Elcomsoft Criticism of iOS Password Apps Overblown
Major password-keeping apps for iOS use encryption techniques that, depending on the strength of the master password, can be easily overcome in under a day, revealing all of the ostensibly secured passwords, security firm Elcomsoft said in a security conference presentation in the Netherlands. Short passwords and numeric PIN-style passwords are allowed in such software, although it’s unclear how many users might opt for such weak choices. A full explanation is in an associated white paper (PDF) that provides mathematical and encryption details. You may see this reported breathlessly as “Password Safes Unlocked!” The reality is nowhere near that worrying, but the report is worth examining.
The list of examined apps includes 1Password Pro, LastPass Premium, and mSecure, three of the most popular iOS password keepers available. However, the risk is quite low even without considering the issue of short (six or fewer characters, including letters, numbers, and punctuation) or solely numeric passwords. For starters, access to the app’s data store is required — either via an iTunes backup or an iOS device containing the app and its data — and any iOS security controls must be bypassed first. The flaws that Elcomsoft has identified cannot be exploited (as far as is currently known) over the Internet, which further limits exposure.
The Risk Scenario — Elcomsoft analyzed 14 apps for iOS and 3 for BlackBerry OS. Of those, 7 had inadequate protections allowing instant recovery of a master key no matter the password’s composition because, the firm said, data is stored with no encryption, protected only with a static password built into the software, or protected by a key derived from flawed cryptography. (The white paper provides app-by-app details, so you can read about any app you may use.) In all cases, the researchers needed access to the app’s data store, which means first circumventing any iOS security protections, also discussed in the white paper.
In order to extract information from one of these iOS apps, a cracker needs physical access to the device and the ability to bypass certain security protections, or access to either an iTunes backup of the device or an image of the device’s storage. App data can be extracted from a local iTunes backup if the backup is unencrypted, or if the backup is encrypted and a cracker knows or can guess the backup password.
If you use iCloud for backups or have a strong, secret iTunes backup password, your device backups aren’t vulnerable. There is more risk if the cracker obtains access to your actual device, but that person must have significant forensic skills and software, and extracting the app data might take an inordinately long time. Such extraction may not be possible at all on the latest iOS hardware when it’s properly protected with a passcode that’s not easily guessed (don’t pick “1234” or “4444”, for instance). If locked, the passcodes used by the iPad 2, third-generation iPad, and iPhone 4S are entirely secure unless the device was jailbroken before being locked.
In short, although it’s extremely distressing to hear that so many iOS apps aren’t doing as good a job protecting your data as would be ideal, the risk for any given person is very low — and nearly zero if you use a strong password. Where that risk becomes higher is if you rely on a cryptographically weak password and a particular individual who has or can hire the necessary skills targets you specifically. If you’re going through a messy divorce, work on secure and private matters (governmental, rebel, legal, banking, or other), or express unpopular opinions widely in public, I recommend that you immediately change your app’s master password to one that’s stronger, encrypt any local iTunes backups, and set at least a four-digit iOS passcode. You should also delete old iTunes backups that are not encrypted (see “Deleting a Backup,” in this Apple support note).
All the flaws relate to how the apps protect their stored password data locally. In the case of 1Password, mSecure, and LastPass, stored data cannot be cracked immediately, but Elcomsoft estimates that for those three (and seven others on both iOS and BlackBerry), it would take a cracker less than a day to crack a relatively long, but solely numeric, password, or a short password that’s a jumble of characters.
With 1Password and LastPass, a numeric master password can be broken in under a day if it is 12 digits or fewer in length, and 10 or fewer digits for mSecure. Passwords of half that length (6 and 5 characters) can also be broken in under a day even if they use a random mix of letters, numbers, and punctuation.
Plus, 1Password allows the use of a short PIN code instead of or in addition to a longer password. I use the PIN code to lock all access with 1Password for iOS. After it’s entered, I can view items by name but not passwords, which requires the additional entry of the master password. If 1Password’s PIN code is used exclusively to unlock its data in iOS then computation time drops to hours.
The Encryption Background — Each additional digit in a numeric password increases the time it takes to crack by a factor of 10, but each extra character in a mixed password multiplies the complexity by 95 (the number of legitimate printable ASCII characters). These numbers assume using a computer with a high-end graphics card that together cost well under $3,000; more expensive systems can crack faster. (Comparatively, a mixed-text password requires 85 to the Nth power more attempts than a numeric one where N is the number of characters in the password.)
While all three apps use robust security mechanisms to protect the data, the weak link is always the password that, when entered, unlocks the actual, long encryption key used to encrypt the data. mSecure quotes a review of its product in IT Business Net, which states that mSecure “uses 256-bit data encryption, which is basically impenetrable.” That’s essentially true of the actual encrypted data; decryption without the long encryption key might be impossible without years or even centuries of effort by any means currently known. However, if the password protecting that long encryption key is weak, the protected data is vulnerable with only minimal computational effort.
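As an added illustration (not from Elcomsoft's paper or from the app makers), the Python sketch below works through the keyspace arithmetic described above, taking the 20 million guesses per second figure quoted from the paper in the comments as an assumed rate. The function names and the `kdf_iterations` cost model are assumptions made for this example.

```python
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY
# Assumption: guess rate quoted from the paper in the comments on this article.
GUESSES_PER_SEC = 20_000_000

DIGITS = 10            # numeric-only master password
PRINTABLE_ASCII = 95   # letters, numbers, and punctuation


def candidates(alphabet_size, max_len):
    """Count every password of length 1..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def worst_case_seconds(alphabet_size, max_len,
                       rate=GUESSES_PER_SEC, kdf_iterations=1):
    """Time to try the whole keyspace.

    Model assumption: deriving the key with k iterations makes each guess
    k times as expensive as the single-pass guess the rate was measured on.
    """
    return candidates(alphabet_size, max_len) * kdf_iterations / rate


def longest_exhaustible(alphabet_size, budget_seconds,
                        rate=GUESSES_PER_SEC, kdf_iterations=1):
    """Largest max_len whose full keyspace fits in the budget (0 if none)."""
    affordable = budget_seconds * rate // kdf_iterations  # guesses in budget
    length = 0
    while candidates(alphabet_size, length + 1) <= affordable:
        length += 1
    return length


def one_day_limits(kdf_iterations=1):
    """Map each alphabet to the longest password exhaustible in one day."""
    return {
        "digits": longest_exhaustible(
            DIGITS, SECONDS_PER_DAY, kdf_iterations=kdf_iterations),
        "printable": longest_exhaustible(
            PRINTABLE_ASCII, SECONDS_PER_DAY, kdf_iterations=kdf_iterations),
    }


if __name__ == "__main__":
    print("single-pass key derivation:", one_day_limits())
    print("10,000 iterations (hypothetical):", one_day_limits(10_000))
    years = worst_case_seconds(PRINTABLE_ASCII, 10) / SECONDS_PER_YEAR
    print(f"10 mixed characters, single pass: about {years:,.0f} years")
```

At the assumed rate, the single-pass result matches the one-day thresholds cited above for 1Password and LastPass; the 10,000-iteration run is a hypothetical setting that shows how key stretching moves those thresholds.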
The three apps we know best, 1Password, LastPass, and mSecure, store password data in other places as well, a topic not addressed by Elcomsoft. 1Password stores its password data on a local volume or in a Dropbox folder, although it doesn’t provide a PIN-style interface on the desktop and advises that you pick a good password when you set it up. (Dropbox has seen various security failures in the past, though none recently.) LastPass caches password data on your desktop computer and mobile devices, but maintains the master copy on its servers for syncing, securing the data with your password, which the firm doesn’t retain. mSecure stores data in desktop and mobile data stores, and can sync between the two.
Any of these data stores could potentially be vulnerable, although the same issue applies: the cracker must obtain remote access to the data files, or gain physical access to a system from which data can be copied. Other password keepers with syncing capabilities undoubtedly suffer from similar theoretical vulnerabilities. And again, the concern largely disappears as long as you have a strong password.
Updating your app’s master password to a mix of letters, numbers, and punctuation (or even a few memorable words) of 10 characters or more will provide the greatest assurance of protection, although at the cost of reduced usability. In iOS, think about how you switch back and forth between keyboards to access numbers and punctuation; it makes sense to create a strong password that doesn’t require unnecessary keyboard flipping.
The white paper’s authors note that the lack of physical keyboards on touch-based smartphones and tablets contributes to people choosing shorter passwords. That’s in part why Windows 8 offers gestural passwords overlaid on personal photos.
For protection beyond a longer app password, you should either store your device backups in iCloud or, if you’re storing them locally, encrypt them with a strong password. Also, using iOS’s optional four-digit passcode significantly increases the security of your data. For even more security, you can set a strong passcode for your iOS device instead of the four-digit one; just turn off Simple Password in Settings > General > Passcode Lock, and enter a stronger passcode.
And if all this seems like too much trouble, consider whether it’s worth having access to all your passwords on your iOS device — it might be best simply to delete the password-keeping app and all its data.
The Response from Software Makers — After this story was first published and we contacted the three software makers discussed above, we received a response from LastPass’s Joe Siegrist, who says Elcomsoft is in error about the way in which LastPass currently protects a master password. As of four months ago, LastPass started using a substantially stronger method of obscuring a password, as noted in this blog post. That brings recovery difficulty far beyond 1Password and mSecure, according to Siegrist. Further, LastPass allows an increase in difficulty that makes weaker passwords harder to break as well. New accounts and password changes made since this security update went into effect get the additional protection. You can change your password in LastPass (even to the same current password) to ensure that the more-secure process is applied if you’re not sure.
AgileBits also responded, pointing us to a new blog entry that illustrates the time to crack passwords of various lengths and explains its current approach, which the firm believes is adequate but already had plans to improve. These plans include dropping PIN-only protection in the iOS version, and, alongside an associated switch to requiring iOS 5, adding a technique that slows down attackers. These moves should make shorter and numeric passwords safer as well as improving overall security.
Lastly, we heard from mSevenSoftware, makers of mSecure, which generally agrees with the conclusions of this article about password strength and will work to provide better feedback to users about the strength of chosen passwords. The firm noted that its Dropbox sync option requires a 12- to 30-character password that is stored only locally.
I was concerned to learn from Elcomsoft that the companies mentioned in the white paper were not made aware of these vulnerabilities in advance of the white paper being released. That’s common practice in the security world, to give firms a chance to address the vulnerabilities before the information becomes widely known.
An Elcomsoft spokesperson told me that too many companies were involved and the flaws were too fundamental to pre-disclose. That seems like a somewhat weak excuse (“it was too much work to contact each of them”), but since physical access to the apps’ data stores is necessary and the quick decryption relies on weak numeric passwords, the release of this information doesn’t create a “zero-day” exploit scenario in which crackers can immediately use the information to exploit vulnerable systems in a widespread fashion.
A Positive Outcome — In the long run, we’re glad to see all these firms — Elcomsoft and the makers of the various password-keeping apps — taking the issue of smartphone data security seriously.
Reminds me of this: http://xkcd.com/538/
If someone really, really wants your data, they will find a way to get at it, and that method might involve violence, deception, a court order, or all three.
Maybe I'm better off with something that's good enough to keep the casual hacker out, but weak enough that if someone is really, really determined to steal something from me, they can get at it without using violence. I'm terribly allergic to pain.
It's good to know precisely how at risk your data is, especially when white papers are issued that seem to indicate a high level of danger.
This article was intended to make sure the precise level of risk was understood. If Dropbox were ever successfully penetrated, for instance, I've relied on 1Password's security mechanisms to protect my password. I have a strong password and am thus secure (even after this research). But if you had a weak password, well, you should change it now.
1Password uses Dropbox to sync between devices. That just uses the master password. Seems like it would be better to attack that than to attack first iOS then 1Password. Maybe people pick better Dropbox passwords than iOS PIN #s, but I doubt it.
Glenn, this isn't just a matter of choosing a strong password. The ElcomSoft paper clearly demonstrates improper use of cryptography for many of the leading Password apps. Not to pick on 1Password, but here is an example of a critical flaw that has nothing to do with password strength, and that wasn't addressed by the blog post from Agilebits:
"However, because PKCS7 padding is used when encrypting database encryption key, it is possible to verify password just by computing KEK (using MD5 hash function), decrypting last block of encrypted database key, and checking if it equals to 16 bytes with value 0x10 (this will be the PKCS7-compliant padding when encrypting data whose length is exactly N blocks of underlying cipher). Thus, very fast password recovery attack is possible, requiring one MD5 computation and one AES trial decryption per password."
The paper claims this could allow 20 million brute-force password attempts per second.
Disclosure: I work on STRIP Lite, also reviewed.
I'm not enough of a cryptographer to evaluate the lower-level crypto and math claims, but I would be happy to link to such if someone does the calculations independently.
There are a few public benchmarks of GPUs being used against MD5 at a rate of tens or hundreds of millions per second (e.g. http://hashcat.net/oclhashcat-lite/ http://www.insidepro.com/eng/egb.shtml). Given the rig that was used, it seems like 20 million per second for combined MD5 and AES is reasonable.
> "The paper claims this could allow 20 million brute-force password attempts per second."
To be clear, we have not been able to verify that particular statistic.
They don't cite the computer and system in the paper, but we asked, and we opted to not include the details as they are not interesting to our audience.
They use a 12-core Intel i7 with an AMD graphics card. You can purchase a complete system custom configured with those options for under $3,000. They use both CPU and GPU calculations.
I like how this article defends one particular platform despite Blackberry also having exactly the same protections.
I love the "are entirely secure" if you use a strong PIN. Don't worry, that'll be fixed soon enough.
This is a Mac site; we don't discuss BlackBerry technology except in passing.
As for the second, you are misreading the article and the differences between PINs and passwords.
I would agree that the normal user is safe from cracking, even if the normal user had an unencrypted notepad application as his password vault.
However, to say that certain OSes are safe (and to disregard Elcomsoft's study) is dangerous if you actually have sensitive data (or have your phone stolen by the "wrong" people.)
With physical access, worst case criminals will desolder the NAND chips and plop them in a reader (a few thousand extra on top of the $4k cracking PC is nothing to them).
This is assuming, of course, you haven't been targeted (or happen to have installed a black-hat version of Charlie Miller's demo app).
These are the reasons why Elcomsoft made the point for strong passwords and encryption.
Incidentally, http://www.cellebrite.com/mobile-forensics-products/forensics-products/ufed-ultimate/ufed-physical-supported-phones.html says that the iPad 2 has a backdoor, so you might want to remove that from your safe list.
We don't say any particular OS is safe. And in the article we describe the level of risk in terms of what kind of person might want access to your data. Normal people aren't going to have people use liquid nitrogen to freeze the state of their chips.
iPad 2: We're not creating a safe list. We're noting the present reality as of the time this article was written.
I'm one of the developers referenced on the paper, and I've been in direct communication with the researchers. They have been helpful in understanding the weaknesses and proposing solutions. I'm thankful for that.
Thanks Glenn, interesting article! One question. You note that backing up your iOS device to iCloud is one way to keep the data out of a potential hacker's way (encrypting the iTunes backup being another). But what if someone hacks the iCloud servers? One reason I've never enabled iCloud backup is because I can't find any information on whether it's encrypted or not. So I stick with an encrypted local iTunes backup. Are you aware of whether iCloud iOS backups offer any encryption?
I did not have the answer to that and searched Apple's site. There's a support page that explains precisely how Apple encrypts data, transfers, and authentication. How neat.
https://support.apple.com/kb/HT4865
Thanks, Glenn, that's an incredibly useful article (also answers a couple things about Find My iPod that I've wondered). I don't know why I didn't come across it when I was looking into the iCloud backups on iOS 5's release, but I suspect I was too narrow in my search (focusing solely on wireless backups). So a huge thank you for digging this article up. Superb.