[Cryptography] Security weakness in iCloud keychain

Wed May 9 18:14:18 EDT 2018

On May 9, 2018, at 2:15 PM, Jon Callas <jon at callas.org> wrote:

>> On May 9, 2018, at 11:38 AM, Ron Garret <ron at flownet.com> wrote:
>> 
>> 
>> It turns out this is not true.  By sheer coincidence (at least I’m pretty sure it was a coincidence) shortly after starting this thread, my iPod developed a battery problem and needed to be replaced.  (Apple authorized service centers can’t replace the battery, so they give you a new iPod instead.)  I wiped the old iPod before turning it in (i.e. logged out of iCloud and invoked the Reset function from general settings).  I just now fired up the new one they gave me to replace it.  When I did this, a test password that I had entered manually on the old iPod appeared on the new one.  There is no place that password could have been stored other than in iCloud.
>> 
>> Even worse: at one point during the setup process for my new iPod it asked me for the passcode I had set for the old one.  So Apple must have stored that too.  I find that to be particularly disturbing.
> 
> Have you read the security document?

Assuming you mean this document:

https://www.apple.com/business/docs/iOS_Security_Guide.pdf

I have not read every word, but I’ve read parts of it.  In particular I’ve read the iCloud section.

> Based on what you're saying, I have a hypothesis about what's going on, but you don't believe me.

What can I say?  You wrote:

> The keychain items aren't stored in iCloud

But that turns out simply not to be true, as evidenced by both my experience and the document that you just asked if I’d read.  Storing your keychain in iCloud is an advertised feature!

"Keychain recovery provides a way for users to optionally escrow their Keychain with Apple, without allowing Apple to read the passwords and other data it contains. Even if the user has only a single device, Keychain recovery provides a safety net against data loss.”

This is not unreasonable.  What *is* unreasonable is that the instructions for turning this feature off once it has been enabled (https://support.apple.com/en-us/HT204085) don’t actually work.

rg