Comment by MBCook

3 years ago

Apple stores HomeKit video in their cloud.

It’s worthless because it’s end-to-end encrypted. They can hand over the data but no one can view it.

There are safe ways of using the cloud.

>> “During this process, the HomeKit data is encrypted using keys derived from the user's HomeKit identity and a random nonce and is handled as an opaque binary large object, or blob.”

If you don’t control the keys, to me, that’s not end-to-end encrypted.

Source: https://support.apple.com/guide/security/data-security-sec49...

  • You do control the keys though, "Because it’s encrypted using keys that are available only on the user’s iOS, iPadOS, and macOS devices"

    "The authentication is based on Ed25519 public keys that are exchanged between the devices when a user is added to a home. After a new user is added to a home, all further communication is authenticated and encrypted using Station-to-Station protocol and per-session keys"

    "The user who initially created the home in HomeKit or another user with editing permissions can add new users. The owner’s device configures the accessories with the public key of the new user so that the accessory can authenticate and accept commands from the new user. When a user with editing permissions adds a new user, the process is delegated to a home hub to complete the operation. "

    https://support.apple.com/guide/security/data-security-sec49...

    • By control, I mean, create, replace, destroy, etc — I would never create keys based on “identity and a random nonce” selected by a third-party.

      Also, since you brought it up, it appears an Ed25519 vulnerability has been reported:

      https://www.google.com/search?q=Ed25519+exploit

      Also, are these HomeKit “keys” in iCloud backups unencrypted? Meaning that the HomeKit data is encrypted, but the keys are not; to be clear, not saying they are, asking if they are.

Can you verify that or are you just taking their word?

  • The client side software can easily verify that. Whether you can trust the software running on your device is a somewhat different question that has nothing to do with whether or not you're storing things in "the cloud" (though it is still a valid concern).

If the backup password to these encrypted files is known, it can be rather trivial to access the data within.

Recently, a certain head of state's son had 100s of GB of iCloud backups thrown onto a torrent, and within a day rogue manchildren living in their parents' basements cracked most, if not all of it open.

With the backup password in hand, all one needs is this README.md file [0] to be off to the races.

[0] https://github.com/avibrazil/iOSbackup/blob/master/README.md