KUALA LUMPUR, Malaysia - Hackers this week showed attendees at a security conference findings and demonstrations that directly contradict Apple's public statement that it does not read iMessages.
Although the messages are end-to-end encrypted, as Apple says, researchers from QuarksLab told a roomful of attendees at Hack in The Box Kuala Lumpur that, because of the lack of certificate pinning, "Apple can technically read your iMessages whenever they want".
More worrisome, in the presentation "How Apple can read your iMessages and how you can avoid it," the researchers also showed that iMessages can be intercepted and changed on the fly via a man-in-the-middle (MiTM) attack.
Intercepting the messages allows a third-party attacker to seamlessly change a sent message before it arrives and to impersonate the sender, with the iMessage recipient none the wiser.
The researchers followed through on their claims on Thursday in a 90-minute presentation that included a detailed, step-by-step slideshow, descriptions and two demonstrations.
The second demonstration ran into conference network problems. But after the talk, ZDNet was given a one-off video demonstration when the network was in full operation.
Security researchers "Pod2G" (Cyril Cattiaux) and "GG", from France, allowed the hack to be filmed while they intercepted, read and changed the content of iMessages between two iPhones.
However, in a statement to AllThingsD, Apple spokeswoman Trudy Muller said: "iMessage is not designed to allow Apple to read messages. Research discussed theoretical vulnerabilities that would require Apple to reorganize the iMessage system to exploit it, and Apple has no plans or intentions to do so."
However "theoretical" it may be, QuarksLab's demonstration shows that iMessage can be exploited or manipulated.
ZDNet has reached out to Apple for additional comment and will update this article if we hear back.
On June 6, Apple - among others, including Facebook, Google, Microsoft and Yahoo - was linked to the mass surveillance programs carried out by the United States National Security Agency (NSA) and the now-infamous PRISM program. The seven large technology companies named were alleged to be involved in some way in legally and ethically dubious surveillance programs administered by the United States government.
Apple responded publicly, saying in a statement on its website that iMessages "are protected by end-to-end encryption so that no one but the sender and the receiver can see or read them."
The statement added: "Apple cannot decrypt such data".
The implication from the Cupertino, California-based technology giant was that third parties, such as the NSA, could not intercept messages with its willing cooperation because, according to Apple, the system made interception impossible.
"Apple's claim that it can't read end-to-end encrypted iMessage[s] is definitely not true", read the white paper from QuarksLab. "As everyone suspected: Yes you can!"
The hackers told ZDNet that every iMessage-compatible Apple product is affected.
"Basically, almost all current Apple products: iMac, Mac Pro, MacBook Pro, MacBook Pro Retina, iPhone, iPod Touch, iPad. We will be releasing a tweak for jailbroken iOS devices and an application for OS X only after the presentation."
Before their presentation yesterday at Hack In The Box, QuarksLab had hinted to the media that they had discovered weaknesses, stressing that their results showed that Apple could actually read users' messages if it wanted to.
Pod2G and GG said that hacking iMessage to impersonate users, intercept messages and read private message content was in fact possible.
But they stressed on several occasions that this was only possible if the third party is a skilled attacker, citing Apple and the NSA as examples of attackers with the required skill level.
The researchers explained that breaking iMessage encryption (AES, RSA and ECDSA algorithms) in the manner shown would require the attacker to take physical control of the device - once.
The attacker would then install fraudulent certificates on it and run spoofed servers that mimic Apple's servers. The essence of the flaw, as described by QuarksLab, lies in the protocol's lack of certificate pinning.
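The difference between trust-store validation and certificate pinning, as an added example that is not from QuarksLab's talk, paper or tool and does not model iMessage itself: a generic client that accepts any certificate chaining to its trust store, beside one that also compares the public key with a pin. It assumes the `openssl` command-line tool is installed; the names `vendor-root`, `added-root` and `service.example` are made up, and all keys and certificates are generated locally.

```bash
#!/usr/bin/env bash
# Constructed demo: every key, certificate and name here is generated locally.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT

# make_ca NAME: self-signed root CA (key and certificate) in $W
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
}
# make_leaf NAME CA: certificate for service.example issued by CA
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=service.example" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
  openssl x509 -req -in "$W/$1.csr" -CA "$W/$2.pem" -CAkey "$W/$2.key" \
    -CAcreateserial -days 1 -out "$W/$1.pem" 2>/dev/null
}
# spki_pin CERT: base64 SHA-256 digest of the certificate's public key (SPKI)
spki_pin() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary | openssl base64
}
# chain_ok CERT: accept anything that chains to a root in the trust store
chain_ok() { openssl verify -CAfile "$W/store.pem" "$1" >/dev/null 2>&1; }
# pinned_ok CERT: chain check plus comparison with the pin shipped in the client
pinned_ok() { chain_ok "$1" && [ "$(spki_pin "$1")" = "$PIN" ]; }
verdict() { if "$@"; then echo accept; else echo reject; fi; }

make_ca vendor-root                      # root the client is meant to trust
make_ca added-root                       # root added to the device later
make_leaf genuine vendor-root            # the real service certificate
make_leaf lookalike added-root           # same name, different key and issuer
cat "$W/vendor-root.pem" "$W/added-root.pem" > "$W/store.pem"
PIN=$(spki_pin "$W/genuine.pem")         # pin recorded at build time

echo "trust store only: genuine=$(verdict chain_ok "$W/genuine.pem")" \
     "lookalike=$(verdict chain_ok "$W/lookalike.pem")"
echo "with pinning:     genuine=$(verdict pinned_ok "$W/genuine.pem")" \
     "lookalike=$(verdict pinned_ok "$W/lookalike.pem")"
```

The trust-store-only check accepts both certificates, while the pinned check accepts only the genuine one.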
Although performing this man-in-the-middle attack is hard work and can only be done in limited circumstances, QuarksLab told the security attendees that if they needed a secure messaging system, they should choose a different one. Especially, they warned in a joking tone, if the messages contain discussion of Apple-related zero days or exploits.
The hackers concluded their bombshell talk - to a full, standing-room-only crowd - by sharing a tool they created that gives iMessage users on iPhones the ability to essentially patch the flaw themselves and make their messages truly private and secure.
Their tool, "iMTM Protect" (available for download on GitHub), is a useful, commendable approach to empowering users to protect themselves from a serious privacy issue that poses many unanswered questions at this time.
It is also a refreshing outcome for the disclosure of a security flaw in a product from a company known for staying silent about its product security problems - and that tends to tell users it will fix security holes "sometime" in the next update cycle.
The tool is ready for skilled computer users, although unfortunately it is likely beyond the technical skill level of the average Apple iMessage user - and at this time it works only on iPhones.
But it is a step in an interesting direction.
As QuarksLab summed up in "How Apple can read your iMessages", iMessage users may not be at risk from this issue at the hands of an average malicious attacker.
Needless to say, what QuarksLab revealed yesterday remains a serious problem for all iMessage users concerned about well-resourced threats such as nation-states. And now, the situation casts a shadow over Apple's earlier claims.