[Cryptography] Security weakness in iCloud keychain

Ron Garret ron at flownet.com
Wed May 2 14:45:52 EDT 2018


I have a “sacrificial iPod” that I don’t use for anything mission-critical in order that I can update it and evaluate the latest Apple software without having to worry about bugs and backwards-incompatibility (which are serious issues in the Apple ecosystem nowadays).  I also have about a dozen other Apple devices.  All of them are logged into iCloud to prevent the denial-of-service attack described here:

http://blog.rongarret.info/2016/06/apple-bricked-my-macbook-and-theres.html

None of these devices have iCloud Keychain enabled except the iPod.  Nonetheless, the latest iOS update (11.3) includes a new password manager feature, and that drew my attention to the fact that somehow ALL of the passwords on ALL of my machines were resident on the iPod, and accessible in plain text with nothing more than the iPod’s PIN code (which is only four digits because it’s supposed to be a non-mission-critical machine).

When I discovered this, I disabled iCloud Keychain on the iPod, whereupon it asked me if I wanted to delete all my passwords from the iPod.  Of course I said yes.  Nonetheless, the passwords are still there, and now I don’t know of any way to get rid of them except to manually delete them one by one.  And there are a LOT of passwords.  And not all of them are mine.  It seems to have grabbed every password that anyone who has ever had an account on any of my machines has ever had.

This leaves me wondering:

1.  How did these passwords get there?  It must have been through iCloud Keychain, but that feature is definitely disabled on all my other machines.

2.  Does the fact that I can access stored passwords in plain text without the password that secures my active keychain belie Apple’s claim that these passwords are encrypted and can’t be read by Apple?  I can’t think of any way that Apple could transfer my passwords to my iPod and make them readable without my knowledge if Apple cannot read them.

3.  Is this behavior known?  I can’t find anything written about it on the web.  But it feels to me like this should be a major scandal.  I had no idea that this iPod had such a huge vulnerability, so I hadn't taken any measures to secure it.  If it had fallen into the wrong hands it could have been a total catastrophe.

rg


