[Cryptography] Security weakness in iCloud keychain
Ron Garret
ron at flownet.com
Wed May 9 14:38:12 EDT 2018
On May 3, 2018, at 11:44 PM, Jon Callas <jon at callas.org> wrote:
> Incidentally, "iCloud Keychain" is perhaps a misnomer. The keychain items aren't stored in iCloud, they're synced directly between members of a keychain circle, end-to-end encrypted while they are in transit. They pass through iCloud as a transfer mechanism, but they're not stored there.
It turns out this is not true. By sheer coincidence (at least I’m pretty sure it was a coincidence) shortly after starting this thread, my iPod developed a battery problem and needed to be replaced. (Apple authorized service centers can’t replace the battery, so they give you a new iPod instead.) I wiped the old iPod before turning it in (i.e. logged out of iCloud and invoked the Reset function from general settings). I just now fired up the new one they gave me to replace it. When I did this, a test password that I had entered manually on the old iPod appeared on the new one. There is no place that password could have been stored other than in iCloud.
Even worse: at one point during the setup process for my new iPod it asked me for the passcode I had set for the old one. So Apple must have stored that too. I find that to be particularly disturbing.
rg