8

Since the introduction of Universal Clipboard on Apple's operating systems, I've found myself increasingly relying on it to paste passwords and authentication codes from my MacBook to my iPhone and vice-versa. I use a password manager, and on my work laptop, which is connected to my iCloud but doesn't have the same password manager installed, I often find myself copying the password on the iPhone and pasting it on the MacBook. In the case of two-factor authentication codes, the need is even bigger becasue I only have Google Authenticator on my iPhone.

Is it secure to do paste passwords using the Universal Clipboard (via Bluetooth, essentially) between an iPhone and a Mac or vice-versa?

  • I'm interested in an answer for the case of third-party eavesdropping in a public space - is UC safer than reading my 2FA code on one screen and typing it on another device? Shoulder-surfing seems pretty trivially easy for 2FA stealing, given how slow numbers are to type. Thought about asking this as a new question, but it seems to fall under this existing question. – Ken Williams Oct 10 '19 at 15:23

2 Answers2

1

The specific encryption algorithm used by the Universal Clipboard feature has not been disclosed but I believe that all Bluetooth connections are encrypted (on some level) by default1. Read this answer to learn a little more about possible attack vectors: Is Bluetooth 4.0 traffic encrypted by default/design?. I don't know the exact implementation details of Universal Clipboard are but what I can say is that Universal Clipboard data is not uploaded to iCloud, it stays local to your devices2. That means that Apple can't see what you are copying and pasting.

See also this answer to the same question when it was asked previously: Universal clipboard iOS10 and macOS. How secure?


Footnotes:

1: Is Bluetooth 4.0 traffic encrypted by default/design?

2: http://arstechnica.com/apple/2016/09/macos-10-12-sierra-the-ars-technica-review/4/#h3

Aaron
  • 11
  • 3
-3

No. Your Mac's CPU and your phone's SIM card are the critical low-level backdoors that render anything built on top of them(your clipboard) insecure. So, even if Apple's closed-source clipboard isn't backdoored, there's two big reasons why it isn't secure:
1.The Intel firmware has a powerful rootkit that you can't disable.
2.The SIM in your iPhone presents a gaping backdoor that's simpler and far cheaper for a non-state actor to utilize and take advantage of.
Nothing built on top of compromised firmware can be considered secure, so your clipboard never had a chance.

andDevW
  • 217
  • 1
  • 11
  • 1
    I fail to see how a SIM can compromise the entire OS. As far as I know the iPhone's modem does not share memory with the main CPU, so even if it's compromised by the SIM the main CPU is still safe. – André Borie Jan 24 '17 at 09:58
  • 4
    You're basically saying that the firmware probably has backdoors so the clipboard isn't secure. That conclusion can be implied, but it's kind of a redundant point. It's like saying if Earth was destroyed then you won't ever have another cup of tea. Yeah sure, but then you'd have bigger problems. tl;dr keep your answers in scope – Awn Apr 24 '17 at 07:14
  • 1
    A9 Chipset does share Memory Space with iPhone's Internal Modem? Let's get the perspective here if it could be proven? I'm curious to know this. – Shritam Bhowmick Apr 24 '17 at 22:36
  • If you follow American news at all, Apple was getting all kinds of publicity for not granting the FBI access to their backdoor in the A9. – andDevW Apr 25 '17 at 19:37