Syllabus
Intro
Secret Syncing & Recovery in the Cloud
Designed to be Highly Secure
Critical Flaws Now Fixed
Prior Work & Presentations Covering iCloud Keychain
iCloud Keychain Components
Circle Protocol Illustrated
What happens when devices are lost while traveling?
iCloud Keychain Passwords Overview
How Does A New Device Join Without Approval?
Uncovering a hidden peer
Which Backups Contain the Cloud Identity Key?
iCloud Keychain Sync Transmits Data Across Apple Services
OTR KEX Messages
Pairwise, Fanout Negotiation
OTR Flaws
CVE-2017-2448 - SecVerify Signature And Mac
CVE-2017-2448 - Goto Fail Redux
CVE-2017-2448 - Sample Trigger in 32 Bytes
Signature Bypass Attack Impact
Apple's iCloud Keychain Security Goals (without OTR fix)
Stack Overlap Attack Impact
Wrapping up
Next Steps for the Security Industry
Questions?
Taught by
Black Hat