iCloud Keychain Encryption – How, When, & Where
Recently at Defcon Russia, viaForensics researcher Andrey Belenko (@abelenko) presented his findings on the iCloud Keychain. This presentation included a dissection of how, when, and where things are encrypted in the iCloud keychain, as well as what it takes to decrypt them.
In Andrey’s portion of the talk, which starts at slide 10 – “iCloud Keychain”, he dives into the technical aspects of the iCloud Keychain.
Included are discussions of the key-value store, the 4-digit iCSC (iCloud Security Code), escrowed data recovery, escrowed records, complex and random iCSCs, and more. The overall takeaway is that, while it is a complex system, iCloud Keychain is reasonably well engineered. iCloud does, however, have its own shortcomings (described in the talk), and users concerned about the security of their mobile devices, apps, and data should consult our best practices below.
Best Practices
A common question we have gotten since the talk is: “What does this mean for the enterprise?”
We recommend following Andrey’s recommendations below, while keeping in mind that mobile security should never be assumed. Enterprises need to take their own measures to secure their data.
Andrey’s conclusions on the iCloud Keychain:
- Trust your vendor but verify their claims
- Never use simple iCloud Security codes
- Do not assume that SMS messages Apple sends are 2FA (two-factor authentication)
- All in all, iCloud Keychain is reasonably well engineered – though it is not without its shortcomings
A few additional measures we recommend enterprises take:
- Test the security of any mobile apps that will be used on your network.
- Gain visibility into your mobile environment to ensure that key data is not being leaked.
There are two solutions we provide that can assist you in securing your mobile environment. The first, viaLab, is software that automates mobile application security assessments. It gives you the ability to run unlimited tests of any mobile application on Android and iOS. These tests include network, forensic, and code security tests, and can be completed, with a detailed report delivered to the analyst, in less than 30 minutes.
The second solution, viaProtect, provides visibility into the mobile device itself. Based on the SCAN model of mobile security – System, Configurations, Apps, and Network – viaProtect searches for weaknesses across the mobile attack surface and notifies you of any security vulnerabilities affecting your device. viaProtect is free for consumers (available on Android & iOS), while the enterprise version provides administrators with enterprise-level visibility and risk management.