Wednesday, December 7, 2022

Advanced Data Protection for iCloud

Apple (MacRumors, Hacker News):

Apple today introduced three advanced security features focused on protecting against threats to user data in the cloud, representing the next step in its ongoing effort to provide users with even stronger ways to protect their data.

[…]

“Advanced Data Protection is Apple’s highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices.” For users who opt in, Advanced Data Protection keeps most iCloud data protected even in the case of a data breach in the cloud.

John Gruber:

It’s off by default, primarily, I believe, for customer support reasons. With standard iCloud data protection, customer data is encrypted in transit and in storage on iCloud’s servers, but Apple holds keys that can be used for recovery in case a customer loses access to their account.

I’m guessing it also can’t be enabled if your account has devices with older OS versions, though I haven’t seen any documentation about this.

Apple:

Starting with iOS 16.2, iPadOS 16.2 and macOS 13.1, you can choose to enable Advanced Data Protection to protect the vast majority of your iCloud data, even in the case of a data breach in the cloud.

With Advanced Data Protection, the number of data categories that use end-to-end encryption rises to 23 and includes your iCloud Backup, Photos, Notes, and more.

This also finally makes iMessage actually end-to-end encrypted because the cloud backup that stores the key is now end-to-end encrypted, too. Of course, your messages are only actually protected if everyone that you message with opts in.

If you enable Advanced Data Protection and then lose access to your account, Apple will not have the encryption keys to help you recover it — you’ll need to use your device passcode or password, a recovery contact, or a personal recovery key.

It seems not great that it’s all protected by the device passcode. Mine is shorter than I’d like because I have to thumb-tap it in frequently when Face ID fails. Presumably there’s a key stored in the cloud in case I lose all my devices, and I wish that could be encrypted with a longer password. [Update (2022-12-08): Apple doesn’t quite say this in writing, but the video with Federighi strongly implies that a passcode is not enough; if you lose your trusted device you need a recovery contact or recovery key.]
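The recovery question raised above comes down to what the escrowed key is wrapped with and where the wrapped copy lives. As an added illustration (this is not Apple's code, and the 28-character recovery-key length, the 36-symbol alphabet and the 10-attempt limit are assumptions chosen to mirror the discussion rather than Apple's published parameters), the following Python models the three cases: a service key wrapped under a short passcode that leaks from the cloud and is brute-forced offline; the same blob held inside a guess-limited HSM, the kind of design Apple's Platform Security Guide describes for iCloud Keychain escrow, where the attacker gets only a handful of tries; and a key wrapped under a long random recovery key, which needs no guess limit at all. The PBKDF2 iteration count is deliberately tiny so the demo runs in seconds.

```python
"""Passcode-wrapped escrow vs. guess-limited HSM vs. recovery key (added example)."""
import hashlib
import hmac
import math
import os
import secrets
import string

PBKDF2_ITERS = 50                                            # tiny for demo speed
RECOVERY_ALPHABET = string.ascii_uppercase + string.digits   # assumption: 36 symbols
RECOVERY_LEN = 28                                            # assumption: 28 characters


def derive_kek(secret: str, salt: bytes) -> bytes:
    """Key-encryption key derived from a passcode or a recovery key."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERS, 32)


def wrap(service_key: bytes, secret: str) -> dict:
    """Escrow blob: 32-byte service key XORed with a KEK-derived keystream, plus an HMAC."""
    salt = os.urandom(16)
    kek = derive_kek(secret, salt)
    stream = hashlib.sha256(b"wrap" + kek).digest()
    ct = bytes(a ^ b for a, b in zip(service_key, stream))
    tag = hmac.new(kek, salt + ct, "sha256").digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def unwrap(blob: dict, secret: str):
    """Return the service key, or None if the secret is wrong (HMAC mismatch)."""
    kek = derive_kek(secret, blob["salt"])
    tag = hmac.new(kek, blob["salt"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    stream = hashlib.sha256(b"wrap" + kek).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


def offline_bruteforce(blob: dict, digits: int):
    """Attacker who obtained the blob (e.g. from a cloud breach) tries every passcode."""
    for n in range(10 ** digits):
        candidate = str(n).zfill(digits)
        key = unwrap(blob, candidate)
        if key is not None:
            return candidate, key
    return None


class GuessLimitedEscrow:
    """Models an HSM that holds the blob and destroys it after max_attempts failures.

    Assumption: the blob never leaves the HSM, so recover() is the only way to test a guess.
    """

    def __init__(self, blob: dict, max_attempts: int = 10):
        self._blob = blob
        self.remaining = max_attempts

    def recover(self, secret: str):
        if self.remaining <= 0:
            raise PermissionError("escrow record destroyed after too many failures")
        key = unwrap(self._blob, secret)
        if key is None:
            self.remaining -= 1
            if self.remaining == 0:
                self._blob = None  # irrecoverable from here on
        return key


def online_bruteforce(hsm: GuessLimitedEscrow, digits: int):
    """Same attack through the HSM; returns (key or None, attempts made)."""
    tried = 0
    for n in range(10 ** digits):
        try:
            key = hsm.recover(str(n).zfill(digits))
        except PermissionError:
            return None, tried
        tried += 1
        if key is not None:
            return key, tried
    return None, tried


def new_recovery_key() -> str:
    return "".join(secrets.choice(RECOVERY_ALPHABET) for _ in range(RECOVERY_LEN))


def search_space_bits(digits: int = 6) -> tuple:
    """Bits an attacker must search: numeric passcode vs. random recovery key."""
    return (math.log2(10 ** digits), RECOVERY_LEN * math.log2(len(RECOVERY_ALPHABET)))


def demo() -> dict:
    service_key = os.urandom(32)
    passcode = "7391"                      # constructed 4-digit passcode
    leaked = wrap(service_key, passcode)   # case 1: blob obtained by the attacker
    found = offline_bruteforce(leaked, 4)
    hsm = GuessLimitedEscrow(wrap(service_key, passcode), max_attempts=10)  # case 2
    via_hsm = online_bruteforce(hsm, 4)
    rk = new_recovery_key()                # case 3: high-entropy recovery key
    rk_blob = wrap(service_key, rk)
    return {
        "offline_found": found == (passcode, service_key),
        "hsm_found": via_hsm[0] is not None,
        "hsm_attempts_used": via_hsm[1],
        "recovery_key_works": unwrap(rk_blob, rk) == service_key,
        "bits": search_space_bits(),
    }


if __name__ == "__main__":
    print(demo())
```

The takeaway for the recovery debate: a passcode-protected escrow is only as strong as the guess limit enforced by whatever holds the blob, so if the blob is ever exposed outside that enforcement point (a breach, a backup of the escrow store, a misbehaving older client), a short passcode is no protection at all; a random recovery key is safe to store wrapped anywhere because its search space is far beyond brute force.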

Some metadata and usage information stored in iCloud remains under standard data protection, even when Advanced Data Protection is enabled. For example, dates and times when a file or object was modified are used to sort your information, and checksums of file and photo data are used to help Apple de-duplicate and optimize your iCloud and device storage — all without having access to the files and photos themselves.

[…]

iWork collaboration, the Shared Albums feature in Photos, and sharing content with “anyone with a link,” do not support Advanced Data Protection. When you use these features, the encryption keys for the shared content are securely uploaded to Apple data centers so that iCloud can facilitate real-time collaboration or web sharing. This means the shared content is not end-to-end encrypted, even when Advanced Data Protection is enabled.

[…]

When Advanced Data Protection is enabled, access to your data via iCloud.com is disabled by default. You have the option to turn on data access on iCloud.com, which allows the web browser that you're using and Apple to have temporary access to data-specific encryption keys provided by your device to decrypt and view your information.

Robert McMillan and Joanna Stern:

Mr. Federighi said that Apple isn’t aware of any customer data being taken from iCloud by hackers but that the Advanced Protection system will make things harder for them. “All of us in the industry who manage customer data are under constant attack by entities that are attempting to breach our systems,” he said. “We have to stay ahead of future attacks with new protections.”

[…]

Mr. Federighi said Apple believes it shares the same mission as law enforcement and governments: keeping people safe. If sensitive information were to get in the hands of an attacker, a foreign adversary or some other bad actor, it could be disastrous, he said.


Update (2022-12-14): Rosyna Keller:

The new optional end-to-end encryption features require that all devices using an iCloud account be on iOS 16.2/macOS 13.1/watchOS 9.2/audioOS 16.2/iCloud for Windows vNext/et fam or later. If a device doesn’t comply, you must de-iCloud it.

Matthew Green (tweet):

While every single one of these is exciting, one announcement stands above the others. This is Apple’s decision to roll out (opt-in) end-to-end encryption for iCloud backups. While this is only one partial step in the right direction, it’s still a huge and decisive step — one that I think will substantially raise the bar for cloud security across the whole industry.

[…]

I am struggling to try to find an analogy for how crazy this is. Imagine your country held a national referendum to decide whether most citizens should be compelled to photocopy their private photos and store them in a centralized library — one that was available to both police and motivated criminals alike. Would anyone vote in favor of that, even if there was technically an annoying way to opt out? As ridiculous as this sounds, it’s effectively what we’ve done to ourselves over the past ten years: but of course we didn’t choose any of it. A handful of Silicon Valley executives made the choice for us, in pursuit of adoption metrics and a “magical” user experience.

[…]

I wish I could tell you that Apple’s announcement today is the end of the story, and now all of your private data will be magically protected — from hackers, abusive partners and the government. But that is not how things work.

Dan Moren:

But as good as those protections are, there are still a few more places where the company could enact additional security and privacy measures to help make sure that your data stays in your control.

Sami Fathi:

While privacy groups and apps applaud Apple for the expansion of end-to-end encryption in iCloud, governments have reacted differently. In a statement to The Washington Post, the FBI, the largest intelligence agency in the world, said it’s “deeply concerned with the threat end-to-end and user-only-access encryption pose.” Speaking generally about end-to-end encryption like Apple’s Advanced Data Protection feature, the bureau said that it makes it harder for the agency to do its work and that it requests “lawful access by design.”

See also: MacRumors, Slashdot, TidBITS.


"It seems not great that it’s all protected by the device passcode." I don't think this means what you seem to think it means. Everything on your device is protected by the device passcode, including, I presume, an iCloud recovery key stored on your device. But the iCloud recovery key is cryptographically strong. If you lose access to your Apple ID account, then the only way to recover your iCloud is via one of your own devices. The point is that you can recover with your device even without your Apple ID.

@Jeff I’m talking about losing access to my device, not losing access to my account. Are you saying that if I only have one phone and I lose it, everything is gone forever even if I know my passcode? I presumed that they were still keeping the key in the cloud for recovery, encrypted with the passcode.

"I’m talking about losing access to my device, not losing access to my account." But that's not what the Apple document was talking about: "If you lose access to your account". And the Fleishman article was talking about enrolling a new device, where the first step is to sign in successfully with your Apple ID, so that can't be the same process as this, if you've lost access to your Apple ID.

Unfortunately, System Settings is so bad that there is no way I can update to Ventura for these protections. These kinds of things should be backported, especially since they just cut off support for a number of Macs that are still completely usable.

@Jeff My original claim was based on logic, not a document. I don’t think they would remove the recovery feature, and they didn’t mention another password or mechanism, so I assume they are using the device passcode unless they publish something that says otherwise. It seems like you are disagreeing and saying that there is now no way to do recovery without a trusted device, but I don’t know what you are basing that on.

@Brad Yeah, I would like to know what the plan is for older devices and OS versions. Are you not allowed to enable Advanced Data Protection if any older devices are signed in? Or do they get to sign in but lose access to certain classes of data?

This is why Advanced Data Protection is disabled by default. The user has to take all responsibility for recovery. When you enable ADP, Apple forces you to choose a recovery contact or recovery key. Thereafter, you can only recover with a trusted device or with your chosen recovery method. You said "Presumably there’s a key stored in the cloud in case I lose all my devices", but I don't see the basis for that presumption.

I am pleased, despite myself, and that awful bug. Good of Apple to look after recurring revenues with the speed and alacrity that they don't for usable encrypted local backups that they just casually broke, eh?

This also finally makes iMessage actually end-to-end encrypted because the cloud backup that stores the key is now end-to-end encrypted, too. Of course, your messages are only actually protected if everyone that you message with opts in.

Mmm, but Apple can still decide what keys a conversation participant will correspond to, and thereby insert themselves (on behalf of the fuzz) into your exchanges. We've got to have indicators of keys and user-managed trust, to fix that.

"Apple can still decide what keys a conversation participant will correspond to, and thereby insert themselves (on behalf of the fuzz) into your exchanges. We've got to have indicators of keys and user-managed trust, to fix that."

Those features are literally included in the same announcement, as iMessage Contact Key Verification.

> Conversations between users who have enabled iMessage Contact
> Key Verification receive automatic alerts if an exceptionally
> advanced adversary, such as a state-sponsored attacker, were
> ever to succeed breaching cloud servers and inserting their own
> device to eavesdrop on these encrypted communications. And for
> even higher security, iMessage Contact Key Verification users
> can compare a Contact Verification Code in person, on FaceTime,
> or through another secure call.

"This also finally makes iMessage actually end-to-end encrypted because the cloud backup that stores the key is now end-to-end encrypted, too. Of course, your messages are only actually protected if everyone that you message with opts in."

Which should be expected and unsurprising: you're sending someone else data, and it's then their responsibility to protect that data as they see fit. That'd even be the case if you sent someone an RSA encrypted email, as there's nothing stopping them from decrypting it and saving the plaintext on their drive. This also mirrors some other collaboration cases:

> Advanced Data Protection is designed to maintain end-to-end
> encryption for shared content as long as all participants have
> Advanced Data Protection enabled. This level of protection is
> supported in most iCloud sharing features, including iCloud
> Shared Photo Library, iCloud Drive shared folders, and shared
> Notes.

@Jeff That’s a possible interpretation, but it could also just be that the recovery contact/key requirement is because Apple being able to reset your account is incompatible with E2E, so they are forcing you to use the same more secure recovery that was available before. The basis for my presumption is that: (1) they say that you need your passcode but don’t say you need a device, (2) they don’t warn that losing your lone device means you would lose your data, (3) I think they are much more worried about people losing data than having a less secure key.

@Person It is kind of surprising, e.g. the part I quoted about how iWork Collaboration and shared albums are not E2E even if all participants have it enabled.

"(2) they don’t warn that losing your lone device means you would lose your data"

They don't because that's not true. You have a recovery contact or a recovery key.

@Jeff They also say that you need your passcode or a recovery contact or recovery key, which to me implies that the latter two are optional.

"They also say that you need your passcode or a recovery contact or recovery key, which to me implies that the latter two are optional." Yes, your passcode on a trusted device.

@Michael Tsai - It's worth the 6 mins to listen to Federighi explain it here https://www.youtube.com/watch?v=M4ZOkWaDxfw

I believe you can get yourself in a situation where you are totally dependent on a single device; however, you can set a recovery key that you hold, and Apple doesn't, which doesn't require the device, and there is also the idea of a recovery person who can (and it's not exactly clear how) help recover your account. At least that's what I got from what Craig said.

Default is for Apple to hold the keys, as they do now, so you can hope that Apple will be willing to unlock your account.

The Platform Security Guide was also updated yesterday with more details, and yes it requires the latest OSes on all devices: "Devices where the user is signed in with their Apple ID must be updated to iOS 16.2, iPadOS 16.2, macOS 13.1, tvOS 16.2, watchOS 9.2, and the latest version of iCloud for Windows. This requirement prevents a previous version of iOS, iPadOS, macOS, tvOS, or watchOS from mishandling the newly-created service keys by re-uploading them to the available-after-authentication HSMs in a misguided attempt to repair the account state."

https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web

@Liam Thanks. Yes, the video strongly implies that Apple stores the key encrypted with the recovery key and/or something from the recovery contact. So it is more secure than only requiring your passcode, and if you lose your devices, your recovery contact, and your recovery key you are out of luck.

@Brendan I suppose this means those of us who do testing with previous OS versions will need to create separate test Apple IDs.

Re: "recovery contacts", I'd really like to see Apple embrace 3rd party folks like myself who, while perhaps "professional" I.T. in our day jobs, often end up moonlighting as I.T. staff for family and friends (or, in my case, also my day job!), such that we could be listed as "proxy" agents on an Apple ID. Yes, I realize this could become a vector for fraud and abuse, however I'd be willing to pay the (ubiquitous) Apple $99 "tax" to be an "Apple Specialist" or "Apple Expert" or whatever they want to call me, and get vetted, if there would be an all-in-one place for me to be invited and act as a "recovery contact", "Legacy contact", official AppleCare point of contact, and account password resetter for "clients". Because I'm dealing more and more with older Apple users—and, not to be ageist, but also many younger!—who simply cannot navigate all the intricacies of the various "features" that Apple has rolled out over the past decade. Anyone who has had the displeasure of trying to get back into a "lost" Apple ID "protecting" an iCloud Photo Library of their life, multiply that by 10+, and that's my life. And those who would say "Just have them call Apple" or "Go to an Apple Store", you've clearly not actually watched how that unfolds in real life. Apple isn't as bad as Google (who moronically uses "what date did you open your Google account" as a security mechanism, without actually TELLING users they should be notating that information when they sign up), but it is often frustrating, heartbreaking, and anxiety-inducing working with these poor folks who simply cannot remember all the passcodes, passwords, and 2FA codes/pop-ups they get. (How many others of you have seen dozens of crossed out 6-digit 2FA codes in that 'little book' of passwords next to the word: "Password"??) Because while it is nice, GREAT that Apple is doing these things, users aren't always discovering them, often not, and, from my humble experience, usually not until too late.

And even if they do discover them, they simply don't understand what they do, nor fully grasp the extent of the repercussions of losing/failing to notate that information.

Has anyone been able to access iCloud.com from a Windows PC web browser after turning on ADP? I can access the Calendar (because that's not encrypted), but to access Photos and Notes it says it will send an "access request" to one of my trusted devices -- presumably my iPhone, iPad, or MacBook Pro, which are all up to date. But I receive nothing. However, when I try to access iCloud.com from Chrome on my Mac, it works fine... though it's completely pointless because a Mac already has dedicated apps for Notes and Photos. Surprisingly, I cannot find anyone else having the same problem when I search Google. My PC is totally up to date and has the latest version of iCloud, 14.1.

The error that I see in Chrome on Windows 11 is: "There was no response to the request sent to your devices. Your photos can’t be displayed until you grant iCloud.com access from one of your devices."

I do not have the same problem with Apple's regular 2FA, where it prompts me to approve access via my iPhone and gives me a 6-digit passcode to enter. Something is strange with the access to iCloud.com from a PC if ADP and web access are enabled. Surely this would have been the most popular use case to test, since accessing iCloud.com from an Apple device is pointless.
