A security flaw in iOS devices, fixed with little public notice, had the potential to be one of the most damaging security vulnerabilities this year.
The bug lay in how Apple’s iCloud Keychain synchronizes sensitive data, such as passwords and credit cards on file, across devices. If exploited, it could have let a sophisticated attacker steal every secret that a user’s iPhone, iPad, or Mac keeps in the keychain.
“The bug we found is exactly the kind of bug law enforcement or intelligence would look for in an end-to-end encryption system,” said Alex Radocea, co-founder of Longterm Security, who is set to reveal more details about the now-fixed vulnerability at the Black Hat conference in Las Vegas on Wednesday.
Radocea said the flaw could have let an attacker punch a hole in the end-to-end encryption that Apple uses so that nobody can read keychain data as it travels across the internet.
An attacker who could intercept that data would get the secrets it carries: website logins and their passwords, Wi-Fi network names and their passwords, and anything else saved to the keychain.
It all comes down to a flaw in how iCloud Keychain verified device keys, a check Radocea was able to bypass.
Radocea, who also blogged about the vulnerability, explained by phone earlier this week that iCloud Keychain uses a customized version of the open-source Off-the-Record (OTR) encryption protocol, typically used in instant messaging apps, to exchange secrets across the internet. During OTR’s key exchange each side signs its key-exchange values with a long-term key and the other side verifies that signature, which is what stops an impersonator from inserting its own key and is how two or more devices confirm they are talking to each other and not to a stranger.
He discovered a way to bypass the signature verification process, which could have allowed an attacker to negotiate a session key even though the signature covering it was never validly checked.
“It’s completely silent to users,” said Radocea. “They wouldn’t have seen a device being added.”
He verified the attack by installing his own TLS certificate as trusted on a test iOS device, which let him man-in-the-middle the device’s connection and inspect the traffic. He then intercepted the traffic and modified Off-the-Record packets in transit so that the signature they carried was deliberately invalid.
“We knew just what bytes to flip to get an invalid signature, whilst still getting it approved,” he explained. “We were able to send a signature that’s wrong and modify the negotiation packet to accept it anyway.”
From there, he was able to get a device approved. “We could see everything [in the Keychain] in plain-text,” he said.
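The exchange described above, modelled as an added example that is not Apple’s code and not the precise flaw Radocea found: a toy OTR-style authenticated key exchange in Python in which the responder computes the signature check but never acts on its result, beside the corrected form. The tiny Diffie-Hellman group, the HMAC standing in for OTR’s public-key signature, the function names and the exact shape of the bug are all assumptions made for this illustration.

```python
"""Toy model of an OTR-style authenticated key exchange (AKE) with a
signature check that is computed but never enforced, beside the fixed form.

Illustrative only: the small DH group, the HMAC stand-in for OTR's real
public-key signature and the bug's shape are assumptions for this example,
not Apple's implementation or the exact vulnerability reported.
"""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: a Mersenne prime with generator 2. Far too small
# for real use; chosen so the example runs instantly.
P = (1 << 61) - 1
G = 2


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(8, "big")).digest()


def ake_transcript(initiator_pub, responder_pub, initiator_id):
    # Signed material: both DH values plus the signer's identity, so a
    # signature made for one DH value cannot be reused for another.
    return b"%d|%d|%s" % (initiator_pub, responder_pub, initiator_id)


def sign(longterm_key, data):
    # HMAC stands in for the signature OTR carries in its Signature messages.
    return hmac.new(longterm_key, data, hashlib.sha256).digest()


def verify(longterm_key, data, sig):
    return hmac.compare_digest(sign(longterm_key, data), sig)


def respond_vulnerable(my_priv, my_pub, initiator_pub, initiator_key,
                       initiator_id, sig):
    """Responder that computes the verification result but never acts on it.

    Assumed bug shape: the result is dropped, so any signature, valid or
    not, leads to the device being approved and a session key derived.
    """
    transcript = ake_transcript(initiator_pub, my_pub, initiator_id)
    verified = verify(initiator_key, transcript, sig)
    _ = verified  # BUG: result discarded, handshake continues regardless
    return session_key(my_priv, initiator_pub)


def respond_fixed(my_priv, my_pub, initiator_pub, initiator_key,
                  initiator_id, sig):
    """Responder that refuses to derive a key unless the signature checks out."""
    transcript = ake_transcript(initiator_pub, my_pub, initiator_id)
    if not verify(initiator_key, transcript, sig):
        raise ValueError("AKE signature invalid: device not approved")
    return session_key(my_priv, initiator_pub)


def run_exchange(responder, mitm):
    """Run the AKE between device A (joining) and device B (holding the
    keychain). With mitm=True an attacker on the TLS path, as Radocea was on
    his test device, substitutes its own DH value and flips a byte of A's
    signature. Returns True if B ends up sharing a session key with whoever
    it actually talked to (A when honest, the attacker under mitm)."""
    a_longterm = secrets.token_bytes(32)  # trusted by B as device A's key
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    sig = sign(a_longterm, ake_transcript(a_pub, b_pub, b"device-A"))

    if mitm:
        m_priv, m_pub = dh_keypair()
        # The attacker cannot sign for A, so it tampers with A's signature
        # and swaps in its own DH value.
        sig = bytes([sig[0] ^ 0x01]) + sig[1:]
        seen_pub, other_priv = m_pub, m_priv
    else:
        seen_pub, other_priv = a_pub, a_priv

    try:
        key_at_b = responder(b_priv, b_pub, seen_pub, a_longterm, b"device-A", sig)
    except ValueError:
        return False  # B aborted: no key, nothing for anyone to decrypt
    return key_at_b == session_key(other_priv, b_pub)


if __name__ == "__main__":
    for name, responder in (("vulnerable", respond_vulnerable),
                            ("fixed", respond_fixed)):
        print(f"{name}: honest={run_exchange(responder, mitm=False)} "
              f"attacker_shares_key={run_exchange(responder, mitm=True)}")
```

With the vulnerable responder the handshake completes either way and the attacker walks away holding the same session key as the keychain-bearing device, which is the silent device approval Radocea describes; the fixed responder aborts the moment the signature fails. The practitioner’s check is the same in any AKE implementation: the verification result must be the sole gate on the transition to the encrypted state, and a verify routine whose return value is computed but not acted on is a bug even if every byte of the cryptography is correct.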
There are caveats, said Radocea: not just anyone can carry out this kind of attack. It takes work, effort, and the right circumstances.
“With the bug I couldn’t go ahead and steal whoever’s iCloud Keychain just by knowing their account name. I would also need access to their iCloud account somehow,” he said, such as an Apple ID email address and password. In the past few years, billions of account credentials have been exposed in data breaches, enough to target individual accounts whose owners reuse passwords across sites. (Radocea noted that accounts with two-factor authentication are far better protected than those without it.)
“Instead, what we found was a break in the end-to-end encryption piece,” he said. “The communication between devices and Apple was still secure. However, the encryption flaws would have made it possible for a rogue Apple employee or lawful intercept order to gain access to all of the keychain data.”
And that could be a problem. Cast your mind back a year and you’ll remember the Apple vs. FBI saga, in which the government demanded Apple write custom software to defeat the passcode protections on an iPhone used by one of the San Bernardino attackers.
Apple refused, and the FBI eventually withdrew its request after it paid an outside party to unlock the phone instead.
Radocea praised Apple for designing a system that nobody, Apple and law enforcement included, is meant to be able to access, but he warned that a single flaw is all it takes to become vulnerable again.
“Update all your things,” he said.
Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.