No; iMessage isn’t intercept-proof.

*** (April 5, 2013) Update: TechDirt has a nice post about the whole affair. They summarize the counterarguments against the DEA memo and the original CNET story; and they line up quite nicely with mine 🙂 They also include snippets from Julian Sanchez that offer more details and some possible motives for this whole exercise. Woot!

Argh. This story is traveling around the OMGosphere. A DEA office sent an internal notice among its agents and investigators. The notice was meant to warn them about the inability of pen registers and trap and trace devices to log Apple iMessages. The devices in question work like the call list on your phone; every call you make and every call you receive are logged. Extend that idea to include SMS messages (mobile texts) and you get the idea. It’s a form of wiretapping, but it doesn’t necessarily include logging the content of the communication.

The DEA uses these devices to record evidence of contact and communication between suspects. If they’re logging the phone calls made and received by gang members, the record of their intercommunication history could be used in court to show collusion in criminal activity, for example. RICO Act type of stuff.

Most of this equipment is installed and maintained by the phone companies to meet their legal disclosure requirements; when an agency comes knocking and asks for a full bidirectional record of calls for a certain phone number, the company is required to produce it.

The DEA warning was issued because agents discovered that the communication records they received weren’t always complete. The missing events were iMessages sent between two Apple devices; two iPhones, an iPhone and an iPad, two iToilets, etc.

So, that means that Apple iMessages have unbreakable encryption and are so amazingly great that EVEN THE DEA CAN’T TRACK THEM!  Right?

NO

NO NO NO

Internet, there are times when I want to hit you with an atomic hockey stick.

DEA foiled again!

Why are SMS messages logged while iMessages are not? A few reasons that have nothing do with super Apple encryption framice plates.

1. SMS messages are handled by the phone company network. The capability to transport text messages between mobile phones is built right into the specifications of the mobile phone networks. When you send a mobile text message, the message protocol includes source and destination headers telling the tower where the message originated and who it’s for. The logging equipment at the phone company can simply take those headers and add them to the record.

2. iMessage is not a standard adopted by the Mobile Phone Industry. Apple handles the routing of iMessages. When you send an iMessage from your iPhone — assuming you send it via mobile data and not Wifi — the cell tower treats it like a bunch of ordinary data packets; you might as well be uploading a photo or streaming some music. The packets will have source and destination headers of their own, but only to move the packets to an Apple server. The actual source and destination of the iMessage will be part of the data packets’ content, not as cleartext metadata on the outside of an SMS message.

3. Pen registers and traps aren’t psychic. There are people in the world who think that a virus scanner is capable of identifying any kind of virus. Surprisingly, the scanner is not an oracle; it’s just pattern matching to a list of known patterns. Have you ever been bothered by anti-virus software begging you to update your virus definitions? The software needs to have the latest set of known virus patterns (or signatures) so that it can detect known threats. If the definitions haven’t been updated in 2 years, there are lots of new virussessesesesssii the scanner will miss. The wiretaps can work in a similar fashion. They can sit in the network and look for SMS-shaped things, voice call-shaped things, etc. They have been told how to identify those events; they don’t get a tingling spidey-sense when an SMS is nearby. It’s entirely possible that the wiretap equipment could be given an update allowing it to identify the signature of an iMessage, if not the ability to decode it. Depending on the iMessage spec, messages may have a structure that is observable even when encrypted; messages may have a specific preamble; all packets heading to a set of identified iMessage servers could be flagged, etc.

4. It is almost certain that Apple IS maintaining a log of iMessages in order to comply with legal requirements. If so ordered, they would be required by law to produce activity logs for individual iMessage accounts. In this case, the DEA agents weren’t aware that the Apple-held data wouldn’t be logged by the phone company. This wasn’t a triumph of Apple tech against evil government privacy violations. This was a temporary ignorance of modern communications tech.

Thus endeth the lesson.

Amen.