Cybersecurity Insight

The Dark Side of End-to-End Encryption

23 Mar

As the battle rages between Apple and the FBI in the media and courts, more applications and programs are coming to light that use end-to-end encryption. From popular messaging programs and applications to email servers and beyond, authorities from around the world are running into walls when it comes to actually seeing what is messaged between the parties they are investigating. So is end-to-end encryption truly a complete barrier to those hoping to access messages that threaten our security? Does the necessity of having access to these private messaging options outweigh what authorities see as a potential threat to communities spanning the globe? And what are the next steps in this journey toward total encryption?

Demanding backdoor entry exceptions from various companies due to security concerns poses a huge threat to the future of technology security. End-to-end encryption, also known as “going dark” when these messaging apps are used to escape detection, isn’t as ironclad as initially thought. A team of researchers at Johns Hopkins University was able not only to intercept these encrypted messages but to decrypt them as well. The team created software that posed as an Apple server, then intercepted an encrypted message sent from a phone running outdated software. Finally, they began repeatedly guessing a 64-character decryption key corresponding to an encrypted photo on Apple’s iCloud servers. Once they found the correct key, they could download the photo from Apple’s server and view it. So, while even Apple cannot view the iMessages sent (unless they are backed up by the user on iCloud), these researchers were able to intercept and decode a variety of text and photo messages, demolishing the assumed end-to-end encryption barrier.

As mentioned previously, end-to-end encryption works as follows: the people communicating are the only ones privy to the messages. Most importantly, no one – ISPs, telecom providers, or the company running the messaging service – can get access to what is being sent. For the user, it ensures the utmost level of privacy from potential prying eyes. The counterargument that security and government officials pose is that they need that data so a full spectrum of security and safety can be obtained. However, the cost of doing so is quite steep – as one recent publication points out, there is already so much data publicly available to these parties. The issue resides in being able to quickly disseminate what is being collected and analyze it in a coherent and timely fashion; this obviously has not happened yet. Creating a system to do so, however, could change the approach toward these so-called secretive messaging applications.

End-to-end encryption is extremely helpful but can also be used by those with ulterior motives. Though there are not any definitive answers just yet, continuous education about security policies and compliance standards is key for any employee at any company, and that education will continue to morph and evolve as these types of events come to light.