Summary: Apple's iMessage is believed to be among the most secure, surveillance-proof messaging tools. But hackers have exposed a flaw that allows malicious interception, impersonation, and the viewing of private messages.
(Image: Violet Blue/ZDNet)KUALA LUMPUR, MALAYSIA — Hackers this week showed security conference attendees findings and demonstrations directly contradicting Apple's public claim that it can't read iMessages.
Even though the messages are encrypted end-to-end as Apple claims, according to QuarksLab researchers showed a packed room at Hack In The Box Kuala Lumpur, due to the lack of certificate pinning, "Apple can technically read your iMessages whenever they want."
More worryingly, in the presentation "How Apple Can Read Your iMessages and How You Can Prevent It," the researchers also showed that iMessages can be intercepted and instantly changed via a man-in-the-middle (MiTM) attack.
The message interception allows a third-party attacker to seamlessly change the sent message before it arrives — and with the sender impersonated, the iMessage recipient is none the wiser.
(Image: QuarksLab)The researchers followed through with their claims on Thursday in a 90-minute presentation, including detailed, step-by-step slides and descriptions, and two demonstrations.
The second demonstration was unsuccessful due to conference network issues. But after the talk, ZDNet was given an exclusive demo on video when the network was back at full operation.
French security researchers "
Even though the messages are encrypted end-to-end as Apple claims, according to QuarksLab researchers showed a packed room at Hack In The Box Kuala Lumpur, due to the lack of certificate pinning, "Apple can technically read your iMessages whenever they want."
More worryingly, in the presentation "How Apple Can Read Your iMessages and How You Can Prevent It," the researchers also showed that iMessages can be intercepted and instantly changed via a man-in-the-middle (MiTM) attack.
The message interception allows a third-party attacker to seamlessly change the sent message before it arrives — and with the sender impersonated, the iMessage recipient is none the wiser.
The second demonstration was unsuccessful due to conference network issues. But after the talk, ZDNet was given an exclusive demo on video when the network was back at full operation.
French security researchers "