Tell HN: iCloud Password Sync turns on by itself on iOS 17
After the update, iCloud Passwords and Keychain Sync turned on by itself. So all passwords and keychain info (I don't know what keychain info encompasses) is in the Cloud now. Apparently it's E2E encrypted, but in some closed source way which I didn't choose.
This is a known issue apparently (https://9to5mac.com/2023/09/27/icloud-keychain-issues/) but not many people seemed to care.
Also it's not clear if that data can be deleted from the Cloud at all (https://apple.stackexchange.com/questions/419116/are-there-any-solid-way-to-view-delete-online-icloud-keychain). The Apple Docs text has changed.
Then, today iCloud Calendar Sync turned on by itself, too, which isn't E2E by default. I don't know what's next.
I remember, in the past, iCloud Photo Sync turned on by itself too on some old version.
Also "Live Voicemail" turned itself on. But that's not iCloud? I don't know.
There were similar posts in the past (https://news.ycombinator.com/item?id=28285567).
Apple, why do you keep doing this? I use iCloud for Find My iPhone and Wallet only, but it seems like you don't care and just enable other stuff as well, which I explicitly turned off before.
I liked iOS because I thought Apple respects that kind of stuff, but now I'm not sure what phone to buy next.
Perhaps this info is interesting for other folks here.
42 comments
[ 3.6 ms ] story [ 98.0 ms ] threadI've also been getting a "Verify Your Recovery Key" warning in Settings on both iPad and Mac ever since beta 4 of iPadOS 17 and Sonoma (and that continues to this day). Settings app was crashing too in beta 4. It was a really bad beta for iCloud stuff.
Also worth noting: iOS and macOS re-enable Bluetooth after every update. https://lapcatsoftware.com/articles/bluetooth.html
And when it was enabled there was a nag for Passkeys or password family sharing or something like that. I guess they want people to use that now.
Also I don't understand how you could screw these things up repeatedly for so many features. iMessage is another one that iOS loves to enable again. I just checked: it's enabled again. Turned it off. And the one with Bluetooth that lapcat mentioned. I don't believe these things to be bugs.
But they really crossed the line for me with Passwords.
Seems like a generic bug in the settings system which is fairly complex. Pretty easy to see how something like that could happen.
If not illegal.
That said, if you enable E2EE I don’t think it’s cause for much concern. You already use their closed source OS.
They uploaded new software and downloaded data they were not authorized to download without getting permission first.
I'm sure there is some cover your ass clause in the EULA that tries to protect them when they (accidentally or on purpose) violate the CFAA, but, in this case, they pretty clearly did things that exceeded their authorization.
The relevant part of the CFAA is a.1 (I removed the bits that are irrelevant):
> (a) Whoever—
> (1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained ... restricted data, as defined in ... causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it ...
https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
1. I thought implied consent was out of fashion these days
2. What if it's something like an IDE that reads the surrounding directories? VS code does that and I certainly didn't know that feature even existed before I first opened it, so how could have given authorization? Is Microsoft in breach of the CFAA?
Reading the directory in a software running on your computer is not the problem. The question is, is data from the surrounding directories transmitted to somebody else's computer, a.k.a. The Cloud?
The service isn’t capable of delivering the keychain to anything other than the user’s own devices.
It’s Apple. They are the other end where the traffic is decrypted.
And yes they can see your stuff. We know this because law enforcement gets access to it all the time.
The keychain is just another keystore.
> They are the other end where the traffic is decrypted
Only for certain types of data, with certain settings. That does not include the keychain.
https://support.apple.com/en-us/102651
> And yes they can see your stuff. We know this because law enforcement gets access to it all the time.
What law enforcement typically gets access to is iCloud Backups, which is not end-to-end encrypted by default (but can be) and is not a mandatory feature. iCloud backups do not contain your keychain.
> The keychain is just another keystore
Nobody has said anything else? But Apple does not hold the key to decrypt it.
https://support.apple.com/guide/security/secure-icloud-keych...
Did they announce this change? It's a pretty major UI departure. In particular, if you have one Apple device and loose it, the 2022 article implies you can recover your keychain, but the 2023 article says you're completely screwed.
A lot of people rely on iCloud backup. It seems like there should be a device-wide toggle that lets you choose between the two behaviors for things like passwords, health data, and all the other E2E apps.
The escrow is only an additional layer of security - your device still has to decrypt the downloaded keychain contents using your password AFTER proving to escrow that you're allowed to download the encrypted keychain using device or SMS 2FA or an iCloud security code.
Configuration Profiles can also be a good way to more strongly force certain settings on devices, including that functionality be disabled. They’re how MDM works in most corporate settings.
Thanks for sharing the story.
I used an iPhone a few years ago and when setting it up, I made sure to turn off all iCloud stuff. When it was time to get a new phone, I noticed all my pictures were in iCloud.
I also did not like how hard it was to try and keep Bluetooth and Wifi turned off. Regularly it would nag me to connect to an open Wifi when I was sure I switched Wifi off completely. Turns out iOS re-enables both Wifi and Bluetooth after OS updates and you can't completely switch them off from the quick settings. If users privacy was so important, wouldn't you want to make sure all that stuff would not happen?
Also, it's good practice to reboot your phone one in a while, so why isn't there a reboot option in iOS?
Out of curiosity, what is the advantage of rebooting your phone? I disn't do it for a couple of months and I don't see what gets "better".
Besides, turning it off and on again will reboot it too. Just slighty more inconvienent :)
For example, this makes malware persistence much more difficult, as verified boot checks for integrity at every boot and reverses any unsigned changes.
Persistence on iOS and Android is very difficult. As an example, at least on iOS, threat actors have sometimes failed to achieve persistence, so they hijack the shutdown process and simply fake shutdown by animating the shutdown flow. The user thinks they've shut down the phone, but in reality the device was never shut down and never went through the verified boot process. However, since Steve Jobs decided iOS never needs a manual reboot, gaining persistence may not even be necessary, because people don't reboot their iPhones.
Once the battery runs out completely, then you can be sure verified boot is helping you out. I'm sure there are now other mechanisms that fixed the example of faking the boot process I wrote about earlier.
Or in the US. Apple and Uncle Sam wants your passwords.