This article originally appeared in TidBITS on 2012-03-16 at 2:01 a.m.

Elcomsoft Criticism of iOS Password Apps Overblown

by Glenn Fleishman

Major password-keeping apps for iOS use encryption techniques that, depending on the strength of the master password, can be easily overcome in under a day, revealing all of the ostensibly secured passwords, security firm Elcomsoft said in a security conference presentation in the Netherlands. Short passwords and numeric PIN-style passwords are allowed in such software, although it’s unclear how many users might opt for such weak choices. A full explanation is in an associated white paper [1] (PDF) that provides mathematical and encryption details. You may see this reported breathlessly as “Password Safes Unlocked!” The reality is nowhere near that worrying, but the report is worth examining.

The list of examined apps includes 1Password Pro [2], LastPass Premium [3], and mSecure [4], three of the most popular iOS password keepers available. However, the risk is quite low even without considering the issue of short (six or fewer characters, including letters, numbers, and punctuation) or solely numeric passwords. For starters, access to the app’s data store is required — either via an iTunes backup or an iOS device containing the app and its data — and any iOS security controls must be bypassed first. The flaws that Elcomsoft has identified cannot be exploited (as far as is currently known) over the Internet, which further limits exposure.

The Risk Scenario -- Elcomsoft analyzed 14 apps for iOS and 3 for BlackBerry OS. Of those, 7 had inadequate protections allowing instant recovery of a master key no matter the password’s composition because, the firm said, data is stored with no encryption, protected only with a static password built into the software, or protected by a key derived from flawed cryptography. (The white paper provides app-by-app details, so you can read about any app you may use.) In all cases, the researchers needed access to the app’s data store, which means first circumventing any iOS security protections, also discussed in the white paper.

In order to extract information from one of these iOS apps, a cracker needs physical access to the device and the ability to bypass certain security protections, or access to either an iTunes backup of the device or an image of the device’s storage. App data can be extracted from a local iTunes backup if the backup is unencrypted, or if the backup is encrypted and a cracker knows or can guess the backup password.

If you use iCloud for backups or have a strong, secret iTunes backup password, your device backups aren’t vulnerable. There is more risk if the cracker obtains access to your actual device, but that person must have significant forensic skills and software, and extracting the app data might take an inordinately long time. Such extraction may not be possible at all on the latest iOS hardware when it’s properly protected with a passcode that’s not easily guessed (don’t pick “1234” or “4444”, for instance). If locked, the passcodes used by the iPad 2, third-generation iPad, and iPhone 4S are entirely secure unless the device was jailbroken before being locked.

In short, although it’s extremely distressing to hear that so many iOS apps aren’t doing as good a job protecting your data as would be ideal, the risk for any given person is very low — and nearly zero if you use a strong password. Where that risk becomes higher is if you rely on a cryptographically weak password and a particular individual who has or can hire the necessary skills targets you specifically. If you’re going through a messy divorce, work on secure and private matters (governmental, rebel, legal, banking, or other), or express unpopular opinions widely in public, I recommend that you immediately change your app’s master password to one that’s stronger, encrypt any local iTunes backups, and set at least a four-digit iOS passcode. You should also delete old iTunes backups that are not encrypted (see “Deleting a Backup,” in this Apple support note [5]).

All the flaws relate to how the apps protect their stored password data locally. In the case of 1Password, mSecure, and LastPass, stored data cannot be cracked immediately, but Elcomsoft estimates that for those three (and seven others on both iOS and BlackBerry), it would take a cracker less than a day to crack a relatively long, but solely numeric, password, or a short password that’s a jumble of characters.

With 1Password and LastPass, a numeric master password can be broken in under a day if it is 12 digits or fewer in length, and 10 or fewer digits for mSecure. Passwords of half that length (6 and 5 characters) can also be broken in under a day even if they use a random mix of letters, numbers, and punctuation.

Plus, 1Password allows the use of a short PIN code instead of or in addition to a longer password. I use the PIN code to lock all access with 1Password for iOS. After it’s entered, I can view items by name but not passwords, which requires the additional entry of the master password. If 1Password’s PIN code is used exclusively to unlock its data in iOS then computation time drops to hours.

The Encryption Background -- Each additional digit in a numeric password increases the time it takes to crack by a factor of 10, but each extra character in a mixed password multiplies the complexity by 95 (the number of legitimate printable ASCII characters). These numbers assume using a computer with a high-end graphics card that together cost well under $3,000; more expensive systems can crack faster. (Comparatively, a mixed-text password requires 85 to the Nth power more attempts than a numeric one where N is the number of characters in the password.)
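As an added worked example (not from the article or from Elcomsoft's white paper), the Python model below derives the guess rate implied by the "12 digits in under a day" figure and checks which password lengths fit in the same time budget. It assumes an exhaustive search of one exact length at a constant guess rate; the function names and the `slowdown` factor, which stands in for a more expensive key derivation, are illustrative.

```python
from fractions import Fraction

SECONDS_PER_DAY = 86_400
DIGITS, PRINTABLE_ASCII = 10, 95  # alphabet sizes quoted in the article


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet ** length


def implied_rate(alphabet: int, length: int, seconds: int = SECONDS_PER_DAY) -> Fraction:
    """Guesses per second needed to exhaust that keyspace within `seconds`."""
    return Fraction(keyspace(alphabet, length), seconds)


def max_crackable_length(alphabet, rate, seconds=SECONDS_PER_DAY, slowdown=1) -> int:
    """Longest length whose whole keyspace fits in the time budget.

    `slowdown` (an assumption of this example) models a key derivation
    that costs N times more work per guess.
    """
    budget = rate * seconds / slowdown
    length = 0
    while keyspace(alphabet, length + 1) <= budget:
        length += 1
    return length


def years_to_exhaust(alphabet, length, rate, slowdown=1) -> float:
    """Worst-case time to try every password of that length, in years."""
    seconds = keyspace(alphabet, length) * slowdown / rate
    return float(seconds / (365 * SECONDS_PER_DAY))


if __name__ == "__main__":
    # Rates implied by "12 digits in a day" and "10 digits in a day".
    for label, digits in (("12-digit/day rate", 12), ("10-digit/day rate", 10)):
        rate = implied_rate(DIGITS, digits)
        print(f"{label}: ~{int(rate):,} guesses/s, "
              f"mixed passwords up to {max_crackable_length(PRINTABLE_ASCII, rate)} chars")
    rate = implied_rate(DIGITS, 12)
    # Effect of a 1000x costlier key derivation on the same one-day budget.
    print("with 1000x slowdown:",
          max_crackable_length(DIGITS, rate, slowdown=1000), "digits,",
          max_crackable_length(PRINTABLE_ASCII, rate, slowdown=1000), "mixed chars")
    # A 10-character mixed password at the undamped rate.
    print(f"10 mixed chars: ~{years_to_exhaust(PRINTABLE_ASCII, 10, rate):,.0f} years")
```

The model reproduces the 6- and 5-character mixed-password limits the article pairs with the 12- and 10-digit numeric ones.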

While all three apps use robust security mechanisms to protect the data, the weak link is always the password that, when entered, unlocks the actual, long encryption key used to encrypt the data. mSecure quotes a review of its product in IT Business Net, which states that mSecure “uses 256-bit data encryption, which is basically impenetrable.” That’s essentially true of the actual encrypted data; decryption without the long encryption key might be impossible without years or even centuries of effort by any means currently known. However, if the password protecting that long encryption key is weak, the protected data is vulnerable with only minimal computational effort.

The three apps we know best, 1Password, LastPass, and mSecure, store password data in other places as well, a topic not addressed by Elcomsoft. 1Password stores its password data on a local volume or in a Dropbox folder, although it doesn’t provide a PIN-style interface on the desktop and advises that you pick a good password when you set it up. (Dropbox has seen various security failures in the past, though none recently.) LastPass caches password data on your desktop computer and mobile devices, but maintains the master copy on its servers for syncing, securing the data with your password, which the firm doesn’t retain. mSecure stores data in desktop and mobile data stores, and can sync between the two.

Any of these data stores could potentially be vulnerable, although the same issue applies: the cracker must obtain remote access to the data files, or gain physical access to a system from which data can be copied. Other password keepers with syncing capabilities undoubtedly suffer from similar theoretical vulnerabilities. And again, the concern largely disappears as long as you have a strong password.

Updating your app’s master password to a mix of letters, numbers, and punctuation (or even a few memorable words [6]) of 10 characters or more will provide the greatest assurance of protection, although at the cost of reduced usability. In iOS, think about how you switch back and forth between keyboards to access numbers and punctuation; it makes sense to create a strong password that doesn’t require unnecessary keyboard flipping.

The white paper’s authors note that the lack of physical keyboards on touch-based smartphones and tablets contributes to people choosing shorter passwords. That’s in part why Windows 8 offers gestural passwords [7] overlaid on personal photos.

For protection beyond a longer app password, you should either store your device backups in iCloud or, if you’re storing them locally, encrypt them with a strong password. Also, using iOS’s optional four-digit passcode significantly increases the security of your data. For even more security, you can set a strong passcode for your iOS device instead of the four-digit one; just turn off Simple Password in Settings > General > Passcode Lock, and enter a stronger passcode.

And if all this seems like too much trouble, consider whether it’s worth having access to all your passwords on your iOS device — it might be best simply to delete the password-keeping app and all its data.

The Response from Software Makers -- After this story was first published and we contacted the three software makers discussed above, we received a response from LastPass’s Joe Siegrist, who says Elcomsoft is in error about the way in which LastPass currently protects a master password. As of four months ago, LastPass started using a substantially stronger method of obscuring a password, as noted in this blog post [8]. That brings recovery difficulty far beyond 1Password and mSecure, according to Siegrist. Further, LastPass allows an increase in difficulty that makes weaker passwords harder to break as well. New accounts and password changes made since this security update went into effect get the additional protection. You can change your password in LastPass (even to the same current password) to ensure that the more-secure process is applied if you’re not sure.

AgileBits also responded, pointing us to a new blog entry [9] that illustrates the time to crack passwords of various lengths and explaining its current approach, which the firm believes is adequate but already had plans to improve upon. These plans include dropping PIN-only protection in the iOS version, and, alongside an associated switch to requiring iOS 5, adding a technique that slows down attackers. These moves should make shorter and numeric passwords safer as well as improving overall security.

Lastly, we heard from mSevenSoftware, makers of mSecure, which generally agrees with the conclusions of this article about password strength and will work to provide better feedback to users about the strength of chosen passwords. The firm noted that its Dropbox sync option requires a 12- to 30-character password that is stored only locally.

I was concerned to learn from Elcomsoft that the companies mentioned in the white paper were not made aware of these vulnerabilities in advance of the white paper being released. Advance notice is common practice in the security world, giving firms a chance to address the vulnerabilities before the information becomes widely known.

An Elcomsoft spokesperson told me that too many companies were involved and the flaws were too fundamental to pre-disclose. That seems like a somewhat weak excuse (“it was too much work to contact each of them”), but since physical access to the apps’ data stores is necessary and the quick decryption relies on weak numeric passwords, the release of this information doesn’t create a “zero-day” exploit scenario in which crackers can immediately use the information to exploit vulnerable systems in a widespread fashion.

A Positive Outcome -- In the long run, we’re glad to see all these firms — Elcomsoft and the makers of the various password-keeping apps — taking the issue of smartphone data security seriously.