[Cryptography] Security weakness in iCloud keychain

Jon Callas jon at callas.org
Fri May 4 02:44:11 EDT 2018


> On May 2, 2018, at 11:45 AM, Ron Garret <ron at flownet.com> wrote:
> 
> I have a “sacrificial iPod” that I don’t use for anything mission-critical in order that I can update it and evaluate the latest Apple software without having to worry about bugs and backwards-incompatibility (which are serious issues in the Apple ecosystem nowadays).  I also have about a dozen other Apple devices.  All of them are logged into iCloud to prevent the denial-of-service attack described here:
> 
> http://blog.rongarret.info/2016/06/apple-bricked-my-macbook-and-theres.html

Perhaps I can help a little bit.

I realize that your comment above has nothing to do with the poor guy's problems, but logging your machines in to iCloud (and enabling "Find My Mac") doesn't *prevent* the anti-theft features, it *enables* them. If someone walked off with your computer and then you declared it to be missing, it would disable itself.

Before moving on, I typed "Mac anti-theft lock" into Google and found a number of articles about Find My Mac along with third-party alternatives. The flip side of that – the tale of someone whose Mac was stolen – is at:

https://www.macworld.com/article/2028403/dont-get-apple-picked-how-to-protect-your-mac-from-theft-in-public-places.html

These features cut both ways. As the above article notes, there's a lot of theft of computers, and a feature that deters theft has all the obvious downsides, too, like the poor other guy's issue, where he bought a computer that later got marked as stolen.

Anyway, let's get on to the keychain.


> 
> None of these devices have iCloud Keychain enabled except the iPod.  Nonetheless, the latest iOS update (11.3) includes a new password manager feature, and that drew my attention to the fact that somehow ALL of the passwords on ALL of my machines were resident on the iPod, and accessible in plain text with nothing more than the iPod’s PIN code (which is only four digits because it’s supposed to be a non-mission-critical machine).

Have you considered a longer passcode?

And yeah, that's the feature.

However, the password manager stuff appeared long before iOS 11. Parts of it were buried in the midst of settings and are exposed at an easier-to-find level with iOS 11.0 (not 11.3), and were extended so that a password that you have for a web site is now available in the associated app. I find this really convenient because it means I can have a long password on a web site (like Protonmail) and then when the app wants that password I don't have to go find it and laboriously type it in.


> 
> When I discovered this, I disabled iCloud Keychain on the iPod, whereupon it asked me if I wanted to delete all my passwords from the iPod.  Of course I said yes.  Nonetheless, the passwords are still there, and now I don’t know of any way to get rid of them except to manually delete them one by one.  And there are a LOT of passwords.  And not all of them are mine.  It seems to have grabbed every password that anyone who has ever had an account on any of my machines has ever had.

What it would have would be all the passwords from your account.

If you had a Mac in your house that a lot of people were using, e.g. an iMac with auto-login, then yeah, all the passwords that people typed into the keychain on that Mac would be there. But it's only ever going to be for that one account.

You could get rid of them from your iPod by "Erase Contents and Settings." They'll be gone completely.

> 
> This leaves me wondering:
> 
> 1.  How did these passwords get there?  It must have been through iCloud Keychain, but that feature is definitely disabled on all my other machines.

Definitely iCloud Keychain.

Well, okay. I don't mean to gainsay you, but there's no other way for them to get there. 

It's possible that you turned on keychain syncing and then turned it off again from your Mac, but that would leave the keychains synced after you turned it off on the Mac. Incidentally, "iCloud Keychain" is perhaps a misnomer. The keychain items aren't stored in iCloud, they're synced directly between members of a keychain circle, end-to-end encrypted while they are in transit. They pass through iCloud as a transfer mechanism, but they're not stored there.

Personally, I recommend that you use iCloud Keychain.

> 
> 2.  Does the fact that I can access stored passwords in plain text without the password that secures my active keychain belie Apple’s claim that these passwords are encrypted and can’t be read by Apple?

No, they're encrypted to keys that only you have.

>  I can’t think of any way that Apple could transfer my passwords to my iPod and make them readable without my knowledge if Apple cannot read them.

Okay. It uses elliptic curve keys and end-to-end encryption. More below.

> 
> 3.  Is this behavior known?  I can’t find anything written about it on the web.

Yes, it is known. I'm sorry you couldn't find anything on the web. Allow me to help.

The iOS Security Guide has some decent descriptions. You can find it at <https://www.apple.com/business/docs/iOS_Security_Guide.pdf> (I found it by typing "iOS security guide" into Google, myself.) Take a look at the sections on "Data Protection" as well as the keychain itself and the iCloud Keychain. The description is high-level, but reasonably complete.

I typed "iCloud Keychain" into Google and the top hit is:

	Frequently asked questions about iCloud Keychain - Apple Support
	https://support.apple.com/en-us/HT204085

The second hit is:

	Everything you need to know about iCloud Keychain | iMore
	https://www.imore.com/icloud-keychain

And going further down the page there are:

	How to Use iCloud Keychain on Your iOS Devices - Mac Rumors
	https://www.macrumors.com/how-to/icloud-keychain-iphone-ipad/

	What is Apple's iCloud Keychain and how do I use it? - New Atlas
	https://newatlas.com/apple-icloud-keychain-ios7/30301/

And further down there are some tutorial videos on YouTube and more. Some of these articles are a bit old, going back to 2014 or 2015.


>  But it feels to me like this should be a major scandal.  I had no idea that this iPod had such a huge vulnerability, so I hadn't taken any measures to secure it.  If it had fallen into the wrong hands it could have been a total catastrophe.

Help me understand what the scandal is. I'll file bug reports for you.

One has to turn on the iCloud Keychain. One has to enter each device into it with one's iCloud password, and go through a small ritual to approve every new device. I understand that you didn't do it, but someone did and that someone had your iCloud password.

Indeed, I agree that if you have an iPod that is syncing with your other devices and it only has a four-digit passcode, then that is a vulnerability. But it's also a backup, too, since if you had other devices lost you could reconstruct the whole thing from the iPod and all those passwords would sync back to your new device.

If you want to remove everything from the iPod since you did say that it's a sacrificial device, then erase it using "Erase all contents and settings". It's very, very secure. Look in the iOS Security Guide for the details of how this gets done.

Feel free to write me off-list if I can help with anything else.

	Jon
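An added illustration of the design described in the reply above (items end-to-end encrypted between members of a keychain circle with elliptic curve keys, passing through iCloud only as a transfer mechanism). This is a simplified model written for this page, not Apple's protocol or code: each device holds an X25519 key pair, a pairwise AES-256-GCM key is derived per peer, and a third key holder standing in for the relay can forward a blob but cannot open it. The KDF (plain SHA-256 over the shared secret) and the sample keychain item are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Device is one member of the keychain circle: its private key is generated on
// the device and never leaves it; only the public key is shared with members.
type Device struct{ priv *ecdh.PrivateKey }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func NewDevice() *Device {
	return &Device{must(ecdh.X25519().GenerateKey(rand.Reader))}
}
func (d *Device) Public() *ecdh.PublicKey { return d.priv.PublicKey() }

// aead derives the pairwise AES-256-GCM key from the X25519 shared secret with
// peer. SHA-256 stands in for a real KDF such as HKDF (simplification).
func (d *Device) aead(peer *ecdh.PublicKey) cipher.AEAD {
	key := sha256.Sum256(must(d.priv.ECDH(peer)))
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}

// Seal encrypts one item for peer; the random nonce is prepended to the blob.
func (d *Device) Seal(peer *ecdh.PublicKey, item []byte) []byte {
	gcm := d.aead(peer)
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, item, nil)
}

// Open decrypts a blob from peer; GCM's tag check rejects outsiders and tampering.
func (d *Device) Open(peer *ecdh.PublicKey, blob []byte) ([]byte, error) {
	gcm := d.aead(peer)
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, fmt.Errorf("blob too short")
}

func main() {
	mac, ipod, relay := NewDevice(), NewDevice(), NewDevice() // relay stands in for iCloud
	blob := mac.Seal(ipod.Public(), []byte("example.test: hunter2")) // constructed sample item
	_, relayErr := relay.Open(mac.Public(), blob) // relay can forward the blob but not read it
	item, _ := ipod.Open(mac.Public(), blob)
	fmt.Printf("relay: %v\nipod: %s\n", relayErr, item)
}
```

Note that the relay in this model holds every device's public key and the full blob and still fails the GCM tag check, which is the property the "not stored in iCloud, only passed through" description relies on.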
