Posted on 07/25/2017 12:38:36 AM PDT by Swordmaker
A security flaw in iOS and macOS that went largely unreported after it was quietly fixed had the potential to be one of the most damaging vulnerabilities of the year.
The bug lay in how Apple's iCloud Keychain synchronizes sensitive data, such as saved passwords and credit cards, across devices. If exploited, it could have let a sophisticated attacker steal every secret stored on an iPhone, iPad, or Mac.
"The bug we found is exactly the kind of bug law enforcement or intelligence would look for in an end-to-end encryption system," said Alex Radocea, co-founder of Longterm Security, who is set to reveal more details about the now-fixed vulnerability at the Black Hat conference in Las Vegas on Wednesday.
Radocea said the flaw could have let an attacker punch a hole in the end-to-end encryption that Apple uses to ensure nobody can read data as it is sent across the internet.
With that hole, an attacker could intercept the synchronized data and steal the secrets it carries: the websites you log in to and their passwords, Wi-Fi network names and their passwords, and anything else kept in the keychain.
The root cause was a flaw in how iCloud Keychain verified device keys during synchronization, a check Radocea found he could bypass.
Radocea, who also blogged about the vulnerability, explained by phone earlier this week that iCloud Keychain uses a customized version of the open-source Off-the-Record (OTR) encryption protocol, typically used in instant messaging apps, to exchange secrets across the internet. The protocol uses key verification to protect against impersonation, ensuring that the two or more devices exchanging secrets are really the devices they claim to be.
He discovered a way to bypass the signature verification step, which could have allowed an attacker to negotiate a key without that key ever being verified.
"It's completely silent to users," said Radocea. "They wouldn't have seen a device being added."
He verified the attack by loading a TLS certificate he controlled onto a test iOS device, which allowed him to man-in-the-middle its connection and inspect the traffic. He then intercepted the traffic and modified Off-the-Record packets in transit in order to deliberately produce an invalid signature.
"We knew just what bytes to flip to get an invalid signature, whilst still getting it approved," he explained. "We were able to send a signature that's wrong and modify the negotiation packet to accept it anyway."
From there, he was able to get a device approved. "We could see everything [in the Keychain] in plain-text," he said.
There are caveats to the attack, said Radocea, indicating that not anyone can carry out this kind of attack. It takes work, and effort, and the right circumstances.
"With the bug I couldn't go ahead and steal whoever's iCloud Keychain just by knowing their account name. I would also need access to their iCloud account somehow," he said, such as an Apple ID email address and password. In the past few years, we've seen billions of accounts exposed as a result of data breaches -- enough to individually target accounts that reuse passwords across sites. (Radocea noted that accounts with two-factor authentication are far better protected than those that aren't.)
"Instead, what we found was a break in the end-to-end encryption piece," he said. "The communication between devices and Apple was still secure. However, the encryption flaws would have made it possible for a rogue Apple employee or lawful intercept order to gain access to all of the keychain data."
And that could be a problem. Cast your mind back a year and you'll remember the Apple vs. FBI saga, in which the government demanded Apple rewrite software to break the encryption on an iPhone that belonged to the San Bernardino terrorist.
Apple refused, and the FBI eventually withdrew its request after it found and paid a hacker to break the encryption.
Radocea praised Apple's effort for designing a system that can't be accessed by anyone -- including Apple, as well as law enforcement -- but he warned that one design flaw is all it takes to become vulnerable again.
Apple released a fix in March, with iOS 10.3 and macOS Sierra 10.12.4.
"Update all your things," he said.
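As an added illustration, not code from the article, from Radocea's write-up, or from Apple: a hypothetical Go sketch of the bug class described above, a device-approval check whose C-style status codes are mishandled by the caller, so that a man-in-the-middle who deliberately corrupts the signature still gets a device approved. The message format, the three status codes, the exact byte change and all key names are assumptions made for this example; they are not Apple's OTR wire format or the specific bytes Radocea flipped.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Status codes in the style of a C verification routine.
// Hypothetical, for illustration only; not Apple's or libotr's code.
const (
	sigOK        = 0  // signature verified
	sigBad       = 1  // well-formed but does not verify
	sigMalformed = -1 // could not be parsed (wrong length etc.)
)

// EnrolMsg is what a joining device sends: its long-term public key plus a
// signature over that key made by a key the circle already trusts.
// Constructed format for this example, not Apple's wire format.
type EnrolMsg struct {
	DevicePub []byte
	Sig       []byte
}

// Encode serialises the message as two big-endian uint16-length-prefixed fields.
func Encode(m EnrolMsg) []byte {
	out := make([]byte, 0, 4+len(m.DevicePub)+len(m.Sig))
	for _, f := range [][]byte{m.DevicePub, m.Sig} {
		out = append(out, byte(len(f)>>8), byte(len(f)))
		out = append(out, f...)
	}
	return out
}

// Decode parses the two fields and rejects short, truncated or padded packets.
func Decode(wire []byte) (EnrolMsg, error) {
	var fields [][]byte
	for i := 0; i < 2; i++ {
		if len(wire) < 2 {
			return EnrolMsg{}, errors.New("short packet")
		}
		n := int(wire[0])<<8 | int(wire[1])
		wire = wire[2:]
		if len(wire) < n {
			return EnrolMsg{}, errors.New("truncated field")
		}
		fields = append(fields, wire[:n])
		wire = wire[n:]
	}
	if len(wire) != 0 {
		return EnrolMsg{}, errors.New("trailing bytes")
	}
	return EnrolMsg{DevicePub: fields[0], Sig: fields[1]}, nil
}

// CheckSig mimics a C-style routine: 0 = ok, 1 = bad, -1 = malformed.
func CheckSig(trusted ed25519.PublicKey, m EnrolMsg) int {
	if len(m.Sig) != ed25519.SignatureSize || len(m.DevicePub) != ed25519.PublicKeySize {
		return sigMalformed
	}
	if ed25519.Verify(trusted, m.DevicePub, m.Sig) {
		return sigOK
	}
	return sigBad
}

// AdmitStrict fails closed: only an explicit sigOK admits the device.
func AdmitStrict(trusted ed25519.PublicKey, wire []byte) bool {
	m, err := Decode(wire)
	if err != nil {
		return false
	}
	return CheckSig(trusted, m) == sigOK
}

// AdmitLax carries the hypothetical bug: the caller only rejects the "bad
// signature" code, so the "malformed" code is silently treated as approval.
func AdmitLax(trusted ed25519.PublicKey, wire []byte) bool {
	m, err := Decode(wire)
	if err != nil {
		return false
	}
	return CheckSig(trusted, m) != sigBad // BUG: sigMalformed passes
}

// Tamper plays the man-in-the-middle: swap in the attacker's device key and
// drop one byte of the signature so it is malformed rather than merely wrong.
func Tamper(wire []byte, attackerPub []byte) ([]byte, error) {
	m, err := Decode(wire)
	if err != nil {
		return nil, err
	}
	if len(m.Sig) == 0 {
		return nil, errors.New("nothing to tamper with")
	}
	m.DevicePub = attackerPub
	m.Sig = m.Sig[:len(m.Sig)-1]
	return Encode(m), nil
}

// Scenario runs a legitimate enrolment and the tampered one against both
// verifiers and returns (strictLegit, laxLegit, strictTampered, laxTampered).
func Scenario() (bool, bool, bool, bool) {
	trustedPub, trustedPriv, _ := ed25519.GenerateKey(rand.Reader) // already-trusted device
	newDevPub, _, _ := ed25519.GenerateKey(rand.Reader)            // device being added
	attackerPub, _, _ := ed25519.GenerateKey(rand.Reader)          // MITM's own key

	legit := Encode(EnrolMsg{DevicePub: newDevPub, Sig: ed25519.Sign(trustedPriv, newDevPub)})
	evil, _ := Tamper(legit, attackerPub)

	return AdmitStrict(trustedPub, legit), AdmitLax(trustedPub, legit),
		AdmitStrict(trustedPub, evil), AdmitLax(trustedPub, evil)
}

func main() {
	sl, ll, st, lt := Scenario()
	fmt.Printf("legitimate packet: strict=%v lax=%v\n", sl, ll)
	fmt.Printf("tampered packet:   strict=%v lax=%v\n", st, lt)
}
```

Run it with `go run`: both verifiers admit the genuine packet, only the strict one rejects the tampered packet. The design point is the one the article makes: a verification routine that can report more than pass/fail must be consumed by a caller that accepts exactly one code, because every other code, including "could not parse", has to mean rejection.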
“With the bug I couldn’t go ahead and steal whoever’s iCloud Keychain just by knowing their account name. I would also need access to their iCloud account somehow,” he said, such as an Apple ID email address and password.
If I have access to the username and password of an account, I’m already in.
Good grief. Is there some kind of computer security tech conference coming up or something? Seems like a plethora of these kinds of things come out (like harbingers of doom) leading up to these events!
Well, security is a critical thing and it pays to beware. On Saturday, my wife and I took a trip to a coastal town to walk around, and I got a message from a co-worker asking if I was visiting this town, far from where I live or work. It was a last minute thing and I hadn’t discussed it with anyone, and I immediately thought for a split second, “Geez...do I have some obscure thing enabled that is transmitting my position in some way?”
I responded, asking how he knew, and he said I walked in front of his car...he and his wife had been visiting the same town! But I had about 10 seconds of concern as I mulled this over...
This is the worst thing I have ever seen! You mean if someone has my account ID and password, they can access my account? Why has Trump not done something about this?
Yes. The horror of it all! It's terrible. Perhaps they should even prevent ME from accessing my accounts with a user name and password. I particularly like the part about two factor being a more difficult problem for the hacker. . . oh, my. Ya think?