Thursday, August 26, 2021

Why Apple Asks for Your Other Device’s Password

Glenn Fleishman (tweet):

Why would Apple ask for the password or passcode for one of your other devices? Could it be some sort of scam? What exactly is going on here?

[…]

Apple has chosen to protect some data that it views as highly secure or very private with end-to-end encryption that prevents Apple from knowing anything about the contents of the synced data. Apple doesn’t possess any of the keys required to decrypt this data passing through its servers. Instead, those keys reside only on individual iPhones, iPads, and Macs.

[…]

For iCloud Keychain and similar sensitive data, Apple has your devices generate and maintain a set of public and private keys that enable interaction with the information synced across iCloud. The devices never reveal their private keys and have the public keys of all the other devices connected to an iCloud account.

[…]

The hard part isn’t syncing data privately. Rather, it comes when you want to add a new device to this set.

[…]

On at least one of the devices in the iCloud sync set, Apple adds an encrypted version of that device’s passcode or password to the set of shared information.

[…]

Apple syncs this information to iCloud, and the setup process on the new device then pulls it down, prompting you to enter the passcode or password.

This seems reasonable, although I guess it creates a slight risk in that now your device’s password has been stored in the cloud. It’s encrypted, but someone with access to the cloud could apply a lot of computing power over a long period of time in order to brute-force it. This would make it possible to break into your device during only a brief window of physical access.

Glenn Fleishman:

Apple made it more confusing by not documenting the procedure anywhere on its site. So if you Google or search to make sure it’s safe and not phishing, you cannot find any additional information about it!

He wrote that in 2019. I was not able to find this described in the 2021 Apple Platform Security document, though it’s possible I just didn’t know where to look. I also don’t know if it has a name. Apple does describe a similar “syncing circle” system for iCloud Keychain, but that seems to be different. (And the system Fleishman describes works even if you are not using iCloud Keychain.)

Update (2021-09-08): alanzeino:

I’ve always wondered why this works like this, especially since it randomly sometimes requires every device to re-login and the last device that logs in is the password used to encrypt

Maxwell Swadling:

It does this because you dropped an old device from your circle and needs to generate a new key that old device doesn’t know.

He thinks that what Fleishman describes is the “syncing circle” mentioned in the Apple document. In other words, iCloud Keychain is running at some level even if you haven’t chosen to store your own passwords in it.

5 Comments

> This seems reasonable, although I guess it creates a slight risk in that now your device’s password has been stored in the cloud.

That is not necessarily true:
https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol

“Your device’s password has been stored in the cloud” is not necessarily true. The data itself could be encrypted with a key derived from that passcode via a key stretching function like PBKDF2, then you still need to know the passcode to access the data but what’s contained isn’t itself a copy of the passcode.

@Person and @Graham Well, the article says it contains an encrypted version of the password. Even if it’s a derivation, doesn't that still allow you to brute-force?
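Added example, not part of any comment above and not Apple's code: a minimal sketch of the scheme the PBKDF2 comment describes. It shows that the escrowed record holds no copy of the passcode yet still lets a guess be checked offline, so passcode length and iteration count set the cost of an exhaustive search. The construction (PBKDF2 output used as a mask plus an HMAC tag), the iteration count and all names are assumptions; the page does not say what Apple actually uses.

```python
import hashlib, hmac, os, time
from typing import Optional

ITERATIONS = 200_000  # assumed work factor; the page does not give Apple's

def _derive(passcode: str, salt: bytes, iterations: int):
    # 64 bytes of PBKDF2 output: 32 to mask the secret, 32 as a MAC key.
    dk = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations, dklen=64)
    return dk[:32], dk[32:]

def wrap(secret: bytes, passcode: str, iterations: int = ITERATIONS) -> dict:
    """Escrow a 32-byte secret under a passcode-derived key (toy construction)."""
    if len(secret) != 32:
        raise ValueError("secret must be 32 bytes")
    salt = os.urandom(16)
    pad, mac_key = _derive(passcode, salt, iterations)
    ct = bytes(a ^ b for a, b in zip(secret, pad))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "ct": ct, "tag": tag}

def unwrap(record: dict, passcode: str) -> Optional[bytes]:
    """Return the secret, or None when the passcode is wrong."""
    pad, mac_key = _derive(passcode, record["salt"], record["iterations"])
    expected = hmac.new(mac_key, record["salt"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None  # the tag check is what makes a guess verifiable offline
    return bytes(a ^ b for a, b in zip(record["ct"], pad))

def seconds_per_guess(iterations: int = ITERATIONS) -> float:
    """Time one derivation on this machine: the cost of testing one guess."""
    start = time.perf_counter()
    _derive("000000", bytes(16), iterations)
    return time.perf_counter() - start

def worst_case_days(alphabet: int, length: int, per_guess: float) -> float:
    """Days to try every passcode of this shape at the measured rate."""
    return alphabet ** length * per_guess / 86_400

if __name__ == "__main__":
    record = wrap(os.urandom(32), "493817")  # constructed sample passcode
    print("right passcode:", unwrap(record, "493817") is not None)
    print("wrong passcode:", unwrap(record, "000000") is not None)
    cost = seconds_per_guess()
    for label, alphabet, length in [("4 digits", 10, 4), ("6 digits", 10, 6),
                                    ("10 chars a-z0-9", 36, 10)]:
        print(f"{label}: {worst_case_days(alphabet, length, cost):.3g} days")
```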

I ran into this, and it took me a half hour of searching to be okay with putting the password in.

I have no idea why Apple doesn't document it.

This is not a good solution.
First, it's not clear and is not explained to users. Thus it does look like a phishing scam indeed.
The lack of clarity with all this usually can mean that there is some loophole that can and thus will be exploited.
So, on the one hand, Apple's device security is very cumbersome and the experienced user has to enter admin and iCloud password numerous times during a setup. Yet, we keep hearing about simple phishing schemes being pulled on hundreds if not thousands of users.
Just three days ago, I wanted to remove my old iPad from my iCloud account. Still, a seemingly straightforward operation triggered a tsunami of password requests and a flood of notifications on all of my devices. It's hard to imagine how many times I had to go through a two-factor authentication routine and click ok on some pop-up. And within all that over-the-top demand to prove that I am still the account owner, I had to enter the password for my old iPod touch.
This is not a good solution. It's a bad design and a very flawed implementation.
