According to TechCrunch, lost and stolen phones will cost consumers billions of dollars in 2012. I was curious about the article’s intense focus on replacement costs. But, I’d be more concerned about the data stored on the phone — passwords, for example.
No problem, I use a mobile-security service that can locate, lock, and even wipe most of the data stored on the phone. And — being one of those anal types — I also use a mobile password manager. That way, sensitive passwords are protected until I figure out if my phone was lost or stolen. Either way, I’m covered.
Well, not quite
I have a news web crawler that alerts me when it finds the word combination of password and smartphones. While contemplating the TechCrunch article, my notebook beeped, signaling a hit. And it was a doozy — “Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really? Apparently, the authors, Andrey Belenko and Dmitry Sklyarov of Elcomsoft Co. Ltd knew something I didn’t.
I read the paper — like that helped. Reading about high-level encryption is cryptic, at least for me:
Read EncryptedDatabaseKey and EncryptedValidator from Database
KEK := MD5 (Password + Salt)
IV := MD5 (KEK + Password + Salt)
7DatabaseKey := AES-128-CBC (KEK, IV, EncryptedDatabaseKey)
Validator := AES-128-CBC (DatabaseKey, NULL, EncryptedValidator)
If Validator = DatabaseKey Then password is correct
I decided to contact both the authors and see if they could make time for a few questions. They did, even though Dimitry was in Germany and Andrey in China.
Kassner: Your research focused on “security of data at rest,” meaning storage of user passwords on the mobile device. In order to obtain the passwords, the attacker needs one of the following:
- Possession of the device.
- Backup copy of data stored on the device.
- Access to the password-manager database.
You deal with Apple iOS and RIM Blackberry in this paper, would you briefly explain how each protects passwords?
Belenko: Both platforms offer security mechanisms to protect data (not only passwords) stored on devices:
- Device passwords (called passcodes on the iOS): They restrict access to UI and data on the device.
- Backup encryption: Once you set up encrypted backups in iTunes, iOS device will always encrypt backups. With BlackBerry you can control encryption on per-backup basis because encryption is done by the desktop application and not by the device.
- Keychain (iOS only): This is a system-wide storage for passwords, keys, certificates, etc. — information that needs additional protection.
Operating systems can typically implement better security measures because they operate on a lower level — closer to the hardware. For example, protecting the Apple iOS keychain is an integral part of iOS data protection (other parts include storage/content encryption along with passcode protection).
On the BlackBerry platform there is no equivalent of iOS keychain, so security depends on the device password. Thankfully, there are no easy or reliable ways to bypass the device passwords.
In our research we wanted to analyze if password management apps provide additional layers of security — protection-in-depth, so to say.
Kassner: You differentiate between operating-system security and password-manager security. Why would there be a difference? And is it a problem?
Sklyarov: The difference is the operating system usually has access to all features of the device, but applications are limited to APIs offered by the operating system. The device’s firmware offers some protection mechanisms, but for the most part they’re just environments for running applications.
Most firmware and app developers feel that security is the responsibility of the application. But, app developers are typically more concerned about improving usability than increasing security because usability features are much more obvious than security enhancements.
Kassner: DataVault Password Manager for the iOS platform stores passwords in a secure iOS-encrypted keychain — operating system and password application working together. That seems like the best solution. Why aren’t more developers following DataVault’s example?
Belenko: I can think of two likely reasons:
- Apps must be portable (require versions for iOS and Android) and developers do not want to dive into platform-specific features. Thus they only utilize features that are common to different platforms.
- Developers do not understand the security model of the device and do not allocate enough time to study security services provided by the platform.
DataVault is an interesting example. It is not using the keychain properly, but at least they are trying.
Kassner: The research paper looks at 17 different password managers and provides a detailed explanation of each app’s shortcomings. I happen to use 1Password Pro. I tried to follow the explanation, but quickly became lost. Could you explain in layman’s terms why 1Password is vulnerable?
Sklyarov: First, no invulnerable solution exists. Everything can be cracked; it’s just a matter of time. If it happened to take centuries, such a solution is usually considered good enough. But if your password can be discovered in minutes — that is not good enough.
We start by assuming the attacker has access to the 1Password database. How the access happens is not important to us. What does matter to us is how fast all possible password combinations can be tested.
For 1Password, more than 10 million passwords can be tested each second. In theory, using just digits for password characters, a seven digit password can be found in less than one second, an eight digit password takes 10 seconds, nine digits only 100 seconds.
For passwords that contain letters, digits, punctuation marks, and special characters (95 in all), it is possible to discover a six-character password in 24 hours. But it is rare that such passwords are used on smartphones. It is too hard to type it every time.
Kassner: My colleague — a RIM fanatic — uses Blackberry Wallet. Although I’m under the impression that RIM does a better job at keeping passwords safe, the paper pointed out password recovery was possible. Once again, in layman’s terms, would you please explain how Wallet is vulnerable?
Belenko: The same way 1Password Pro is: if you manage to get a backup of your colleague’s BlackBerry you will be able to run a password recovery attack on his Wallet master password, albeit at a slower rate than 1Password Pro — I assume Wallet 1.2 for BlackBerry OS 6+.
What makes password cracking easier on mobile platforms is the small or restricted keyboard. It is difficult to type in long or complex passwords.
Kassner: I’m glad you brought that up. I wanted to ask you about the following quote I read in the paper:
“Most mobile devices today do not a have physical keyboard, making it harder for users to utilize motor learning to remember complex passwords. Therefore we believe it is safe to assume that, on average, the complexity of a password that has to be entered routinely on a mobile device will be lower than that of a password that is used on devices with physical keyboards.”
Is that really a consideration?
Sklyarov: Many people (including myself) can easily type complex sentences on standard keyboards, but have problems when required to type passwords letter-by-letter. We call it motor memory.
Now add to that problem the fact that virtual keyboards are small and produce no physical feedback about which part of the key you just touched — center, angle, or some edge. So, it is doubly hard to type long complex passwords using a virtual on-screen keyboard — making simple passwords more prevalent.
Kassner: With so many password manager apps available, what advice could you give users who are looking for one?
Belenko: It may sound a bit paranoid, but probably it is best not to rely on protection provided by password managers at all. Instead, users should utilize all security mechanisms offered by the mobile devices and their operating system:
- Use the device’s passcode application.
- Set the backup password and make it complex.
- Do not connect iOS devices to an untrusted computer or power source.
- Set the device’s password (This is the primary protection of the data).
- If you are encrypting the media card, set encryption to use device key, using device password will allow an attacker to recover it.
- Never store unencrypted backups.
I hear it time and time again. The absolute best thing we can do is use the device lock on our mobile phones. Proof positive, the FBI are unable to crack Android’s pattern screen lock. And, now you’ve heard it from two world-class experts.
I cringe though — it’s such a pain.
Thanks Dmitry and Andrey for shedding light on an important weakness.