I agree with your first point and disagree with the second. :)
I think it's highly likely that Apple was being honest and that the HSM service was not vulnerable to this attack. That's consistent (as you say) with this being a separate, highly-audited implementation, and frankly consistent with what Apple said--and to save, what, $200k, they have no real reason to lie to a researcher here.
To your second point, while this is indeed a big change in attack surface, I am not sure it's as problematic as you say. Doesn't the iCloud backup basically contain (for most users) all of the device contents--photos, messages, etc--that an attacker would want? Conversely, users want to be able to restore their iCloud backups from a new i-device if they lose their existing one, ideally without having to know more than the lockscreen PIN.
Given that, the two systems--the cloud system and the i-device--are storing mostly-identical data, offering mostly the same security guarantees (hardware-backed key derivation from a weak PIN, rate limiting), and the only issue is that this is just a second hardware security module that's separate from the one in the i-device.
For users who have turned off cloud backup, this might be a bad tradeoff. (Maybe turning off cloud backup turns off the HSM/PIN syncing?) But for most users, the gain in usability seems likely to far outweigh the hypothetical additional risk.
iCloud backups aren't a requirement. You can have an iPhone with iCloud disabled, and privacy-conscious users might choose that approach; additionally, those backups don't necessarily contain all device data.
But if you want to download apps at all from the App Store you need to sign in, and if that alone gives Apple the ability to verify your device PIN even without iCloud, that's a problem.
Hmm. I think for such users this may be surprising. At the same time, you don’t really have any reason to trust the cloud HSM more or less than the Secure Enclave, right?
Certainly it does increase attack surface, but if Apple said “now i-devices ship with 2 HSMs”, we’d be like, ok, shrug. No?
The fact that this is “remote” is sort of immaterial, I think. You’re trusting Apple’s (bespoke or acquired) stack the same either way, and as far as we can tell the security properties of both local and remote HSMs are the same.
The issue is that if you break one HSM, you get the ability to bruteforce thousands (millions?) of users' PINs, without their knowledge. You could bruteforce someone's PIN ahead of time, then acquire their phone knowing you can get at the data with zero risk. Getting the phone first then figuring out how to break into it is a lot trickier.
I do in fact trust the SEP more than I trust cloud HSM, because the SEP is an Apple design, and the HSMs they use, as far as I know, are third-party.
That's fair. I think I agree with that characterization.
I think if this excluded users who turned off iCloud sync, I'd have no qualms about it, however; the tradeoffs seem ideal for giving users a secure recovery mechanism. But users who have turned off iCloud may not want this functionality, I agree.