LAS VEGAS—Apple’s iCloud Keychain is a critical piece of technology that provides users of Apple’s devices with password management capabilities, making it a lucrative target for hackers. Until March of this year, iCloud Keychain and the hundreds of millions of users who rely on it were at risk due to a vulnerability in how the encryption was implemented.
Alex Radocea, founder of Longterm Security, disclosed the iCloud Keychain vulnerability, identified as CVE-2017-2448, to Apple in January. Apple issued a patch in March with the iOS 10.3 and macOS 10.12.4 updates. At the time of the patch, Apple’s advisory provided only a few details about what the flaw actually was.
“An attacker who is able to intercept TLS connections may be able to read secrets protected by iCloud Keychain,” Apple’s advisory stated. “In certain circumstances, iCloud Keychain failed to validate the authenticity of OTR packets.”
At the Black Hat USA conference here, Radocea provided significantly more detail. In a session as well as a press conference, he revealed more insight into how he found the flaw and how bad it could have been for Apple’s user base had it not been patched.
“We took a look at how Apple’s end-to-end encryption with iCloud worked, and we found a flaw,” Radocea said. “It was exactly the kind of flaw that the FBI would purchase from someone to gain access into a device.”
The flaw that Radocea found was in open source code that Apple was using as part of its iCloud Keychain implementation. The company uses the Off The Record (OTR) protocol, which was originally used in the AOL Instant Messenger (AIM) platform to help keep messages private.
“We found a flaw in the OTR signature verification that would basically let someone intercept secrets and the attack could be performed silently on users,” he said.
While Apple now has a limited security bug bounty program, Radocea didn’t submit his flaw as part of the program and as such he noted that he did not receive any reward or bounty from Apple for disclosing it.
Watch the full video with Alex Radocea above.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.