In Apple We Trust, Blindly - InformationWeek

Commentary
9/25/2012
10:33 PM
Larry Seltzer

In Apple We Trust, Blindly

How secure are Apple products like iMessage and FaceTime? We have no idea. The protocols in those products have never been documented or scrutinized by outside experts.

In August there was a security story in the news about a vulnerability in the Apple iOS iMessage handling of SMS text messages. The vulnerability itself was not trivial, but there was more to the problem than just the vulnerability: It raised the issue of the opacity of Apple's protocol security.

If you use iMessage for a while on an iPhone, you notice that it mixes actual SMS text messages and purely IP-based iMessage instant messages in the same message window. The vulnerability allowed the sender of an SMS text message to an iMessage user to spoof the name of the source. This might seem relatively minor, but it could be a major element of a larger, more sophisticated social engineering attack.

Apple actually recommended that users use iMessage instant messages instead of SMS as a workaround, as if that's a solution for people who don't have iOS devices. But why should we trust iMessage? Just because Apple asserts that iMessage is a secure protocol? We can't trust that unless the protocol is documented and challenged.

This approach is old news for Apple. In his keynote at the 2010 WWDC, Steve Jobs introduced FaceTime (that segment begins at 1:29:22). At 1:36:44, he talks about the standards used in FaceTime and declares, "We're going to take it all the way. We're going to the standards bodies starting tomorrow, and we're going to make FaceTime an open industry standard." Apple never followed through on this, nor has it been seriously challenged on it.

FaceTime is an infamously closed system, unavailable to other networks for interconnection. To open it up, Apple would have to document at least some interfaces or conform to standards. That's not the Apple way.

Cryptographer Matthew Green expressed these concerns well in a blog post around the time of the iMessage vulnerability disclosure. The gist of his post is that iMessage is really important. Lots of people use it and rely on it and assume it's secure. But we don't know and we can't know. The same goes for FaceTime.

The Apple Way, sad to say, seems to be to resist openness. One day this will likely blow up and users will suffer more than Apple.
