hacker group or spy agency. One of the Quarkslab researchers told Techcrunch
that “the iMessage protocol is strong,” though added that “Apple or a
powerful institution (NSA is randomly chosen as an example) could tamper
with it.” The researchers say that they are planning to release a tool
that will shield against potential iMessage snooping attacks, and hope
to work with Apple to strengthen the security of the service. Apple had
not responded to a request for comment at time of publication.