[Cryptography] Security weakness in iCloud keychain
Ron Garret
ron at flownet.com
Wed May 9 15:39:52 EDT 2018
On May 9, 2018, at 11:38 AM, Ron Garret <ron at flownet.com> wrote:
>
> On May 3, 2018, at 11:44 PM, Jon Callas <jon at callas.org> wrote:
>
>> Incidentally, "iCloud Keychain" is perhaps a misnomer. The keychain items aren't stored in iCloud, they're synced directly between members of a keychain circle, end-to-end encrypted while they are in transit. They pass through iCloud as a transfer mechanism, but they're not stored there.
>
> It turns out this is not true.
And it turns out this is documented here:
https://support.apple.com/en-us/HT204085
It gets worse: at the bottom of the page there are instructions for how to remove your iCloud keychain from Apple's servers. Those instructions say:
Tap Settings > [your name] > iCloud > Keychain > Advanced.
When I do this (on iOS 11.3.1) there is no Advanced option.
I also just noticed that my weather app settings somehow managed to get transferred from my old iPod despite the fact that I wiped it and never made an iCloud backup.
rg