
Mobile password managers: Cracking the security mechanisms

Password managers for mobile devices are convenient. But are the cached passwords sufficiently protected? Michael Kassner asks two experts to explain the vulnerabilities.

According to TechCrunch, lost and stolen phones will cost consumers billions of dollars in 2012. I was curious about the article's intense focus on replacement costs. But, I'd be more concerned about the data stored on the phone -- passwords, for example.

No problem, I use a mobile-security service that can locate, lock, and even wipe most of the data stored on the phone. And -- being one of those anal types -- I also use a mobile password manager. That way, sensitive passwords are protected until I figure out if my phone was lost or stolen. Either way, I'm covered.

Well, not quite

I have a news web crawler that alerts me when it finds the word combination of password and smartphones. While contemplating the TechCrunch article, my notebook beeped, signaling a hit. And it was a doozy -- "Secure Password Managers" and "Military-Grade Encryption" on Smartphones: Oh, Really? Apparently, the authors, Andrey Belenko and Dmitry Sklyarov of Elcomsoft Co. Ltd, knew something I didn't.

That's not good. They have plenty of street cred, having created the iOS Forensic Toolkit, software that decimates iOS data protection. So, I'm thinking I'd better check this out.

I read the paper -- like that helped. Reading about high-level encryption is cryptic, at least for me:

    Read EncryptedDatabaseKey and EncryptedValidator from Database
    KEK := MD5 (Password + Salt)
    IV := MD5 (KEK + Password + Salt)
    DatabaseKey := AES-128-CBC (KEK, IV, EncryptedDatabaseKey)
    Validator := AES-128-CBC (DatabaseKey, NULL, EncryptedValidator)
    If Validator = DatabaseKey Then password is correct
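To make the quoted check concrete, here is an added Go implementation of that validator scheme, written for this page and not taken from the paper or from any app it examines; it also reconstructs the encryption side that the check implies. It assumes the "NULL" IV means sixteen zero bytes, and any password, salt and database-key values fed to it are constructed samples.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
)

// cbc runs AES-128-CBC over whole 16-byte blocks. The scheme's "NULL" IV is taken
// to mean sixteen zero bytes (assumption; the page does not define it).
func cbc(key, iv, in []byte, encrypt bool) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key in this scheme is a 16-byte AES-128 key
	}
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	}
	return out
}

// kekAndIV is the derivation quoted on the page:
// KEK = MD5(Password || Salt), IV = MD5(KEK || Password || Salt). One hash each, no iteration count.
func kekAndIV(password, salt []byte) ([]byte, []byte) {
	k := md5.Sum(append(append([]byte{}, password...), salt...))
	v := md5.Sum(append(append(append([]byte{}, k[:]...), password...), salt...))
	return k[:], v[:]
}

// MakeDatabase is the encryption side, reconstructed from the check: the validator is
// DatabaseKey encrypted under itself with the zero IV. dbKey must be 16 bytes.
func MakeDatabase(password, salt, dbKey []byte) (encDBKey, encValidator []byte) {
	kek, iv := kekAndIV(password, salt)
	return cbc(kek, iv, dbKey, true), cbc(dbKey, make([]byte, 16), dbKey, true)
}

// VerifyPassword is the check as quoted on the page. Testing one candidate costs
// two MD5 hashes and two AES block decryptions, with no work factor (iterated or
// memory-hard KDF) to slow down guessing.
func VerifyPassword(password, salt, encDBKey, encValidator []byte) bool {
	kek, iv := kekAndIV(password, salt)
	dbKey := cbc(kek, iv, encDBKey, false)
	validator := cbc(dbKey, make([]byte, 16), encValidator, false)
	return bytes.Equal(validator, dbKey)
}
```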

I decided to contact both authors and see if they could make time for a few questions. They did, even though Dmitry was in Germany and Andrey in China.

Kassner: Your research focused on "security of data at rest," meaning storage of user passwords on the mobile device. In order to obtain the passwords, the attacker needs one of the following:
  • Possession of the device.
  • Backup copy of data stored on the device.
  • Access to the password-manager database.

You deal with Apple iOS and RIM BlackBerry in this paper; would you briefly explain how each protects passwords?

Belenko: Both platforms offer security mechanisms to protect data (not only passwords) stored on devices:
  • Device passwords (called passcodes on iOS): They restrict access to the UI and data on the device.
  • Backup encryption: Once you set up encrypted backups in iTunes, an iOS device will always encrypt backups. With BlackBerry you can control encryption on a per-backup basis because encryption is done by the desktop application and not by the device.
  • Keychain (iOS only): This is a system-wide storage for passwords, keys, certificates, etc. -- information that needs additional protection.

Operating systems can typically implement better security measures because they operate on a lower level -- closer to the hardware. For example, protecting the Apple iOS keychain is an integral part of iOS data protection (other parts include storage/content encryption along with passcode protection).

On the BlackBerry platform there is no equivalent of iOS keychain, so security depends on the device password. Thankfully, there are no easy or reliable ways to bypass the device passwords.

In our research we wanted to analyze if password management apps provide additional layers of security -- protection-in-depth, so to say.

Kassner: You differentiate between operating-system security and password-manager security. Why would there be a difference? And is it a problem?

Sklyarov: The difference is that the operating system usually has access to all features of the device, but applications are limited to the APIs offered by the operating system. The device's firmware offers some protection mechanisms, but for the most part they're just environments for running applications.

Most firmware and app developers feel that security is the responsibility of the application. But, app developers are typically more concerned about improving usability than increasing security because usability features are much more obvious than security enhancements.

Kassner: DataVault Password Manager for the iOS platform stores passwords in a secure iOS-encrypted keychain -- operating system and password application working together. That seems like the best solution. Why aren't more developers following DataVault's example?

Belenko: I can think of two likely reasons:
  • Apps must be portable (require versions for iOS and Android) and developers do not want to dive into platform-specific features. Thus they only utilize features that are common to different platforms.
  • Developers do not understand the security model of the device and do not allocate enough time to study security services provided by the platform.

DataVault is an interesting example. It is not using the keychain properly, but at least they are trying.

Kassner: The research paper looks at 17 different password managers and provides a detailed explanation of each app's shortcomings. I happen to use 1Password Pro. I tried to follow the explanation, but quickly became lost. Could you explain in layman's terms why 1Password is vulnerable?

Sklyarov: First, no invulnerable solution exists. Everything can be cracked; it's just a matter of time. If it happened to take centuries, such a solution is usually considered good enough. But if your password can be discovered in minutes -- that is not good enough.

We start by assuming the attacker has access to the 1Password database. How the access happens is not important to us. What does matter to us is how fast all possible password combinations can be tested.

For 1Password, more than 10 million passwords can be tested each second. In theory, using just digits for password characters, a seven-digit password can be found in less than one second, an eight-digit password takes 10 seconds, and nine digits only 100 seconds.

For passwords that contain letters, digits, punctuation marks, and special characters (95 in all), it is possible to discover a six-character password in 24 hours. But it is rare that such passwords are used on smartphones. They are too hard to type every time.

Kassner: My colleague -- a RIM fanatic -- uses BlackBerry Wallet. Although I'm under the impression that RIM does a better job at keeping passwords safe, the paper pointed out password recovery was possible. Once again, in layman's terms, would you please explain how Wallet is vulnerable?

Belenko: The same way 1Password Pro is: if you manage to get a backup of your colleague's BlackBerry you will be able to run a password recovery attack on his Wallet master password, albeit at a slower rate than 1Password Pro -- I assume Wallet 1.2 for BlackBerry OS 6+.

What makes password cracking easier on mobile platforms is the small or restricted keyboard. It is difficult to type in long or complex passwords.

Kassner: I'm glad you brought that up. I wanted to ask you about the following quote I read in the paper:

"Most mobile devices today do not have a physical keyboard, making it harder for users to utilize motor learning to remember complex passwords. Therefore we believe it is safe to assume that, on average, the complexity of a password that has to be entered routinely on a mobile device will be lower than that of a password that is used on devices with physical keyboards."

Is that really a consideration?

Sklyarov: Many people (including myself) can easily type complex sentences on standard keyboards, but have problems when required to type passwords letter-by-letter. We call it motor memory.

Now add to that problem the fact that virtual keyboards are small and produce no physical feedback about which part of the key you just touched -- center, angle, or some edge. So, it is doubly hard to type long complex passwords using a virtual on-screen keyboard -- making simple passwords more prevalent.

Kassner: With so many password manager apps available, what advice could you give users who are looking for one?

Belenko: It may sound a bit paranoid, but it is probably best not to rely on protection provided by password managers at all. Instead, users should utilize all security mechanisms offered by the mobile devices and their operating system:

iOS
  • Use the device's passcode application.
  • Set the backup password and make it complex.
  • Do not connect iOS devices to an untrusted computer or power source.

BlackBerry
  • Set the device's password (this is the primary protection of the data).
  • If you are encrypting the media card, set encryption to use the device key; using the device password will allow an attacker to recover it.
  • Never store unencrypted backups.

Final thoughts

I hear it time and time again. The absolute best thing we can do is use the device lock on our mobile phones. Proof positive: the FBI is unable to crack Android's pattern screen lock. And now you've heard it from two world-class experts.

I cringe though -- it's such a pain.

Thanks Dmitry and Andrey for shedding light on an important weakness.


10 comments
jobs94

I've been using the "Intuitive Password" online password manager for a couple of months now; I'm quite interested in the concept of the service. Worth taking a look.

JCitizen

This article should be everyone's mobile security concern. I'm almost relieved to see the recommendation to simply use the default device passcode. I was pretty sure using LastPass on smart phones wasn't going to have the same level of security as an NT6 computer. My password would have been very difficult to key in. I'm not ready to buy a smart phone yet, so I'm not really familiar with comments about how hard using the default system is. I can see why that isn't in the article though. Most folks reading this already have a smartphone, and are already quite aware of that factor.

randy

The link provided points to an Apple KB article, not anything about Android pattern security and the FBI.

HAL 9000

The facial recognition that is used in some of the newer phones? Is that any better than the fingerprint readers, and is it just as easy to bypass? Doesn't matter to me as I don't use a smartphone, as I actively dislike them, but that comes from being tied to a pager many years ago and being constantly on call. Col

robo_dev

If our phones are going to be our wallet, for all intents and purposes, the data needs to be secure, yet the device needs to be easy to use at the same time. You would think biometrics would be built into these devices by now? Not necessarily an iris scan, but surely a fingerprint scanner would not be that hard to implement.

Michael Kassner

One would expect password managers to be extra, extra secure. It appears not to be the case. One manager app stores the login password in plain text. See what else the researchers found.

Michael Kassner

I think most biometrics in and of themselves are good. It's what happens after that info is changed into normal digital bits. We can't protect that now. And the big difference is that it's easy to redo a password, but kind of tough to change a face.

Michael Kassner

You have hit the ironic nail on the head: ease of use versus security. I hate using the device passlock. I use my phone way too much and it is super annoying. As for biometrics, I have some concerns about that. I've been reading where the weak link is not the bio part -- but the metric part. Or not being able to securely store the digital fingerprint -- if you will. Once a bad guy gets that, all bets are off and your fingerprint can't be changed.
