A largely unreported iOS security flaw undermined iCloud's end-to-end encryption capability, and could have allowed attackers to steal passwords, credit cards, and any other information on file, according to security firm Longterm Security.
iCloud Keychain enables users to store passwords and credit card numbers across all of their devices, while iCloud Keychain Sync allows users to share this information securely between devices. The security flaw was found in iCloud Keychain Sync's custom Off-The-Record (OTR) implementation, Longterm Security co-founder Alex Radocea wrote in a blog post.
"The bug we found is exactly the kind of bug law enforcement or intelligence would look for in an end-to-end encryption system," Radocea told ZDNet.
iCloud Keychain's OTR encryption protocol uses key verification to protect a user's devices, so that keychain data only passes between devices that have been verified as belonging to the user. Radocea bypassed the signature verification step with a man-in-the-middle attack: by intercepting traffic between devices and modifying OTR packets in transit so that they carried a deliberately invalid signature, he was able to get a device approved, ZDNet reported.
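The article does not describe Apple's actual defect, only its effect: a packet whose signature was deliberately corrupted still got a device approved. The added example below (not Apple's code, not from Longterm Security's post) models that failure class with a hypothetical approval check in Go: one version forgets to reject when the signature does not even parse, the other returns true only on a successful verification. The sync packet format, key type and payload are all constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"fmt"
	"math/big"
)

// SyncPacket is a constructed stand-in for a device-approval message: Payload
// identifies the joining device, Sig is a DER ECDSA signature by an approved device.
type SyncPacket struct {
	Payload []byte
	Sig     []byte
}

type derSig struct{ R, S *big.Int }

// ApproveFailOpen models the failure class (hypothetical, not Apple's code):
// a signature that does not parse skips verification, and nothing on that
// path clears the "approved" flag, so a corrupted signature admits the device.
func ApproveFailOpen(pub *ecdsa.PublicKey, p SyncPacket) bool {
	approved := true
	var sig derSig
	if _, err := asn1.Unmarshal(p.Sig, &sig); err == nil {
		h := sha256.Sum256(p.Payload)
		approved = ecdsa.Verify(pub, h[:], sig.R, sig.S)
	}
	return approved
}

// ApproveFailClosed returns true only on a successful verification; parse
// errors, trailing bytes and wrong signatures all reject.
func ApproveFailClosed(pub *ecdsa.PublicKey, p SyncPacket) bool {
	h := sha256.Sum256(p.Payload)
	return ecdsa.VerifyASN1(pub, h[:], p.Sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	payload := []byte("constructed: new device public key")
	h := sha256.Sum256(payload)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, h[:])
	bad := SyncPacket{payload, sig[:1]} // signature corrupted in transit
	fmt.Println(ApproveFailOpen(&priv.PublicKey, bad))   // true: bug
	fmt.Println(ApproveFailClosed(&priv.PublicKey, bad)) // false
}
```

The defensive lesson is the shape of the fail-closed version: an approval decision should start from "rejected" and flip to "approved" on exactly one path, a verified signature.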
"We could see everything [in the Keychain] in plain-text," Radocea told ZDNet. Making matters more dangerous, "it's completely silent to users," he said. "They wouldn't have seen a device being added."
Weak, reused, and leaked passwords are a primary method of entry for cybercriminals, Radocea wrote in the blog post, making password hygiene critical for enterprise users. In 2016 alone, more than 500 million credentials surfaced publicly through mass-hack password dumps, a problem compounded by poor password storage practices, he added.
"Due to the risk of future mass dumps, passwords alone are just no longer a strong defense mechanism for sensitive data," Radocea wrote. "It is a very good idea for organizations to further harden access to any important personal information."
Current best practices include multi-factor authentication and end-to-end encryption, such as OTR, Radocea wrote.
Longterm Security will present more information on the issue in a session at Black Hat on Wednesday.
The 3 big takeaways for TechRepublic readers
1. A security flaw undermined iCloud's end-to-end encryption capability, and could have allowed criminals to steal passwords and credit cards, according to Longterm Security.
2. The flaw was addressed in the iOS 10.3 update, so users should update if they haven't done so.
3. Enterprises shouldn't rely on passwords alone to protect sensitive data, and should use multi-factor authentication and end-to-end encryption.