iCloud Keychain Vulnerability Allowed MitM Attackers to Steal Passwords
In its March security release to iOS, Apple patched a Keychain vulnerability that could have been exploited by man-in-the-middle (MitM) attackers to get access to user information. The details have only now been disclosed by Alex Radocea of Longterm Security, security researcher responsible for this bug's discovery.
MitM attackers could have stolen Keychain secrets
Tracked as CVE-2017-2448, the flaw is a critical Keychain weakness that undermined end-to-end encryption touted by Apple and could have enabled a privileged attacker to steal user keychain secrets. "While reviewing attack surfaces on iOS for potential sandbox escapes, we uncovered a critical flaw in a custom Off-The-Record implementation relied upon by iCloud Keychain Sync in addition to a memory trespass error," security researchers wrote this week. "We are currently not aware of any additional uses of the custom OTR implementation."
iCloud Keychain stores names, passwords, credit card details, and WiFi network information for its users. The iCloud Keychain Sync feature allows users to synchronize their keychain to have access to all the data from every Apple device. Unlike other password syncing features, Apple's iCloud keychain sync that offers cross-device password sharing employs end-to-end encryption making it highly resilient against compromised user passwords or a compromised iCloud backend.
The encryption relies on a syncing identity key which is unique to each device, and the plaintext of the secrets and encryption keys are never exposed to iCloud. This makes it exceedingly difficult even for an adversary with unrestricted access to the iCloud backend or iCloud communications to decrypt keychain data when transmitted or ephemerally stored in iCloud.
Researchers explained that the data is transmitted via iCloud Key-Value Storage (KVS), which is tied to an individual's iCloud account. Applications then have to use this KVS to synchronize the data. "Applications are only allowed access to key-value storage data under their own identifier, and communication to the key-value storage servers is arbitrated by syncdefaultsd and other iCloud system services," researchers wrote. This communication with iCloud KVS requires user's password or an intercepted iCloud authentication token.
Radocea said the vulnerability was related to Apple's open source implementation of the Off-The-Record (OTR) messaging protocol that the iCloud Keychain Sync employs. He added that due to improper handling, the signature verification routine for OTR could be bypassed, which will enable a MitM attacker to negotiate an OTR session without needing the syncing identity key.
“For an adversary to gain access to user Keychain secrets, an adversary could leverage this flaw with one of several capabilities to receive keychain secrets," Radocea wrote. "First, assuming that two-factor authentication is not enabled for the user, an attacker with the victim’s iCloud password would be able to directly access and modify entries in the user’s iCloud KVS data."
Second, a sophisticated adversary with backend access to iCloud KVS would also be able to modify entries to perform the attack. Third, the ‘syncdefaultsd’ service does not perform certificate pinning for TLS communications. Without key-pinning, a maliciously issued TLS certificate from any trusted system Certificate Authority could intercept TLS sessions to the iCloud KVS web servers and also perform the attack.
Apple has now addressed the problem through improved error handling and validation for the authenticity of OTR packets. More technical details and the code can be accessed here.