At the annual BlackHat USA 2016 security conference next week in Las Vegas, Apple security guru Ivan Krstic will provide security researchers with an in-depth overview regarding many of the more advanced security features built into iOS 10. While Apple showing up at the BlackHat conference in an official capacity is not unprecedented, Krstic’s talk promises to be the most detailed technical look into the security mechanisms that govern iOS yet.
Krstic’s talk will focus on a myriad of security related topics, including three core Apple technologies that “handle exceptionally sensitive user data.”
HomeKit, Auto Unlock and iCloud Keychain are three Apple technologies that handle exceptionally sensitive user data – controlling devices (including locks) in the user’s home, the ability to unlock a user’s Mac from an Apple Watch, and the user’s passwords and credit card information, respectively. We will discuss the cryptographic design and implementation of our novel secure synchronization fabric which moves confidential data between devices without exposing it to Apple, while affording the user the ability to recover data in case of device loss.
Other topics on deck for Krstic’s talk include iOS cryptography, the Secure Enclave processor that was designed alongside TouchID, and how Apple is making it increasingly difficult for malicious actors to compromise mobile Safari.
Krstic, who heads up Apple’s security efforts, is a security wiz who was originally hired back in May of 2009. Prior to that, he was the director of security architecture for the One Laptop per child initiative where he focused on ensuring that computers were easy to use and impervious to malware. Impressively, Krstic began working at Apple at the age of 23 and was previously heralded as one of the most influential security experts in the world.
On a related security note, Apple executive Craig Federighi touched briefly on one of the security features built into Auto Unlock during a post-WWDC podcast last month. Responding to a question about how Apple plans to prevent users with an Apple Watch from opening up a Mac that isn’t their own, Federighi responded:
It’s a continuation of the work we did with continuity to develop really low-power BTLE based discovery protocols so that your devices could discover each other continuously with acceptable overhead from a battery point of view. And also, all the authentication mechanisms we put in place as far as having your devices know that they’re your devices. So that’s kind of a foundation.
The unique challenge with auto-unlock is that you don’t want a kind of relay-attack, where Phil is actually well far away from his office and someone basically has a bluetooth listener that will forward a signal to you, because you’re now by his Mac, and this Mac is having a conversation with Phil’s watch over a very long distance. And so, we’re actually able to do time of flight calculations using peer-to-peer Wi-Fi where we literally can measure how long at the speed of light it’s taking for the signal to travel from your Mac to your watch and back.
And because of that, if you interposed any kind of relay, it would introduce a delay that would immediately tell us that there are hijinks afoot. So that piece is critical.
Krstic’s talk is slated to take place on August 4 at 12:50 Eastern Time.