Slashdot Mirror


Throwing Light On Elcomsoft's Analysis of Smartphone Password Managers

An anonymous reader writes "Security firm Elcomsoft analyzed 17 iOS and BlackBerry password-keeping apps and found their actual security levels well below their claimed level of protection. With additional digging, however, Glenn Fleishman at TidBITS found that Elcomsoft's criticisms rely on physical access to the apps' data stores, and, for some of the more common apps, on the user employing a short (6 characters or fewer) or numeric password. In other words, there really isn't much risk here."

5 of 48 comments

  1. Nested links by Scutter · · Score: 4, Informative

    So, the summary links to a summary, which links to a PDF of another summary, which links to a PDF of the actual study. Did we forget how the web is supposed to work?

    --

    "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
    1. Re:Nested links by definate · · Score: 3, Informative
      --
      This is my footer. There are many like it, but this one is mine.
  2. Re:WTH by philip.paradis · · Score: 5, Informative

    You have demonstrated a profound level of ignorance of the most basic elements of cryptography. May I suggest spending some quality time with Applied Cryptography, among other notable and readily available references in the field.

    --
    Write failed: Broken pipe
  3. Casted vs Thrown Illumination by VortexCortex · · Score: 4, Informative

    Shedding Light, Casting Light, or Bringing to Light -- but Throwing Light on something? Is this a thing? I mean, you can Throw a Switch, but Light?

    That said, unless you're encrypting the datastore

    However, the risk is quite low even without considering the issue of short (six or fewer characters, including letters, numbers, and punctuation) or solely numeric passwords. For starters, access to the app’s data store is required — either via an iTunes backup or an iOS device containing the app and its data — and any iOS security controls must be bypassed first. The flaws that Elcomsoft has identified cannot be exploited (as far as is currently known) over the Internet, which further limits exposure.

    I wouldn't be too concerned if this were desktop PCs, but these are devices you carry around with you and may leave lying somewhere while you go to the bathroom, or have stolen. You shouldn't keep all your important passwords as plain-text in your wallet or purse... A weak password store is not much better than this.

    There's a much higher chance of physical access to a portable device, especially one you carry with you everywhere in public, than there is to the desktop PC. This is why physical access is less of a concern for PCs than having it remotely exploited: You don't drag it around in public.

    Physical access to the device means game over unless the data-store is strongly encrypted. Data Extraction Devices Exist, and police have been using them without a warrant. To my knowledge these devices don't work on iPhones, yet, but anything in plain-text or enciphered weakly would still be a concern if physical access to the device is gained.

    Having a password store with a weak password is a bit alarming. If you're going to have a central point of failure in your pocket, out on your desk, in your hand in a cab, then the security of that single point of failure is very important. I know an unscrupulous cab driver who gets $50 for handing your forgotten phones over to street thugs. They pay $75 if the device hasn't been locked. The thugs actually use Faraday cages to prevent remote wipes. The point is: They're already interested in your data. It's only a matter of time until they have tools to brute force your password stores; they may have them already. With a weak password that can be brute-forced in one or two days, this is an issue that would cause me concern. That is: I'd want a stronger password and a manager that requires re-auth after standby mode is entered -- Laymen, like my brother, actually think a 4-6 character pass-code is adequate to protect their bank credentials.

    IMHO, the fact that they allow such weak passwords for such an important single point of failure is a serious design flaw. If a weak password is used there should be some minimal end user education, perhaps via big splash screen saying: "Your Password is Very Weak -- Do Not Store Important Passwords in this Password Store"

  4. Re:WTH by rtfa-troll · · Score: 5, Informative

    I have no idea why someone would gloss over / apologize for half-baked attempts at practical crypto, as Glenn Fleishman appears to have done here ("oh yeah, it's not really secure, did you reeeally need that?"). Does he have a horse in this race?

    Very good question (mods; you should be reading at -1). Having looked about a bit, it seems that he has been recommending this password software. For example, he recommended 1Password Pro, which has multiple problems: it doesn't use the keychain, it encourages use of a PIN for security, and (to quote Elcomsoft):

    Thus, very fast password recovery attack is possible, requiring one MD5 computation and one AES trial decryption per password.

    When you write articles on a topic you likely get advertising revenue from that, so it's possible he's also being attacked on his income. As they say, "It is difficult to get a man to understand something, when his salary depends upon his not understanding it!" (N.B. I am not suggesting conscious corruption or something).

    In the end I guess I had better put it in an obXKCD which puts this better than I could.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
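The quoted Elcomsoft line (one MD5 computation and one AES trial decryption per candidate password) and the earlier comments about short or numeric master passwords both come down to the same arithmetic: cost per candidate multiplied by the number of candidates. The following is an added example, not code from the thread, from Elcomsoft, or from any of the apps discussed. It puts the unsalted single-MD5 derivation the thread quotes next to a salted, iterated PBKDF2 derivation, measures the per-candidate cost of each, and works out how long exhausting a six-character numeric or alphanumeric space would take at that cost. The function names, the 200,000 iteration count, the sample password and the alphabets are assumptions chosen for illustration.

```python
# Added example (not from the Slashdot thread, Elcomsoft or TidBITS): compares the
# weak derivation the thread quotes (one MD5 per candidate, digest used directly as
# an AES-128 key) with a salted, iterated KDF, and shows how the per-candidate cost
# scales a guessing run over a small password space. Names and constants are assumed.
import hashlib
import os
import string
import time

PBKDF2_ITERATIONS = 200_000  # assumed; tune to the device's unlock-latency budget

def derive_key_weak(password: str) -> bytes:
    """Unsalted single MD5 of the password, used directly as a 16-byte AES key.
    This is the 'before' case matching the scheme quoted in the thread; it is
    shown only to be measured, not to be used."""
    return hashlib.md5(password.encode("utf-8")).digest()

def derive_key_strong(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 producing a 16-byte key. The random salt defeats
    precomputed tables; the iteration count multiplies the cost of every candidate."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=16)

def seconds_per_derivation(fn, *args, rounds: int = 20) -> float:
    """Average wall-clock cost of one call to fn(*args) over `rounds` calls."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(*args)
    return (time.perf_counter() - start) / rounds

def candidate_count(length: int, alphabet: str) -> int:
    """Number of passwords of exactly `length` characters drawn from `alphabet`."""
    return len(alphabet) ** length

def exhaustive_search_seconds(length: int, alphabet: str, cost_per_candidate: float) -> float:
    """Upper bound on single-core time to derive a key for every candidate once."""
    return candidate_count(length, alphabet) * cost_per_candidate

def compare(length: int = 6) -> dict:
    """Measure both derivations and project them onto two six-character spaces."""
    salt = os.urandom(16)                      # constructed per-store salt
    sample = "Tr0ub4d"                          # constructed sample master password
    weak_cost = seconds_per_derivation(derive_key_weak, sample)
    strong_cost = seconds_per_derivation(derive_key_strong, sample, salt, rounds=3)
    spaces = {"numeric": string.digits, "alphanumeric": string.ascii_letters + string.digits}
    return {
        "weak_cost": weak_cost,
        "strong_cost": strong_cost,
        "ratio": strong_cost / weak_cost,
        "exhaustive": {
            name: {
                "weak_seconds": exhaustive_search_seconds(length, alphabet, weak_cost),
                "strong_seconds": exhaustive_search_seconds(length, alphabet, strong_cost),
            }
            for name, alphabet in spaces.items()
        },
    }

if __name__ == "__main__":
    r = compare()
    print(f"per-candidate cost: MD5 {r['weak_cost']:.2e}s, PBKDF2 {r['strong_cost']:.2e}s "
          f"(x{r['ratio']:.0f})")
    for name, t in r["exhaustive"].items():
        print(f"{name:13s} 6 chars: MD5 {t['weak_seconds']:.1f}s  "
              f"PBKDF2 {t['strong_seconds'] / 86400:.1f} days")
```

The numeric six-digit space has only one million candidates, so the iteration count is the only thing standing between "seconds" and "days" on a single core; the alphanumeric space is about 57 billion candidates, where a fast unsalted hash still leaves it in reach of commodity hardware while the iterated derivation does not. Both a longer, non-numeric master password and a real KDF are needed; neither substitutes for the other.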