Throwing Light On Elcomsoft's Analysis of Smartphone Password Managers

An anonymous reader writes "Security firm Elcomsoft analyzed 17 iOS and BlackBerry password-keeping apps and found their actual security levels well below their claimed level of protection. With additional digging, however, Glenn Fleishman at TidBITS found that Elcomsoft's criticisms rely on physical access to the apps' data stores, and, for some of the more common apps, on the user employing a short (6 characters or fewer) or numeric password. In other words, there really isn't much risk here."

My scheme

I just add my ss # and phone number and bam - secure unforgettable password!

Re:My scheme

[DMUTPeregrine]

Bah, that's too easy to discover! I use really secret values that nobody knows, like a secret number where the ratio of the sum of the the secret number plus one is equal to the ratio of the secret number to one. No one has ever used it, and nobody else has the mathematical genius to calculate it!

WTH

Glenn Fleishman does understand that encrypted data should be safe even in the hands of the enemy? Also, totally didn't read that article.

Re:WTH

I have no idea why someone would gloss over / apologize for half-baked attempts at practical crypto, as Glenn Fleishman appears to have done here ("oh yeah, it's not really secure, did you reeeally need that?"). Does he have a horse in this race?

Re:WTH

[binarylarry]

I think Mr Fleishmen is well aware. After all, he is a columnist for an Apple magazine and has a degree in art.

Elcomsoft has only cracked bluray, dvd, HDDVD and most other forms of commercially available encryption. They're practically noobs and probably don't even own in iPhone between them (LOLZ!).

Re:WTH

[beelsebob]

Actually, no – encrypted data absolutely isn't safe in the hands of the enemy. Assuming that the enemy can identify what's an important message, they will eventually crack it (by brute force if necessary). That's the key to why your messages are secure on the internet – your enemies can't identify what's important and what's not.

Re:WTH

[chrb]

As far as we know, data encrypted with a random key and modern algorithms ought to be safe in the hands of the enemy. I say as far as we know, because the NSA does not reveal exactly what they can and can't crack. There is no practical way to brute force any of the modern algorithms: 256 bits is roughly equal to the number of atoms in the universe.

Re:WTH

[noh8rz3]

ftfs:

In other words, there really isn't much risk here.

... for certain cases of "here" where users utilize long passwords and hackers can't access the device. So we're good@

Re:WTH

[philip.paradis]

You have demonstrated a profound level of ignorance of the most basic elements of cryptography. May I suggest spending some quality time with Applied Cryptography, among other notable and readily available references in the field.

Re:WTH

[jhoegl]

How can something be "roughly equal" to something else? o.O

Re:WTH

[philip.paradis]

Maybe this will help.

Re:WTH

http://en.wikipedia.org/wiki/Equals_sign#Approximately_equal

Re:WTH

[rtfa-troll]

I have no idea why someone would gloss over / apologize for half-baked attempts at practical crypto, as Glenn Fleishman appears to have done here ("oh yeah, it's not really secure, did you reeeally need that?"). Does he have a horse in this race?

Very good question (mods; you should be reading at -1). Having looked about a bit it seems that he has been recommending this password software, for example he recommended 1password pro which has multiple problems; doesn't use the keychain; encourages use of a PIN for security and (to quote Elcomsoft):

Thus, very fast password recovery attack is possible, requiring one MD5 computation and one AES trial decryption per password.

When you write articles on a topic you likely get advertising revenue from that, so it's possible he's also being attacked on his income. As they say, "It is difficult to get a man to understand something, when his salary depends upon his not understanding it!" (N.B. I am not suggesting concious corruption or something).

In the end I guess I had better put it in an obXKCD which puts this better than I could.

Re:WTH

[rtfa-troll]

The entire threat model for a password safe is that your phone gets stolen. Otherwise a plaintext list of passwords would pretty much do. If the enemy never gets the data then they can never do anything with it even if it isn't encrypted. Oh, and what the others said about bruteforcing.

Re:WTH

[eggboard]

I'm never sure if Slashdot commenters read the original article or the blurb.

In the article, which I wrote, I explain the precise degree of risk, who is at risk, and how to mitigate.

* Recommending software: I did not write the article about 1Password Pro; Joe Kissell did.

* I do not receive a share of advertising revenue, nor is any my writing for any of many publications based on advertising revenue. I receive a fixed fee arranged in advance. Only the publication knows whether or not advertising was justified.

* Attacked on his income: Neither the publication TidBITS or me personally have any income issues associated with the sale of any security software.

This article was for normal folks, not security experts, and tried to explain in clear terms how to disable (for instance) any PIN-based access or switch away from a numbers-only passwords.

The criticism here seems both misplaced, conspiracy oriented, and not based on a reading of the article.

Re:WTH

[rtfa-troll]

Thanks for responding. First I'd like to apologise. I tried to make it clear that I don't think you are deliberately trying to mislead. I clearly failed. I'll say it again but more clearly. Nothing I could see in the article you wrote made me think you were acting in anything other than good faith. I think you should have written some things differently, but I do not see this as a deliberate attempt to mislead.

Now this is my understanding of the situation as it is now and why I think your publication should repudiate it's support for 1password:

The aim of a password safe is to increase security. There is a very simple and functional alternative to a password safe; to use the same password on all sites. In that case there is no problem whatsoever with remembering which site has what password (since they are all the same). However, there's a specific change of risk here.

• - compromise of one password, e.g. from a network capture, does not compromise all sites
• - it is easier to use more secure longer passwords which are harder to guess
• + compromise of the password safe compromises all passwords, even higher security ones which were different
• + compromise of the password safe gives a list of sites for the attacker to attack
• + since the attacker can target only specific sites she is less likely to be discovered
• + a remote compromise of the device can compromise all passwords once one is used rather than just the ones which are used during the time the device is compromised

So a password safe trades one threat; that the user's password for one site will be found from the password from another site; for a different threat; that the user's password safe will give away all of the user's passwords for all sites. When you think about this, it's actually trading a lesser potential damage for a greater one.

That trade off is only acceptable when the chance of the password safe compromise is considerably reduced. Good designs for this are clearly available in open texts. There are multiple elements; all of which were included in programs such as "Password Safe" which are inspiration for most of the modern software of this type. These elements include:

• encouraging a strong / long password
• using password strengthening
• ensuring the use of secure memory

To these elements I would currently add that on a modern system they should probably have additional protection from facilities of the operating system such as fully encrypted disks on Linux or the keychain on iOS and OS X.

Many of the programs listed, including the one recommended by your website, fail to provide these basics. The full implications of this will depend on the user's threat environment and behaviour profile. However, I think it's pretty clear that for many, possibly even most of your readers, using a badly designed password safe will increase their risk over using none at all.

Put simply: the current recommendation on your web site, to use 1passwd, seems to increase your readers risks and does so with no justification since there are better alternatives available which do not do so. Elcomsoft has correctly pointed this out although they have not put it fully clearly. You should be telling your users to migrate from solutions previously suggested by your web site to more secure ones.

Finally, I'd like to address, a little, your point about having no interest here. Firstly your site has published a review suggesting the use of one of the insecure products. Whether you were involved or not, you or your editor should be clearly retracting that recommendation.

Secondly you do get advertising money from security products. I have found several encryption and password related products advertised on your site. I can completely believe that you didn't think of this. It's on the boundary between careless and acceptable

Re:WTH

[rtfa-troll]

Sorry; one part of your comment I didn't respond to with my other post. I read your original article (considered immoral around here; I took the "rtfa-troll" tag specifically so I could claim to be trolling if someone caught me doing this). You mentioned risk mitigation; I was not convinced by your arguments and they have mostly been answered elsewhere in the comments thread. I will point to some:

There is more risk if the cracker obtains access to your actual device, but that person must have significant forensic skills and software, and extracting the app data might take an inordinately long time

There are specific forensic devices which do this automatically and are available to the kinds of people who run organisations where stolen iPhones end up, not to mention large foreign competitors of the type of people who need and care about password safes and governments. These machines fully automate these attacks.

If you use iCloud for backups or have a strong, secret iTunes backup password, your device backups aren’t vulnerable.

Serious security concerns have been raised against iCloud by people with more security knowledge than myself. Also I am not aware of a serious outside audit with published results. I would not be prepared to accept this statement without much further research and access to Apple's design and implementation information.

If locked, the passcodes used by the iPad 2, third-generation iPad, and iPhone 4S are entirely secure unless the device was jailbroken before being locked.

In my experience, problems such as USB/Wireless etc. etc. exploits have always found ways to work around this security. Could you please give a bit more basis for this belief?

Simply put, good security should be made up of different layers where the failure of one layer will not lead to the others failing. I do not find the general security of iOS to be sufficiently convincing to consider running an insecure password manager on it a good idea.

KeePass?

[hawguy]

This isn't one of the ones they tested, but does anyone know how safe KeePass is?

I use this on my desktop and Droid, which is pretty convenient since I can share the database file between them.

Re:KeePass?

[unrtst]

KeePass is also available for PocketPC, Winodws Phone 7, iPhone/iPad (multiple versions), Android, J2ME, BlackBerry, PalmOS, Linux, Max OS X, Windows 98 thought 7 + Wine + Mono, and there are libs that tie into several programming lanuages.

I read through the article, the linked PDF, and the PDF linked from the PDF to find out they didn't even test KeePass, which, AFAIK, is one of the most popular and widely available password managers out there.

I really hate it when someone claims to do a thorough test on something and states something like either "Of all the X we tested, none of them passed" or "Of all the X we tested, only one came close to passing". The former makes me think they should get off their high horse and write it themselves if it's so obvious. The latter that they're just trolling to push one product... especially when there are glaring holes in the tests.

Re:KeePass?

Assuming that their key derivation scheme scheme is sound, Keypass is probably 6000 times better than any of the "AES bound" systems covered in the paper.

Here's the summary of their key derivation as it relates to dictionary attacks: http://keepass.info/help/base/security.html#secdictprotect
This shows that they've put some thought into the issues that Elcomsoft is criticizing in other password managers. I don't know enough to say that this is a legitimate use of AES, and part of me is disappointed that rolled their own system rather than using something like http://en.wikipedia.org/wiki/PBKDF2

Re:KeePass?

I can't speak to other managers, but KeePass on Android allows keyfiles to be used as well as passwords. Combine this with the CifsManager program (or do it manually if you're a masochist) to easily share a keyfile to your android phone - now you have easy access to your passwords while at home, yet no one can possibly (assuming you use a strong keyfile) get your passwords if you leave your phone somewhere.

Re:KeePass?

[Elrond,+Duke+of+URL]

I use KeePassX, a derivative of the original KeePassX. It is also open and under the GPL. I gather that the major difference between it and the original KeePass is that its cross-platform nature is not dependent on Mono/.Net. The downside is that it does not yet support the KeePass 2.x DB format, but since I'm not using that, I don't mind.

I use KeePassX on Debian, the Windows port under Win7, and KeePassDroid on my phone. It all works really well. My only complaint with KeePassDroid is that it doesn't support file attachments that one can attach to an entry in the database. It doesn't appear to destroy them, it just ignore them right now. Other than that, it's great.

Re:KeePass?

[sapphire+wyvern]

Do you have any knowledge of which iOS implementations are better? I just got my first iOS device and I'm wondering which version of KeePass to install. It would be very bad news to pick one that isn't trustworthy.

Re:KeePass?

[BagOBones]

MiniKeepass for iOS is good, doesn't have built in sync but supports passing the database between apps like dropbox.

Don't know if the implementation is good. It defaults to a pin / remember password option but you can dissable that.

There are several others however only look at the ones that have updated recently. Several are in the app store but are very out dated.

MiniKeePass is the cheapest one that supports the current 2.x file format.

Re:KeePass?

[sapphire+wyvern]

Thanks for the advice. I'll look into it.

Nested links

[Scutter]

So, the summary links to a summary, which links to a PDF of another summary, which links to a PDF of the actual study. Did we forget how the web is supposed to work?

Re:Nested links

sure, page views and ads.

Re:Nested links

[definate]

Here's a direct link for everyone
“Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really? by Andrey Belenko and Dmitry Sklyarov

Re:Nested links

No, the Slashdot editors just forgot what their job title entails.

Re:Smartphones, HA.

[GmExtremacy]

The real question is this: why haven't you switched to Gamemaker yet? Are you perhaps missing some gigabits on your puter...?

Pretty sad though...

[sshock]

It is pretty sad though how many of the apps don't encrypt the user data at all, or it's encrypted but the master password is stored in plaintext or is encrypted with a hard-coded key. Then there's many of them using strong crypto algs but not properly (e.g., what is the point of using PBKDF2 but with only 3 iterations?)

physical access

Physical access is 9 bajillion times easier when it comes to phones than it is with desktops. There is risk here. If you lose your phone, and someone can access the stores, then your'e effed.

Casted vs Thrown Illumination

[VortexCortex]

Shedding Light, Casting Light, or Bringing to Light -- but Throwing Light on something? Is this a thing? I mean, you can Throw a Switch, but Light?

That said, unless you're encrypting the datastore

However, the risk is quite low even without considering the issue of short (six or fewer characters, including letters, numbers, and punctuation) or solely numeric passwords. For starters, access to the app’s data store is required — either via an iTunes backup or an iOS device containing the app and its data — and any iOS security controls must be bypassed first. The flaws that Elcomsoft has identified cannot be exploited (as far as is currently known) over the Internet, which further limits exposure.

I wouldn't be too concerned if this were desktop PCs, but these are devices you carry around with you and may leave laying somewhere while you go to the bathroom, or have stolen. You shouldn't keep all your important passwords as plain-text in your wallet or purse... A weak password store is not much better than this.

There's a much higher chance of physical access to a portable device, especially one you carry with you everywhere in public, than there is to the desktop PC. This is why physical access is less of a concern for PCs than having it remotely exploited: You don't drag it around in public.

Physical access to the device means game over unless the data-store is strongly encrypted. Data Extraction Devices Exist, and police have been using them without a warrant. To my knowledge these devices don't work on iPhones, yet, but anything in plain-text or enciphered weakly would still be a concern if physical access to the device is gained.

Having a password store with a weak password is a bit alarming. If you're going to have a central point of failure in your pocket, out on your desk, in your hand on a cab, then the security of that single point of failure is very important. I know an unscrupulous cab driver who gets $50 for handing your forgotten phones over to street thugs. They pay $75 if the device hasn't been locked. The thugs actually use Faraday cages to prevent remote wipes. The point is: They're already interested in your data. It's only a matter of time until they have tools to brute force your password stores, they may have them already. With a weak password that can be brute-forced in one or two days, this is an issue that would cause me concern. That is: I'd want a stronger password and a manager that requires re-auth after standby mode is entered -- Laymen, like my brother, actually think 4-6 character pass-code is adequate to protect their bank credentials.

IMHO, the fact that they allow such weak passwords for such an important single point of failure is a serious design flaw. If a weak password is used there should be some minimal end user education, perhaps via big splash screen saying: "Your Password is Very Weak -- Do Not Store Important Passwords in this Password Store"

Re:Casted vs Thrown Illumination

[jimicus]

To my knowledge these devices don't work on iPhones, yet, but anything in plain-text or enciphered weakly would still be a concern if physical access to the device is gained.

Your knowledge is wrong. The manufacturer has a list of supported phones, and every iOS device is on there. It even claims "iOS physical extraction, decoding & real-time decryption"; which suggests that either they've found a weakness, they have a backdoor in or they're making overblown claims and it simply tries a dictionary attack.

I have no idea how much they cost, whether the manufacturer has any qualms about selling them to whoever wants to buy or if they're sufficiently widespread that someone suitably unscrupulous could easily buy secondhand, borrow or steal one.

Re:Casted vs Thrown Illumination

[bsane]

I have no idea how much they cost, whether the manufacturer has any qualms about selling them to whoever wants to buy or if they're sufficiently widespread that someone suitably unscrupulous could easily buy secondhand, borrow or steal one.

Like local law enforcement?

Re:Casted vs Thrown Illumination

There's another article about PIN extraction for most i* devices that basically jailbreak the device so they can access the whole filesystem -- and they only need the device for about 2 minutes.

other one

hmm this is interesting but i found more about this at www.scimat.com everyone should check it out

Re:Smartphones, HA.

[jmcvetta]

Awww dude, put your name to it! There's so much that you said that's just right, and yet so much you said that's just asininely wrong.. but who wants to debate an AC?

Google Docs file

All my silly passwords in a google docs file.

What do I care if someone gets into my pandora account?

Not for banking or anything related to money obviously.

Not Surprising

[aaaaaaargh!]

I'm the maker of a password manager for non-mobile platforms and can't think of any technical reasons why a mobile app would be less secure, as long as you don't intentionally sacrifice security for performance. However, from my own surveys of my "competitors" on Linux, Windows, and OS X I can assure you that not half of the programs out there can keep the promises it makes.

One thing you might check out to evaluate such apps is whether the encryption method is made public and whether the author explains exactly which hashing and salting methods he uses. Of course, if you want to make sure you need the source code but it's a good rule of thumb. Just writing AES means nothing, it could be AES in ECB mode with weak password hashing and no salting. But to be honest, I've even seen apps that store the passwords XOR encoded in the prefs file, no kidding.

No surprise

[gweihir]

In fact, I find that the more bold the security claims, the worse the actual security. Have seen this several times now. Be especially wary if somebody claims "Security is our highest priority". It means in fact: "Our security is so bad, that fixing it should be our highest priority, but it is not. We asked the PR people to fix this instead."

Most people implementing software today have no clue about security and that includes people writing security products. It is really pathetic. I think the reason is people wanting to keep their jobs ("yes, we can do that") and management that has no clue at all that writing secure software is a specialty that needs 5-10 years of experience in addition to specific training and talent before you can build anything that begins to be secure.

One problem I see...

[rthille]

One problem I see with phone-based password managers without hardware assisted crypto is the huge difference between the CPU power on the phone and even a $3000 dedicated cracking box. One thing the PDF quantifies is the amount of CPU/GPU time it'll take to generate a key for test decryption. 1-Password (the tool I've got, but haven't started using yet due to paranoia :-) uses just a single round of MD5 to generate the key, so key generation is fast. So fast that the GPU rig can test all the passwords possible in a 12.2 character (95 possible chars) password in just a day. So, for a decently safe password, you need at least 13 chars, and that'll buy you 3 months of data protection. And, you'll have to type that on your phone every time you want to use the password manager.

It seems that password managers should use a lot more CPU in the generation of the key from the password, even to the point where the delay on the phone approaches one second after the password is typed. One of the password managers ("the best") uses 4000 rounds of PBKDF2-SHA1 and so even with the GPU the cracking system can only check 10.1 characters worth of passwords in a day. So, a 12 character password will give you ~9000 days of data protection (assuming I'm doing the math correctly :-).

Mobile Password Security is a Generic Problem

[jasnw]

I purchased an iPad just after the 2 came out - I'm still wondering if that was a mistake. One of the main issues I am always wrestling with is how passwords for website access are handled, or not handled is more like. Safari doesn't have a protected username/password store capability (unless you consider AutoFill to be a nice secure way to store this info on a mobile device), and the third-party stuff like 1Password can't talk to Safari because of sandbox restrictions with iOS. Why is it that strong credentials security for accessing web-based information isn't a major component of mobile OS's? For me, it's now the main reason I don't get an iPhone and will likely turn my iPad into an expensive gaming pad for my grandson. (Yeah, I'm old - bring back Big Iron.)