Know your equipment

You own a lot of equipment. From your stove to your iPhone, your TV to your Mac and some of them connect to the internet in one way or another. Knowing how your equipment works is not just knowing which button to push to get something done, it means knowing everything it can do. I’m not saying you have to become an expert on every piece of tech you own but to at least be aware of possible security risks it’s use or features may present. Why should you care? In a very interesting post i read by Matthew Green which talks about iMessage and the fact noone knows how it secures your messages under the hood, he sums it up really nice “I rely on these devices and want to know how secure they are.”
Most people trust almost every aspect of their life to electronic equipment but know almost nothing about it. “If it breaks i’ll just call support”, “It wouldn’t be sold if it wasn’t safe” and my personal favorite (sarcasm) “That’s why we have you!”. While i can give a ton of examples (and my mind often wanders, so i just might), let’s stick with the iMessage example.

iMessage is popular, véry popular, moving a few billion messages a day. Apple states that iMessage uses end-to-end encryption that even they can’t read, only the sender and receiver. Mr. Green raises an interesting point “encrypted to whom?”. Does the encrypted iMessage you send just end up on Apple’s server, which looks up where to find the receiver, and then pass it along on the receiver’s phone which then decrypts it and displays the message? It’s possible. Or does the encrypted iMessage you send get decrypted by Apple’s server, then encrypted again and forwarded to the receiver? As Mr. Green mentions, to allow encrypted communication between two parties, you each need eachother’s keys to be able to decrypt the message. I don’t recall ever handing out a key to my wife, yet she is able to read every iMessage i send to her on her iPhone, iPad and iMac.

If Apple’s server holds all the keys (and we have Apple’s key programmed into our phone straight out of the factory), then they are perfectly able to decrypt my message, lookup the encryption key associated with my wife’s phone number, encrypt it again and send it on it’s way. My wife’s phone will be able to decrypt and show the message, because her iPhone also knows Apple’s decryption key. It’s just a theory but in my mind, a viable one. But why would Apple decrypt it?

A while ago i read reports about iMessage leaving out words from sentences that had the word ‘Obama’ in it (or the word ‘Obama’ itself). Let’s say a government program like PRISM (or PRISM itself) keeps an eye out for certain key words, like ‘Obama’. The word gets flagged, the context analyzed. If Apple’s servers do indeed decrypt and re-encrypt iMessages on the fly, that split second the message exists in plain text is enough for PRISM to read it, flag it and analyze it before it is sent along to the receiver. Maybe it was a test phase with iMessage integration server side that experienced a hiccup? According to the NSA slides, Apple joined PRISM in October 2012, the first report as far as i know of this issue was December 2012. I’m sure some kind of testing had to be done. Again, just a theory.

So, are those few billion iMessages sent and received every day really secure? Can Apple not read them but someone else can? I don’t know and the problem is, noone knows. This is why Mr. Green wrote about it a year ago and again yesterday. I would love to know how iMessage encrypts my data, i’d love to know how my privacy is being protected (or violated), don’t you?

As my family and friends can attest, i always say ‘if you own it, know it’. Again, you don’t have to become an expert on your stove, microwave, Mac or iPhone but at least look into it to see if one of it’s features may raise concerns. Did you know you should keep your phone away from your head while you use it and away from your body while you carry it? Do you know about SAR ratings, the many studies that prove it’s negative effects? Did you know not using a firewall puts your network at risk? Did you know…. I think you should.

Anyway, enough of my rant. Have a look at Mr. green’s article, it’s an interesting read and i promise his grammar is much better than mine 😉

Comments welcome.