Apple: With iOS 16.3 comes encryption for iCloud backups and NFC keys for authentication

In mid-December, Apple announced three important security innovations: iCloud Advanced Data Protection, verification of the contacts’ keys in Messages and compatibility with NFC/USB physical keys for two-factor authentication. Advanced Protection was already available to US users in December, but will roll out globally next week with the launch of iOS 16.3, iPad OS 16.3 and (presumed) macOS 13.2.
With the same updates, support for Security Keys for two-factor authentication will also arrive, while for the third novelty, that is, the verification of cryptographic keys on Messages, we will have to wait a little longer.

The most relevant of the new features is undoubtedly the Advanced iCloud Data Protection. New Option Extends End-to-End Cloud Encryption to Different File Types It Wasn’t Available For Today of those currently available.

End-to-end encryption is currently in place for Keychain passwords, Maps history, Health app health data, and other sensitive data. To these are now added the files and contents of iCloud Drive, Notes, Reminders, Photos, Voice Memos, Safari Favorites, Siri Commands, Passes saved on the Wallet and above all the backups of devices and messages. This last point on the list is particularly relevant because it solves a long-standing Achilles heel of iCloud security, i.e. the potential vulnerability of data saved on iCloud within backups. However, emails, contacts and the calendar are still excluded. Apple explained that the choice is linked to interoperability with global e-mail, contact and calendar management systems which use “legacy” technologies that are not compatible with end-to-end encryption

When Advanced Protection is turned on, only the owner’s devices connected to the corresponding iCloud account can decrypt encrypted information. Not even Apple will be able to view or retrieve them in any way. This means that users will have to pay particular attention not to lose access: in case of loss of credentials, it will be possible to recover iCloud files only through the devices using the PIN, or through a contact or a recovery key, to be generated in advance .
There are also limitations to the functionality of iCloud in the Web version. To enable access to end-to-end encrypted backups, photos and other data with Safari or Chrome, it is in fact necessary to select a specific option that allows Apple to temporarily access the keys to authorize the remote session. The company has also specified that it will continue to have access to some types of metadata, mainly necessary for the optimization and organization of server space and for other operational needs.

Security Keys for Apple ID

The other new feature that Apple today confirmed to be globally available is the activation of support for NFC or external USB keys on iPhone, iPad and Mac. With the “Security Keys” function, users will be able to use keys based on the Fido Alliance, such as Yubikey, to proceed with two-factor verification while signed in to iCloud. Physical security keys are external third-party devices that can be used as an authentication token instead of a code sent by SMS (a procedure that can hide some pitfalls), by mail or on other devices connected to the same account, such as it already happens for iCloud.

Apple explained that the feature is “designed for users who, due to their public profile, fear complex attacks against their accounts, such as journalists, celebrities, or public officials”. However, nothing prevents anyone from using a physical security key, which costs little, is easy to find and is undoubtedly a more secure tool than sending a code. With the activation of this new compatibility on iOS and iPad OS 16.3, users will be able to use keys equipped with NFC chips by simply holding them close to the built-in reader on the iPhone and iPad. On the iPhone you can also use keys with a Lightning socket, while on the iPad those equipped with a USB-C socket will also be compatible (the same on the Mac). The only requirement for security devices is that they are based on the Fido standard.

Safety

Apple has eliminated a dangerous iPhone vulnerability. Why update iOS

by Antonio Dini

December 14, 2022

Verify encryption keys on iMessage

Finally, the third security innovation announced by Apple in December concerns the Messages app and provides for the introduction of a verification of the cryptographic keys of the contacts in the chats. Like WhatsApp or Signal, Messages on iPhone also uses end-to-end encryption to ensure that conversations can only be read by the sender and receiver.

With the new verification integrated into the chat, Messages will show a warning in case of a violation of the integrity of the keys of one of the two participants. Also in this case Apple specifies that the novelty is not designed so much for ordinary users but for those at high risk, who could be victims of particularly complex cyberattacks, such as journalists, celebrities, high-profile government figures or human rights activists.

The system also provides for the possibility of verifying the integrity of the encrypted communication by exchanging a unique code which the interlocutors can, for example, compare via an alternative secure telephone line. It should be clarified that the devices that can obtain a security “clearance” and therefore do not activate any warnings are all those connected to the user’s iCloud account via two-factor verification.

In other words, the key compromise warning is shown only when a new unknown device logs into the iCloud account and has access to Messages. The system therefore only prevents attacks from the outside: if we are messaging with the iPhone, anyone who has access to our iPad or Mac connected to the same account can understandably read and interact with Messages on our behalf.

The cryptographic key verification feature on Messages is still under development: Apple has announced that it will be available globally “later this year”, without specifying further details on the timing.

What Apple doesn’t say (about the safety of its products)

by Andrea Monti

09 December 2022