In June, Apple said that communication over iMessage is protected by "end-to-end encryption," and so secure that even the company itself "cannot decrypt that data." But on Thursday, security researchers disputed that claim.
At the Hack in the Box conference in Kuala Lumpur, Quarkslab -- a Paris-based security firm -- presented findings showing that Apple itself could in fact decrypt messages, whether in response to a government request or on an employee's own initiative, according to multiple reports.
"Apple's claim that they can't read end-to-end encrypted iMessage[s] is definitely not true," Quarkslab wrote in a white paper about their findings. "As everyone suspected: Yes they can!"
Apple made those comments following information leaks by National Security Agency contractor Edward Snowden, who this summer detailed classified information about the agency's practices.
Apple did not respond to a request for comment.
To be clear, the researchers did not say there is any indication Apple or the government is reading anyone's messages, only that it would in fact be possible -- despite claims to the contrary.
The good news, Ars Technica notes, is that an outside eavesdropper would find the attack very hard to pull off: it requires, among other things, physical control of the device and the installation of a fake certificate or other malicious software on it. The more realistic threat is therefore an Apple employee carrying out the attack under a court order, since Apple controls the entire key infrastructure and would not need to tamper with the device at all.
"The weakness is in the key infrastructure as it is controlled by Apple," Quarkslab's white paper concludes. "They can change a key anytime they want, thus read the content of our iMessages."
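The weakness the white paper describes, as an added illustration that is not Quarkslab's code and does not reproduce Apple's actual protocol: users fetch each other's public keys from a directory the operator controls, so the operator can answer a lookup with its own key, open the message, re-encrypt it for the real recipient, and neither side sees an error. The `KeyDirectory` class, the user names and the sample message are constructed for this example; the Diffie-Hellman group and the SHA-256 keystream cipher are deliberately toy stand-ins for a device's real keypair and cipher; and `send_pinned` shows the out-of-band fingerprint check that would make such a swap visible, added here as a general mitigation rather than as a statement about what iMessage does.

```python
"""Toy model of key substitution by a key-directory operator.
Illustrative only: tiny insecure DH group, SHA-256 keystream cipher with an
HMAC tag, and a stand-in directory, not Apple's real key server."""
import hashlib
import hmac
import secrets

# 2**127 - 1 is prime, but the group is far too small (and smooth) to be
# secure; it only stands in for a device's real keypair.
P = 2**127 - 1
G = 5
KEY_BYTES = 16  # every group element is below P and fits in 16 bytes


def keygen():
    """Return (private, public) for a toy DH identity key."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def fingerprint(pub):
    """Short hash of a public key: what users could compare out of band."""
    return hashlib.sha256(pub.to_bytes(KEY_BYTES, "big")).hexdigest()[:16]


def _session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(KEY_BYTES, "big")).digest()


def _keystream(key, nonce, length):
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]


def encrypt(priv, peer_pub, plaintext):
    """Encrypt-then-MAC to whatever public key the caller was handed."""
    key = _session_key(priv, peer_pub)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(priv, peer_pub, blob):
    key = _session_key(priv, peer_pub)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KeyDirectory:
    """Hypothetical server users query for each other's public keys. Whoever
    operates it can answer with any key they like; `overrides` models that."""

    def __init__(self):
        self.keys = {}
        self.overrides = {}

    def register(self, user, pub):
        self.keys[user] = pub

    def lookup(self, user):
        return self.overrides.get(user, self.keys[user])


def run_substitution():
    """Honest Alice and Bob, dishonest operator. Returns what the operator
    read and what Bob read; both are the plaintext and nobody sees an error."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    op_priv, op_pub = keygen()
    directory = KeyDirectory()
    directory.register("alice", a_pub)
    directory.register("bob", b_pub)
    # The operator answers BOTH lookups with its own key.
    directory.overrides["bob"] = op_pub
    directory.overrides["alice"] = op_pub

    msg = b"constructed sample message"
    blob = encrypt(a_priv, directory.lookup("bob"), msg)      # Alice -> "Bob"
    operator_read = decrypt(op_priv, a_pub, blob)             # operator opens it
    relayed = encrypt(op_priv, b_pub, operator_read)          # and re-encrypts
    bob_read = decrypt(b_priv, directory.lookup("alice"), relayed)  # Bob <- "Alice"
    return operator_read, bob_read


def send_pinned(priv, directory, peer, pinned_fp, plaintext):
    """Refuse to encrypt if the directory's key differs from the fingerprint
    the user verified out of band; this is what makes a swap visible."""
    pub = directory.lookup(peer)
    if fingerprint(pub) != pinned_fp:
        raise ValueError(f"key for {peer} changed; refusing to send")
    return encrypt(priv, pub, plaintext)


def run_pinned():
    """Same substitution, but Alice pinned Bob's fingerprint earlier.
    Returns True if the swap was detected."""
    a_priv, _ = keygen()
    _, b_pub = keygen()
    _, op_pub = keygen()
    directory = KeyDirectory()
    directory.register("bob", b_pub)
    pinned = fingerprint(b_pub)  # compared in person or over another channel
    directory.overrides["bob"] = op_pub
    try:
        send_pinned(a_priv, directory, "bob", pinned, b"constructed sample message")
    except ValueError:
        return True
    return False
```

`run_substitution()` returns the same plaintext twice, once from the operator and once from Bob, while `run_pinned()` returns True because the pinned fingerprint no longer matches the directory's answer. Note that the substitution has to be applied to both lookups, which is exactly the position a directory operator is in and an outside eavesdropper, without access to the device, is not.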