iCloud Security Flaw Gave Attackers Access to User Data Despite End-to-End Encryption

Author Photo
Jul 24, 2017
30Shares
Submit

Security researchers have revealed the details of an iOS security flaw that is being called as one of the worst security vulnerabilities of the year. The flaw exploited a loophole in Apple’s iCloud Keychain and how it synchronizes sensitive data across devices. iCloud Keychain helps users get access to data like passwords and credit cards info on all their iOS devices. However, if exposed, this data could turn into a goldmine for a sophisticated attacker – say government agencies?

“The bug we found is exactly the kind of bug law enforcement or intelligence would look for in an end-to-end encryption system,” Alex Radocea, co-founder of Longterm Security, wrote in a blog post hinting at the Apple-FBI encryption battle.

20111020apple_securityRelatedCritical Zero-day Security Flaws in iOS and OS X – Apple Silent for 6 Months

iCloud Keychain encryption bug exposes passwords & credit card numbers

iCloud Keychain is considered one of the most secure password sharing features thanks to its implementation of end-to-end encryption using device-specific keys. “This encryption makes iCloud Keychain Sync highly resilient against both compromised user passwords and even a compromised iCloud backend,” Radocea notes. However, the previously unreported flaw could have enabled a privileged attacker to undermine that encryption and steal user keychain data.

Radocea discovered a way to bypass the signature verification process, a protocol that protects against impersonation by making sure devices are communicating with each other securely. This allowed Radocea to negotiate a key without going through the verification process, which means a user wouldn’t have even known if a new device was added.

Talking to ZDNet, the security researcher explained that he “verified the attack by loading a TLS certificate on a test iOS device, which allowed him to carry out a man-in-the-middle attack to inspect the traffic.” Radocea then started to intercept the traffic and modify OTR packets in transit to get an invalid signature.

“We were able to send a signature that’s wrong and modify the negotiation packet to accept it anyway,” he added. Once in, he could see everything in plain-text.

icloud-keychain-2RelatedHow to Generate Strong and Secure Passwords with Safari iCloud Keychain

iOS 10.3 addressed the iCloud Keychain security flaw

The problem was fixed by Apple earlier in the year with the release of iOS 10.3. “We are currently not aware of any additional uses of the custom OTR [Off-The-Record] implementation,” Radocea adds. Apple had also given a few details of this iCloud Keychain security flaw and its fix in its changelog for the update:

Keychain

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: An attacker who is able to intercept TLS connections may be able to read secrets protected by iCloud Keychain.

Description: In certain circumstances, iCloud Keychain failed to validate the authenticity of OTR packets. This issue was addressed through improved validation.

CVE-2017-2448: Alex Radocea of Longterm Security, Inc.

However, not everyone could have used this to target iOS users. The security researcher adds that the attack requires time and effort, not to forget access to the victim’s iCloud account – think of an Apple ID email address and password. While it may seem like too much, a number of massive data leaks in the last year alone has ensured that determined attackers can find enough data to individually hit their targets.

“Besides well funded adversaries who might be interested in iCloud Keychains, there are opportunistic attackers and criminals looking to leverage and monetize leaked password dumps in any way they can think up,” Radocea warns. “They represent an immediate and constant threat to iCloud as well as any other cloud service.”

– Alex Radocea will reveal more details about this vulnerability at the Black Hat conference in Las Vegas later this week.

Submit