Contrary to public claims, Apple employees can read communications sent with its iMessage service, according to researchers who have reverse engineered it.

The finding, delivered Thursday at a Hack in the Box presentation titled How Apple Can Read Your iMessages and How You Can Prevent It, largely echoes the conclusion Ars reached in June. It contrasts sharply with assurances that Apple gave following revelations of an expansive surveillance program by the National Security Agency. iMessage conversations, Apple said at the time, "are protected by end-to-end encryption so no one but the sender and receiver can see or read them." It added: "Apple cannot decrypt that data."

Researchers from QuarksLab who delivered Thursday's talk, begged to differ.

"Apple's claim that they can't read end-to-end encrypted iMessage[s] is definitely not true," researchers from QuarksLab wrote in a white paper summarizing their findings. "As everyone suspected: yes they can!"

The good news

To the credit of Apple engineers, the researchers said that it would be hard for most would-be eavesdroppers to defeat the cryptography protecting iMessages. The encryption is based on the time-tested AES, RSA, and ECDSA algorithms that are used to authenticate parties to a conversation and prevent their contents from being read by anyone able to monitor a Wi-Fi network or other connection. Breaking the encryption would generally require an eavesdropper getting physical control of an iPhone or other Apple device, installing fraudulent certificates on it, and then setting up rogue servers that masquerade as those Apple uses to transmit iMessages. (The ability to use counterfeit digital credentials, interestingly, is made much easier by the lack of the kind of certificate pinning used by Google and Twitter to require this type of attack.)

Ultimately, the QuarksLab researchers said that such man-in-the-middle exploits against the iMessage infrastructure require so much effort that they could probably be carried out only by three-letter agencies, and even then only under limited circumstances. But they went on to say there's no technical measure stopping Apple employees, working under a secret court order or otherwise, from performing the same kind of attack and making it completely transparent to the parties exchanging iMessages. Unlike third-party attacks, these insider exploits would require no tampering of end-user devices.

iMessage contents are encrypted with a random AES key that's encrypted with an RSA key belonging to the recipient. A separate ECDSA key is used for authentication. The payload is sent to one or more Apple servers and ultimately delivered to one or more devices belonging to the recipient. Since Apple controls the entire infrastructure, there's nothing preventing company employees from swapping out the proper keys with ones controlled by Apple or other parties.

"So yes, there is end-to-end encryption as Apple claims, but the key infrastructure is not trustworthy," the researchers wrote. "So Apple can decrypt your data, if they want, or more probably if they are ordered to."

In fairness to Apple, most other commercial messaging systems are also vulnerable to man-in-the-middle or similar attacks mounted by insiders. The difference is that few if any of those other providers have issued public statements claiming the messages sent over their services can be read only by the sender and receiver. The researchers have developed a Mac OS X app they call IMITMProtect that is designed to prevent such attacks. They also called on Apple to fully document the way the popular messaging service works.

Update: An Apple representative has issued a statement to AllThingsD.