[Cryptography] Security weakness in iCloud keychain

Ron Garret ron at flownet.com
Fri May 4 15:12:45 EDT 2018 

On May 3, 2018, at 11:44 PM, Jon Callas <jon at callas.org> wrote:

> 
>> On May 2, 2018, at 11:45 AM, Ron Garret <ron at flownet.com> wrote:
>> 
>> I have a “sacrificial iPod” that I don’t use for anything mission-critical in order that I can update it and evaluate the latest Apple software without having to worry about bugs and backwards-incompatibility (which are serious issues in the Apple ecosystem nowadays).  I also have about a dozen other Apple devices.  All of them are logged into iCloud to prevent the denial-of-service attack described here:
>> 
>> http://blog.rongarret.info/2016/06/apple-bricked-my-macbook-and-theres.html
> 
> Perhaps I can help a little bit.
> 
> I realize that your comment above has nothing to do with the poor guy's problems, but logging your machines in to iCloud (and enabling "Find My Mac") doesn't *prevent* the anti-theft features, it *enables* them. If someone walked off with your computer and then you declared it to be missing, it would disable itself.

Yes, I know this.  I am “the poor guy”.  That is my blog.  And, BTW, there’s a sequel:

http://blog.rongarret.info/2016/07/i-unbricked-my-macbook.html

TL;DR: iCloud lock is actually totally useless unless your machine is stolen by someone who is completely clueless.

So: the reason I log all my devices into iCloud is because that is the only way I know of to insure that they aren’t bound to anyone else’s iCloud account.

>> None of these devices have iCloud Keychain enabled except the iPod.  Nonetheless, the latest iOS update (11.3) includes a new password manager feature, and that drew my attention to the fact that somehow ALL of the passwords on ALL of my machines were resident on the iPod, and accessible in plain text with nothing more than the iPod’s PIN code (which is only four digits because it’s supposed to be a non-mission-critical machine).
> 
> Have you considered a longer passcode?

Well, yeah, but remember this device was *specifically* purposed to be a sacrificial machine.  It was not supposed to contain any sensitive data at all.  So there was no reason to use a stronger PIN.

>> When I discovered this, I disabled iCloud Keychain on the iPod, whereupon it asked me if I wanted to delete all my passwords from the iPod.  Of course I said yes.  Nonetheless, the passwords are still there, and now I don’t know of any way to get rid of them except to manually delete them one by one.  And there are a LOT of passwords.  And not all of them are mine.  It seems to have grabbed every password that anyone who has ever had an account on any of my machines has ever had.
> 
> What it would have would be all the passwords from your account.
> 
> If you had a Mac in your house that a lot of people were using, e.g. an iMac with auto-login, then yeah, all the passwords that people typed into the keychain on that Mac would be there. But it's only ever going to be for that one account.

My wife and I have separate accounts on all of our machines, and we each have one machine that is designated our primary from which all sensitive work gets done.  We also have separate iCloud accounts.  The iPod was logged in to my iCloud account.  AFAIK it was never logged in to my wife’s account.

The only way I can think of for my wife’s passwords to have ended up on my iPod would be either:

1.  Her user account on her primary Mac somehow logged in to my iCloud account, *and* iCloud keychain got turned on and then turned back off, and then her machine got logged back into her own iCloud account.  This sequence of events is highly unlikely.

2.  My sacrificial iPod somehow got logged in to her iCloud account, snarfed her passwords, and then kept them when it was later logged in to my iCloud account.  IMHO, that would be a serious bug.

>> This leaves me wondering:
>> 
>> 1.  How did these passwords get there?  It must have been through iCloud Keychain, but that feature is definitely disabled on all my other machines.
> 
> Definitely iCloud Keychain.
> 
> Well, okay. I don't mean to gainsay you, but there's no other way for them to get there.

There is at least one other possibility: someone could have exfiltrated our passwords through some other means and entered them all into my iPod manually.

Now, of course this is *extremely* unlikely.  But it is possible.  I point this out not to be pedantic, but just to point out that your certainty that “there is no other way for them to get there” is unwarranted.  It is possible that there is yet another way for them to get there that involves neither iCloud nor a password gnome that neither of us has thought of.

FWIW, I do think it’s likely that iCloud plays a prominent role in whatever happened.  But I also think the story is probably more complicated than just “it’s iCloud working as intended."

> It's possible that you turned on keychain syncing and then turned it off again from your Mac, but that would leave the keychains synced after you turned it off on the Mac. Incidentally, "iCloud Keychain" is perhaps a misnomer. The keychain items aren't stored in iCloud, they're synced directly between members of a keychain circle, end-to-end encrypted while they are in transit. They pass through iCloud as a transfer mechanism, but they're not stored there.

Again, with all due respect, I don’t see how you could possibly know that.  How could you distinguish what you describe from a MITM attack?

> Personally, I recommend that you use iCloud Keychain.

Huh???  Did you leave out the word “not”?

>> But it feels to me like this should be a major scandal.  I had no idea that this iPod had such a huge vulnerability, so I hadn't taken any measures to secure it.  If it had fallen into the wrong hands it could have been a total catastrophe.
> 
> Help me understand what the scandal is. I'll file bug reports for you.

The (erstwhile) scandal is that I, a reasonably tech-savvy and privacy-conscious user, was able to get myself into a situation where ALL of my passwords were:

1.  Resident on an easily stolen device

2.  Without my knowledge (so I took no measures to secure this device) and

3.  Protected only by a 4-digit PIN

Furthermore, I still don’t know the details of how this could have happened.  But however it happened, at no point during the process did I ever get the slightest hint from the system that I was doing anything even remotely dangerous.  So either:

1.  It is easy to get to the very edge of catastrophe without realizing it, and this is *by design*, or

2.  There’s a bug in the system

Notwithstanding the murkiness around some of the details of how I got myself into this mess, I don’t see any other possibilities.

> Feel free to write me off-list if I can help with anything else.

Thanks!  I’ve elided a lot of links that you provided, but everything you said was very helpful.  I appreciate you taking the time.

rg

More information about the cryptography mailing list