Hacker News

iCloud backups aren't a requirement. You can have an iPhone with iCloud disabled, and privacy-conscious users might choose that approach; additionally, those backups don't necessarily contain all device data.

But if you want to download apps at all from the App Store you need to sign in, and if that alone gives Apple the ability to verify your device PIN even without iCloud, that's a problem.



Hmm. I think for such users this may be surprising. At the same time, you don’t really have any reason to trust the cloud HSM more or less than the Secure Enclave, right?

Certainly it does increase attack surface, but if Apple said “now I-devices ship with 2 HSMs”, we’d be like, ok, shrug. No?

The fact that this is “remote” is sort of immaterial, I think. You’re trusting Apple’s (bespoke or acquired) stack the same either way, and as far as we can tell the security properties of both local and remote HSMs are the same.


The issue is that if you break one HSM, you get the ability to brute-force thousands (millions?) of users' PINs, without their knowledge. You could brute-force someone's PIN ahead of time, then acquire their phone knowing you can get at the data with zero risk. Getting the phone first then figuring out how to break into it is a lot trickier.

I do in fact trust the SEP more than I trust cloud HSM, because the SEP is an Apple design, and the HSMs they use, as far as I know, are third-party.
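The point made above, that the escrow record only resists guessing as long as the HSM's attempt counter is enforced, can be shown with a small model. This is an added example, not code from the thread or from Apple; the PBKDF2 key derivation, the XOR wrapping, the 4-digit PIN and the single KDF iteration are constructed stand-ins chosen so the brute force finishes instantly, and the real service's KDF, PIN length and record format are not known here.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed demo parameters (assumptions, not the real service's settings).
# They are deliberately weak so the brute force below finishes in well under a
# second; a 6+ digit PIN and a slow KDF only change the constant factor.
PIN_DIGITS = 4
KDF_ITERATIONS = 1
MAX_ATTEMPTS = 10


def derive_key(pin: str, salt: bytes) -> bytes:
    """PIN -> 32-byte key. PBKDF2 is a stand-in for whatever KDF the real service uses."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS, dklen=32)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass(frozen=True)
class EscrowRecord:
    """What the escrow service stores per user. Nothing in here enforces an attempt limit."""
    salt: bytes
    verifier: bytes        # HMAC over a fixed label under the PIN-derived key
    wrapped_secret: bytes  # 32-byte device secret XORed with the PIN-derived key (toy wrapping)


def enroll(pin: str, device_secret: bytes) -> EscrowRecord:
    assert len(device_secret) == 32
    salt = secrets.token_bytes(16)
    key = derive_key(pin, salt)
    verifier = hmac.new(key, b"escrow-verifier", "sha256").digest()
    return EscrowRecord(salt, verifier, xor_bytes(device_secret, key))


def pin_matches(record: EscrowRecord, pin: str) -> bool:
    key = derive_key(pin, record.salt)
    tag = hmac.new(key, b"escrow-verifier", "sha256").digest()
    return hmac.compare_digest(tag, record.verifier)


@dataclass
class EscrowHsm:
    """Models the online path: the HSM keeps the counter and stops answering once it is spent."""
    record: EscrowRecord
    attempts_left: int = MAX_ATTEMPTS
    wiped: bool = False

    def try_unlock(self, pin: str) -> Optional[bytes]:
        if self.wiped:
            return None
        self.attempts_left -= 1
        if not pin_matches(self.record, pin):
            if self.attempts_left == 0:
                self.wiped = True  # burn the record: the secret is gone for good
            return None
        self.attempts_left = MAX_ATTEMPTS
        return xor_bytes(self.record.wrapped_secret, derive_key(pin, self.record.salt))


def offline_bruteforce(record: EscrowRecord) -> Tuple[Optional[str], int]:
    """Models the compromised-HSM path: with the raw record in hand, the counter is irrelevant."""
    for i in range(10 ** PIN_DIGITS):
        pin = f"{i:0{PIN_DIGITS}d}"
        if pin_matches(record, pin):
            return pin, i + 1
    return None, 10 ** PIN_DIGITS


if __name__ == "__main__":
    secret = secrets.token_bytes(32)
    rec = enroll("4821", secret)

    hsm = EscrowHsm(rec)
    for guess in range(MAX_ATTEMPTS):          # ten wrong guesses online...
        hsm.try_unlock(f"{guess:04d}")
    print("online after 10 misses:", hsm.try_unlock("4821"))  # None: record is wiped

    pin, tries = offline_bruteforce(rec)       # ...but the record alone has no counter
    print(f"offline: PIN {pin} recovered in {tries} guesses")
    print("secret recovered:", xor_bytes(rec.wrapped_secret, derive_key(pin, rec.salt)) == secret)
```

The two functions exercise the same record. `EscrowHsm.try_unlock` wipes after ten misses, so an attacker who only has the online interface gets ten guesses per user. `offline_bruteforce` never consults a counter, so whoever extracts records from a compromised HSM can enumerate every PIN in the space at their leisure, and can do so for every record the HSM held, before ever touching a phone.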


That's fair. I think I agree with that characterization.

I think if this excluded users who turned off iCloud sync, I'd have no qualms about it, however; the tradeoffs seem ideal for giving users a secure recovery mechanism. But users who have turned off iCloud may not want this functionality, I agree.



