'Encryption' Articles

Facebook Completes Rollout of Messenger App End-to-End Encryption

Facebook has announced that the rollout of cryptographic features for its massively popular Messenger chat service has completed, bringing end-to-end encryption to the largest messaging network in existence. Back in July, the social network company said it was testing the privacy feature on a limited basis which would eventually be rolled out to all 900 million users of the app. On Tuesday, Facebook told Wired that rollout had finished. Messenger now implements the same highly regarded cryptographic Signal Protocol that the company's WhatsApp platform uses to encrypt messages, but the Messenger app needs to be updated and the feature turned on for it to work. A new "Secret Conversations" option can now be found at the top-right of the app's New Message screen, provided that users have enabled the option from the Me profile settings screen. The encryption protocol covers one-to-one text chats and stickers used within threads, but does not currently support the use of videos and GIFs. Messenger users who update the app will also get to use a new Snapchat-style option that erases messages after a specified duration. Messenger is free on the App Store for iPhone, iPad, and Apple

Tim Cook Tells Utah Tech Audience: Encryption 'Makes the Public Safe'

Apple CEO Tim Cook drew cheers from a Salt Lake City audience on Friday as he reiterated the company's unwavering commitment to encryption and privacy protections for its customers, according to local media reports. The comments were made during a Q&A session at the yearly meeting of the Utah Technology Council (UTC), a trade and advocacy group representing more than 5,000 technology and life-sciences companies across the U.S. state. The 55-year-old CEO was invited along with Utah senator Orrin Hatch to take the stage at the Grand America Hotel and field questions from a public audience. [Image caption: Tim Cook in Q&A with senator Orrin Hatch] Calling encryption "one of the biggest issues we face," the CEO noted that most iPhone users have more personal data on their phones than in their homes. "Encryption is one of the things that makes the public safe," he said. "We feel we have a responsibility to protect our customers." "We believe the only way to protect both your privacy and safety from a cyberattack is to encrypt," Cook told about 1,400 industry executives, tech workers and Apple fans. "We throw all of ourselves into this and are very much standing on principle in this." Cook was responding to questions regarding the lingering impact of Apple's dispute with the FBI over the agency's demand that it build a "back door" into its software, following the use of a locked iPhone by the primary suspect in the San Bernardino mass shooting last December. Apple refused to comply with the request from the federal agency, which dropped its pursuit of the company when investigators

Cryptography Experts Recommend Apple Replace its iMessage Encryption

Apple has implemented a series of short- and long-term defenses to its iMessage protocol after several issues were discovered by a team of researchers at Johns Hopkins University, according to a report published today (via PatentlyApple). This attack is different to the one Johns Hopkins researchers discovered in March, which allowed an attacker to decrypt photos and videos sent over iMessage. The technical paper details how another method known as a "ciphertext attack" allowed them to retrospectively decrypt certain types of payloads and attachments when either the sender or receiver is still online. The scenario requires that the attacker intercepts messages using stolen TLS certificates or by gaining access to Apple's servers. While the attack takes a high level of technical expertise to be successful, the researchers note that it would be well within the means of state-sponsored actors. Overall, our determination is that while iMessage’s end-to-end encryption protocol is an improvement over systems that use encryption on network traffic only (e.g., Google Hangouts), messages sent through iMessage may not be secure against sophisticated adversaries. The team also discovered that Apple doesn't rotate encryption keys at regular intervals, in the way that modern encryption protocols such as OTR and Signal do. This means that the same attack can be used on iMessage historical data, which is often backed up inside iCloud. In theory, law enforcement could issue a court order forcing Apple to provide access to their servers and then use the attack to decrypt the

Facebook Testing End-to-End Encryption in Messenger

Facebook has announced that it will begin rolling out optional end-to-end encryption within its Messenger app for iOS and Android on a limited test basis, ahead of the option becoming more widely available through early September. Messenger users will be able to create one-to-one "Secret Conversations" in Messenger that will be end-to-end encrypted and which can only be read on one device of the person they are communicating with. Within secret conversations, Messenger users will have the option to set a timer to control the length of time each message sent remains visible within the conversation. The technology is based on the Signal Protocol by Open Whisper Systems. Facebook said secret conversations do not currently support rich content like GIFs and videos, making payments, or other popular Messenger features. End-to-end encryption will not be enabled by default, and secret conversations will not be available through Messenger.com, Facebook chat, or the desktop Messenger app for now, per TechCrunch, which also explained how to start a secret conversation: …just tap on your friend's name at the top of your current message thread. If you're part of Facebook's test group, you'll see an option called "Secret Conversation." Once you click it, a new conversation thread opens, with a notice at the top informing you that the chat is end-to-end encrypted. The timer feature that allows messages to be erased after a certain time period has elapsed is located right next to the text field. It offers a drop-down list of times you can select for how long you

Apple-Opposed 'Investigatory Powers' Surveillance Bill Moves Closer to Legality in UK

The United Kingdom's House of Commons this week passed the controversial "Investigatory Powers" bill, which gives spy and government agencies the ability to "engage in bulk surveillance and computer hacking," and has met stern opposition from various technology companies, including Apple. In the House of Commons, the bill passed by a vote of 444 to 69 (via Bloomberg). The original wording of the bill required companies to build anti-encryption backdoors into their software -- a point of contention Apple fought over repeatedly against the FBI this year -- and the storing of website records for every UK citizen by web and phone companies. The updated version of the bill passed this week introduced slight alterations to these rules, which could ultimately play in the favor of companies like Apple, Google, and Microsoft in the UK. The updated bill clearly states that companies aren't required to install backdoors to get around encryption when a government agency requests it, with one exception: if taking such an action "is technically feasible and not unduly expensive," the company could face the same request the US government gave Apple earlier in the year. Of course, the exact definition of what would be "technically feasible and not unduly expensive" isn't divulged in the bill. If the bill ultimately becomes law, these definitions would be left to the decision-making of a British judge on a case-by-case basis. According to Apple and CEO Tim Cook, if the company would have been required to introduce a workaround to grant unlimited access to terrorist Syed Farook's

Facebook Considering Optional End-to-End Encryption for Messenger

Facebook is planning to introduce an optional end-to-end encryption mode for its Facebook Messenger chat platform, currently used by more than 900 million people, reports The Guardian. Citing sources "close to the project," The Guardian says the encryption will be an opt-in feature because turning it on will impact some of the new machine learning features being built into the Messenger app like chat bots. Google's upcoming "Allo" messaging app also offers an opt-in end-to-end encryption option it calls "incognito mode." Many major technology companies have taken a stronger stance on privacy, embracing end-to-end encryption following Apple's standoff with the FBI. Earlier this year, the FBI demanded Apple unlock the iPhone 5c used by San Bernardino shooter Syed Farook by bypassing Apple's own passcode security features. Apple refused, and the FBI eventually found an alternate way to access the iPhone, but the dispute has scared technology companies into bolstering security. Dozens of major technology companies supported Apple during its fight with the FBI, all of whom were concerned about the precedent the FBI's demand could set. Popular Facebook-owned messaging app WhatsApp enabled full end-to-end encryption in April, and in March, Swiss software developer Proton Technologies released ProtonMail, an email app offering end-to-end encryption. Apple is also rumored to be working on enhanced security measures for its software and hardware, and apps like Telegram Messenger have grown in popularity. It is not clear exactly when Facebook might introduce new

Apple Rehires Security and Encryption Expert Jon Callas Following FBI Dispute

Following its very public encryption battle with the FBI, Apple has rehired software engineer and security expert Jon Callas, reports Reuters. Callas, who has previously worked at Apple, is known for co-founding encrypted communications services Silent Circle, Blackphone, and PGP Corporation. Apple's decision to rehire Callas comes amid rumors the company is working on improving the security of its iOS devices. Apple has said it will continually improve security to keep ahead of hackers, and its dispute with the FBI is said to have spurred the company to begin work on implementing security measures "even it can't hack." Earlier this year, Apple was ordered to assist the FBI in the unlocking of the iPhone 5c used by San Bernardino shooter Syed Farook, an order it fought because the FBI was asking for new software that would bypass iPhone passcode security measures. Apple insisted the software was "too dangerous to create," setting dangerous precedents that could lead to a weakening of overall device encryption. The FBI eventually dropped the case after finding an alternate method to breach the iPhone, but the fight over encryption is far from over. According to Reuters, Callas supports Apple's position and is opposed to companies being compelled to break their own encryption by the government, but he believes law enforcement officials should be able to take advantage of software vulnerabilities, the method the FBI ultimately used to get into Farook's iPhone 5c. Callas has said he is against companies being compelled by law enforcement to break into their own

ProtonMail iOS App Integrates Touch ID for Unlocking Encrypted Messages

Swiss-made encrypted email app ProtonMail received a significant update yesterday, bringing Touch ID integration and other security enhancements to iOS users. Logging into the app previously required users to remember their login and mailbox password to access their inbox, but as of version 1.2.3 they can turn on the Touch ID feature to unlock encrypted email with their finger on opening the app. An optional second layer of security has also been included, requiring users to enter a PIN code instead of or as well as their fingerprint. A new automatic lock function also lets users set ProtonMail to auto-lock every time they come out of the app, or after a set amount of time. Elsewhere, ProtonMail users can now add attachments from iCloud and other third-party storage apps directly to their messages, while an option to automatically show images in messages and password manager support for iOS have also been introduced. Paid ProtonMail Plus account holders additionally get mobile signature editing, with a number of bug fixes and smaller improvements also among the updates. ProtonMail was launched in March by Swiss software developer and civil liberties outfit Proton Technologies. The service made waves in the security community as the first free end-to-end encrypted email service built on the back of a half a million dollar crowdfunding campaign. ProtonMail invisibly integrates PGP encryption into a modern user interface and operates on the service's "zero access" policy, meaning all messages are stored in encrypted format so that not even ProtonMail has

WhatsApp Messenger Implements Full End-to-End Encryption

WhatsApp has enabled full end-to-end encryption for all users of the mobile instant messenger app. The Facebook-owned service started implementing end-to-end encryption to standard chat messages in 2014, but has now completed rollout to all forms of communication within the app, such as photos, videos and calls. WhatsApp co-founders Jan Koum and Brian Acton officially announced the rollout on the company's blog: From now on when you and your contacts use the latest version of the app, every call you make, and every message, photo, video, file, and voice message you send, is end-to-end encrypted by default, including group chats. The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send that message to. No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us. End-to-end encryption helps make communication via WhatsApp private — sort of like a face-to-face conversation. If you’re interested in learning more about how end-to-end encryption works, you can read about it here. But all you need to know is that end-to-end encrypted messages can only be read by the recipients you intend. And if you’re using the latest version of WhatsApp, you don’t have to do a thing to encrypt your messages: end-to-end encryption is on by default and all the time. Encryption has become a hot topic in recent weeks following Apple's high-profile dispute with the FBI, which attempted to compel the company to unlock San Bernardino shooter Farook Syed's iPhone. On March 28 the

FBI Agrees to Help Arkansas Prosecutor Unlock iPhone and iPod in Homicide Case

The FBI has agreed to help an Arkansas prosecutor unlock an iPhone and iPod that belong to two teenagers accused of killing a couple, reports the Associated Press. The move comes days after the FBI announced that it had unlocked the San Bernardino shooter's iPhone. Faulkner County Prosecuting Attorney Cody Hiland said the FBI agreed to the request from his office and the Conway Police Department Wednesday afternoon. A judge on Tuesday agreed to postpone the trial of 18-year-old Hunter Drexler so prosecutors could ask the FBI for help. Drexler's trial was moved from next week to June 27. Hiland said the FBI agreed to help less than a day after the initial request was made. "We always appreciate their cooperation and willingness to help their local law enforcement partners," Hiland said. Patrick Benca, Drexler's attorney, said he was notified the FBI agreed to help and that he was "not concerned about anything on that phone." The prosecuting attorney said that they had heard the FBI had been able to unlock the San Bernardino shooter's iPhone and wanted to see if they could help, according to the Los Angeles Times. Drexler, along with 15-year-old Justin Staton, are accused of killing Robert and Patricia Cogdell last July. The couple raised Staton as their grandson. After the two teens were arrested in Texas and brought to Arkansas shortly after the shootings, prosecutors gained possession of Drexler's iPhone. Last week, Staton's defense attorney was ordered to hand over his iPod, which was in the defense attorney's evidence locker. Prosecutors argue that Staton had

iMessage Security Flaw Allows Researchers to Decrypt Images

A flaw in Apple's encryption systems has been found that enables an attacker to decrypt photos and videos sent over its iMessage instant messenger service. According to The Washington Post, the security hole in Apple's code was exploited by a group of Johns Hopkins University researchers, led by computer science professor Matthew D. Green. Green reportedly alerted Apple to the problem last year after he read an Apple security guide describing an encryption process that struck him as weak. When a few months passed and the flaw remained, Green and his graduate students decided to mount an attack to show that they could break the encryption of photos and videos sent over iMessage. The team succeeded by writing software that mimicked an Apple server and hijacked the encrypted transmission of the targeted phone. The transmission contained a link to a photo stored in Apple’s iCloud server as well as a 64-digit key to decrypt the photo. While the students could not see the key's digits, they guessed them by a repetitive process of changing a digit or a letter in the key and sending it back to the target phone. Each time they guessed a digit correctly, the phone accepted it. The phone was probed in this way thousands of times until the team guessed the correct key and was able to retrieve the photo from Apple's server. Apple said that it partially fixed the problem last fall when it released iOS 9, and will fully address the issue through security improvements in iOS 9.3, which is expected to be released this week. The company's statement read: Apple works hard to

'ProtonMail' Email App for iOS Launches With End-to-End Encryption

Swiss software developer and civil liberties outfit Proton Technologies saw its encrypted email app ProtonMail hit the App Store today. The iOS app is a front end for the company's popular free worldwide end-to-end encrypted email service, built on the back of over half a million dollars raised in a 2014 crowdfunding campaign. ProtonMail invisibly integrates PGP encryption into a modern user interface and operates on the service's "zero access" policy, meaning all messages are stored in encrypted format so that not even ProtonMail has access to their contents. [Image caption: Illustrated example of end-to-end encryption (Image: ProtonMail)] After creating a free email account, users can send and receive encrypted emails automatically, set timers for messages to self-destruct after sending, organize emails using swipe gestures and labels, and also send password-protected encrypted emails to non-ProtonMail email addresses. ProtonMail's encryption service is open source and hosted entirely in Switzerland, under the protection of some of the world's strongest privacy laws. Last year, the Swiss Parliament passed a new domestic surveillance law that increased the country's state surveillance capabilities and curtailed privacy rights. However, ProtonMail has concluded that the law does not negatively impact the company's secure email service. [Image caption: Boxes of signatures being delivered to the Swiss government in Bern (Image: ProtonMail)] Despite that analysis, ProtonMail joined other civil liberty groups to mount a challenge against the new law, since according to Switzerland's

UK Parliamentary Bill Would Require Backdoors in Electronic Devices

Technology firms operating in the UK will be forced to install backdoors in their products and services for state surveillance purposes under proposed new laws, reports The Sunday Times. The new powers come under the controversial Investigatory Powers Bill (IPB), referred to by critics as the "Snooper's Charter", which was published by Home Secretary Theresa May on March 1 and is due to get its second reading in parliament tomorrow. The bill is backed by a draft code of practice that would also ban companies from revealing if they had been asked to install the backdoor technology. The accompanying draft document states that the British Home Secretary has the power to force firms to provide the "technical capability" to allow the security services to access communication data as well as undertake "interception" and "equipment interference". The bill itself grants the Home Secretary the power to order the removal of "electronic protection", which technology experts say is another word for encryption. Internet service providers would also have to keep records of the online browsing history of everyone for a period of 12 months and enable intelligence agencies to access the data unhindered, allowing them to see every website a person has visited. The UK opposition Labour party has warned the British government that it will derail the bill by abstaining to vote it through in its current form, which critics have called an invasion of privacy on a massive scale and a huge security risk if passed. "The Home Secretary's Bill requires substantial changes before it

Rallies Take Place in Over 50 US Cities to Support Apple in FBI Case

Privacy campaigners held organized rallies across the US yesterday to protest the FBI's demands that Apple unlock the iPhone at the center of its San Bernardino shooter investigation. Following on from limited protests in California last week, rallies extended from Albuquerque to Washington DC to support Apple's insistence that complying with the bureau's demands risked compromising the security of millions of users' data. [Image caption: Protestors rally outside an Apple Store (Image: Cult of Mac)] Large crowds are reported to have gathered in front of Apple Stores in Boston, Portland, Reno, Seattle and Los Angeles, with protestors wearing T-shirts and brandishing signs with slogans such as "Don't break our phones". One rally at San Francisco's downtown store – the site of last week's protests – drew around 40 protestors and about 20 members of the press, beginning late afternoon and continuing into the evening. "We're concerned that if Apple undermines its security in response to the FBI's request it will set a very dangerous precedent that could be used in any number of cases going forward, both by the US government and by international governments, including authoritarian regimes that might seek to access our information," Rainey Reitman of the Electronic Frontier Foundation told Cult of Mac. "We're also worried that that key, once it's created, could be a honeypot for hackers that might want to seek access to information or could be misused in many diverse ways. We don't think that it's appropriate that the government order a tech company to undermine its own security

Justice Department Wants Apple to Extract Data From 12 Other iPhones

The U.S. Department of Justice is pursuing additional court orders that would force Apple to help federal investigators extract data from twelve other encrypted iPhones that may contain crime-related evidence, according to The Wall Street Journal. The revelation comes nearly one week after a U.S. federal judge ordered Apple to assist the FBI with unlocking an iPhone belonging to suspected San Bernardino terrorist Syed Rizwan Farook. Apple strongly opposed the court order last week in an open letter to customers. The twelve cases are similar to the San Bernardino case in that prosecutors have sought to use the 18th-century All Writs Act to force Apple to comply, but none are related to terrorism charges and most involve older versions of iOS software. In the past, Apple has extracted data from iPhones under lawful court orders, but the company stopped storing encryption keys for devices running iOS 8 or later. As a result of this stronger protection, Apple cannot assist the FBI without circumventing iOS security and putting the privacy and safety of its customers at risk. Apple has acknowledged that creating a "government-ordered backdoor" is technically possible, but CEO Tim Cook said cooperating with the FBI would set a "very dangerous precedent." Apple said it has "done everything that's both within our power and within the law to help in this case," adding that it has "no sympathy for terrorists." The U.S. government previously said that investigators are only seeking access to a single iPhone related to the San Bernardino attacks, but Apple argued that

Bill Gates Says Apple Should Unlock San Bernardino Shooter's iPhone for FBI [Updated]

Shortly after Apple was ordered to help the FBI recover data from the San Bernardino shooter's iPhone, Apple quickly said they would oppose the order, garnering the support of other major tech companies like Facebook, Twitter, Google and Microsoft. In a new interview with the Financial Times, former Microsoft CEO Bill Gates has instead backed the FBI, denying that they are asking for a back door. “This is a specific case where the government is asking for access to information. They are not asking for some general thing, they are asking for a particular case,” Mr Gates told the Financial Times. While Apple CEO Tim Cook has consistently argued that unlocking one device would set a dangerous precedent, Gates doesn't believe that it would. He argues that Apple has access to the information, but that they are declining to provide access to the information. Gates compares it to when a bank or telephone company is requested to give up records for a particular person. Gates went on to say that there were benefits to governments having some access to information, but that there would have to be rules in place to limit how they can access that information. He says that he hopes people will "have that debate so that safeguards are built and so people do not opt out -- and this will be in country by country -- [to say] it is better that the government does not have access to any information." FBI Director James Comey said in an editorial yesterday that the request was "not trying to set a precedent" and that it was instead about "the victims and justice." However, the FBI

Apple Says Opposing FBI is 'Absolutely Not' a 'Marketing Strategy'

Apple has shared a new Q&A page that explains why the company is opposing a court order to create a unique version of iOS that would bypass security protections and allow the FBI to unlock an iPhone via brute-force attack. Apple says the objection is "absolutely not" based on the company's concern for its "marketing strategy," as the U.S. Department of Justice opined last week, but rather about ensuring "the vast majority of good and law abiding citizens, who rely on iPhone to protect their most personal and important data" are not at risk. Apple admits that creating a "government-ordered backdoor" is technically possible, but says "the technique, once created, could be used over and over again, on any number of devices." The company insists that complying with the court order would have "dangerous implications" for customer privacy and safety, and set a "very dangerous precedent" that would expand the powers of the U.S. government. Law enforcement agents around the country have already said they have hundreds of iPhones they want Apple to unlock if the FBI wins this case. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks. Of course, Apple would do our best to protect that key, but in a world where all of our data is under constant threat, it would be relentlessly attacked by hackers and cybercriminals. As recent attacks on the IRS systems and countless other data breaches have shown, no one is immune to cyberattacks. Again, we strongly believe the only way to guarantee that such a powerful tool

FBI Director 'Not Trying to Set Precedent' With iPhone Unlock Demand

FBI Director James Comey has written an editorial to respond to concerns that the agency's demands of Apple in the ongoing San Bernardino shooter case undermine privacy rights and threaten future security efforts. "The San Bernardino litigation isn't about trying to set a precedent or send any kind of message," Comey said in an op-ed piece that appeared on the Lawfare blog late Sunday. "It is about the victims and justice. Fourteen people were slaughtered and many more had their lives and bodies ruined. We owe them a thorough and professional investigation under law." The editorial comes after Apple CEO Tim Cook vehemently opposed the FBI's demand that the company help break into the iPhone of one of the shooters, claiming that the order undermined decades of security advancements designed to protect customers. "Once created, the technique could be used over and over again, on any number of devices," Cook wrote in a letter last week. Comey rejects that claim in the article and states that "the particular legal issue is actually quite narrow. The relief we seek is limited and its value increasingly obsolete because the technology continues to evolve." We simply want the chance, with a search warrant, to try to guess the terrorist's passcode without the phone essentially self-destructing and without it taking a decade to guess correctly. That's it. We don't want to break anyone's encryption or set a master key loose on the land. Tellingly, however, Comey goes on to say that the case highlights how such "awesome new technology" creates "serious tension" between

FBI Insists Apple Cooperate Despite Resetting iCloud Password on Shooter's iPhone

The U.S. Federal Bureau of Investigation has confirmed that it worked with San Bernardino County government officials to reset the iCloud account password on an iPhone belonging to suspected terrorist Syed Farook, according to a press statement obtained by Re/code. Apple told reporters on Friday that the Apple ID password associated with Farook's iPhone was changed "less than 24 hours" after being in government hands. Had the password not been altered, Apple believes the backup information the government is asking for could have been accessible to Apple engineers. Nevertheless, the FBI insists that the iCloud password reset does not impact Apple's ability to comply with a court order demanding it create a modified iOS version that allows authorities to unlock the shooter's iPhone 5c by way of a brute-force attack. The FBI further stated that "direct data extraction from an iOS device often provides more data than an iCloud backup contains," and said investigators may be able to extract more evidence from the shooter's iPhone with Apple's assistance. Tim Cook and company, however, have thus far refused to cooperate. Even if the password had not been changed and Apple could have turned on the auto-backup and loaded it to the cloud, there might be information on the phone that would not be accessible without Apple’s assistance as required by the All Writs Act order, since the iCloud backup does not contain everything on an iPhone. As the government’s pleadings state, the government’s objective was, and still is, to extract as much evidence as possible from the phone. Co

Apple Says Apple ID Password on Shooter's iPhone Changed in Government Possession, Losing Access to Data

Shortly after the U.S. Department of Justice filed a motion demanding Apple comply with an order to help it unlock the iPhone 5c of San Bernardino shooter Syed Farook, Apple executives shared key information with several reporters, including BuzzFeed's John Paczkowski, about government missteps that may have led to reduced access to the iPhone in question. According to Apple, the Apple ID password on the iPhone was changed "less than 24 hours" after being in government hands. Had the password not been altered, Apple believes the backup information the government is asking for could have been accessible to Apple engineers. The FBI has said it has access to weekly iCloud backups leading up to October 19, but not after that date, and it is seeking later information that could be stored on the device. The executives said the company had been in regular discussions with the government since early January, and that it proposed four different ways to recover the information the government is interested in without building a back door. One of those methods would have involved connecting the phone to a known wifi network. Apple sent engineers to try that method, the executives said, but the experts were unable to do it. It was then that they discovered that the Apple ID passcode associated with the phone had been changed. Apple executives said the entire backdoor demand could have potentially been avoided if the Apple ID password had not been changed, as connecting to a known Wi-Fi network would have caused the device to start backing up automatically so long as iCloud backups