[Cryptography] Security weakness in iCloud keychain

Ron Garret ron at flownet.com
Wed May 9 14:38:12 EDT 2018


On May 3, 2018, at 11:44 PM, Jon Callas <jon at callas.org> wrote:

> Incidentally, "iCloud Keychain" is perhaps a misnomer. The keychain items aren't stored in iCloud, they're synced directly between members of a keychain circle, end-to-end encrypted while they are in transit. They pass through iCloud as a transfer mechanism, but they're not stored there.

It turns out this is not true.  By sheer coincidence (at least I’m pretty sure it was a coincidence) shortly after starting this thread, my iPod developed a battery problem and needed to be replaced.  (Apple authorized service centers can’t replace the battery, so they give you a new iPod instead.)  I wiped the old iPod before turning it in (i.e. logged out of iCloud and invoked the Reset function from general settings).  I just now fired up the new one they gave me to replace it.  When I did this, a test password that I had entered manually on the old iPod appeared on the new one.  There is no place that password could have been stored other than in iCloud.

Even worse: at one point during the setup process for my new iPod it asked me for the passcode I had set for the old one.  So Apple must have stored that too.  I find that to be particularly disturbing.

rg


