Elcomsoft Claims

Penelope Pitstop Junior Member
Calling Mr Goldberg ...

Implications of this for 1PW data security?

I seem to recall reading that your faith in iOS security made it acceptable to use weaker password protection on these devices?

Nothing to worry about I'm sure but it would be nice to hear what you think.

Comments

  • bswins Agile Customer Care
    edited May 2011
    Interesting article Penelope. Thanks for posting.

    Like you, I'll be waiting for a response from Professor Snape and other members of AgileBits' Dark Arts Defense Group.

    I was somewhat comforted by this statement in the article:


    (under the paragraph titled: Breaking the Encryption)

    Decryption is not possible without having access to the actual device because we need to obtain the encryption keys that are stored in (or computed by) the device and are not dumped or stored during typical physical acquisition.

    Source: ElcomSoft Breaks iPhone Encryption...


    Of course, my comfort lasts only as long as I can keep my iPhone from others.

    Regarding 1P, I hope the professor continues to believe that the 1Password.agilekeychain, or its future format, is unlikely to be compromised even if someone can break my iPhone's encryption...analogous to the recent Dropbox issue.

    In the meantime, I'll keep a tighter grip on my iOS devices! :)
  • MikeT Agile Samurai

    Team Member
    edited May 2011
    Hi Penelope,

    Thanks for posting this topic and the link to the article.

    First thing is that this security app requires the actual device in order for the app to decrypt your data. This may not be enough because it may only take a few minutes for the app to copy the encryption key from your iPhone. So, if you leave your iPhone unattended for a few minutes, then you might have a problem.


    As far as I can tell in this article, it seems to be part of the same security weakness from the previous weakness we heard in the beginning of the year. We wrote about it in this blog post:
    http://blog.agile.ws...safe-passwords/

    The shortest answer is I don't believe 1Password is affected by this exploit. The guys who wrote the app mentioned the same thing from the previous research. While you could decrypt all the contents of the keychains, you still can't decrypt the actual hashes stored within the keychain. In other words, we don't store your details in clear view in the keychain, only the encrypted values.

    The keychain is a system-wide storage area for application secrets such as user account details, usernames and passwords. While Elcomsoft Phone Password Breaker already has the ability to display the contents of the keychain area, it could only read the keychain from iOS backups. As it turns out, not all data from the system keychain is exported into the backup. For example, the backup password itself is present in the system keychain but is never exported to the backup. Application developers utilizing Keychain can choose whether records stored by their application should go to the backup or not. That said, the complete Keychain including items not included with the backup can be read and decrypted using the same set of keys obtained from the device.


    In this case, it's the same security weakness as the previous research showed.
  • jpgoldberg Agile Customer Care

    Team Member
    Elcomsoft are providing two tools. One is available for sale to everyone and does not change what we've previously said about security on iOS devices.

    The "Elcomsoft Password Breaker" does not gain access to what 1Password places in your iOS keychain (unless you use "migratable" backups, which are unfortunately called "encrypted" backups). So the previous advice stands that encrypting your device backup actually weakens your iOS security.

    As Elcomsoft describes in their recent blog post, http://blog.crackpassword.com/2011/05/elcomsoft-breaks-iphone-encryption-offers-forensic-access-to-file-system-dumps/

    The keychain is a system-wide storage area for application secrets such as user account details, usernames and passwords. While Elcomsoft Phone Password Breaker already has the ability to display the contents of the keychain area, it could only read the keychain from iOS backups. As it turns out, not all data from the system keychain is exported into the backup. For example, the backup password itself is present in the system keychain but is never exported to the backup. Application developers utilizing Keychain can choose whether records stored by their application should go to the backup or not.


    We are among the application developers who chose to exclude what we put in the iOS keychain from backups.

    But... And this is the big "but". Elcomsoft are claiming that they have found a way around that, and they provide a "Toolkit" for getting at everything on the device. This Toolkit is restricted to law enforcement entities only. (Which means I can't just buy a copy and see if it really does what it says it does.)

    http://www.elcomsoft.com/iphone-forensic-toolkit.html

    Frankly we can't take much comfort in the fact that they limit this toolkit to law enforcement only. Things like this, if they work, will leak out. Also once the bad guys know that something is possible, they should be able to find the same weakness Elcomsoft have found.

    We don't know whether Elcomsoft disclosed their discovery of the weakness to Apple as would be the norm among security researchers. I've always admired Elcomsoft for their technical abilities, and during their initial claim to fame one of their researchers, Dmitry Sklyarov, spent time in jail for trying to present his research at a conference. (I still have my "Free Dmitry Sklyarov" t-shirt.) But given the nature of their business, I suspect that they have not disclosed the vulnerability to Apple. It is certain that people at Apple are looking at this. We have no idea of how easy this will be to fix.

    We do provide an additional layer of obfuscation when storing information in the iOS keychain. It is well done, but nonetheless it is just obfuscation.


    At this point, I am inclined to repeat the "don't panic" advice set out at the end of

    http://blog.agile.ws/2011/02/lost-iphone-safe-passwords/

    But if you are particularly concerned about this, you may wish to change your iOS passcode from a four digit code to a full passphrase. This can be done by going into Settings on your iPad and iPhone and under General > Passcode Lock turn "Simple Passcode" to OFF.

    In 1Password you can remove the information from the iOS keychain by going to Settings (this now is the 1Password Settings) Sync > Dropbox > Account and tap "Reset". That will clear all of the information from the iOS keychain that 1Password uses for automatic syncing.

    You will, of course, need to re-enter the information the next time you wish to sync the data. We will look at ways of making what gets stored or not more configurable in future versions, but it is certainly too early to make any promises about what that would look like.

    Again, the overwhelming majority of people who steal an iPhone or iPad wish to wipe it clean and resell it. They will only go after data that are easy to get at. Still, we wish to keep your data safe from skilled and resourceful attackers as well, and so will be following the new report carefully and exploring what we can do.

    Cheers,

    -j
  • jpgoldberg Agile Customer Care

    Team Member
    edited May 2011
    It looks like I may have been caught up in Elcomsoft's style of reporting results along with others. With some help from my friends (Thank you, MikeT) and a little more of putting things in perspective, it now seems very possible that even Elcomsoft's "toolkit" for law enforcement represents nothing new in principle.

    What they appear to have done is further automated long known issues and combined things together. Their blog post makes it sound as if they are getting the device key off of the device, but it is far more likely that they are attempting to crack the device passcode on the device itself.

    So on this view, other than things being available in a commercial package, there is nothing fundamentally new with respect to iOS security in this latest Elcomsoft announcement. The same issues were widely reported back in February, which in turn was just a scripting of what was known long before.

    If the new tools (though not new actual breaks) are of concern, then your best approach is to go from a Simple Passcode (four digits) to a genuine password or pass phrase for your iPad, iPhone, or iPod Touch.

    Here, again, are those instructions:
    jpgoldberg wrote:

    This can be done by going into Settings on your iPad and iPhone and under General > Passcode Lock turn "Simple Passcode" to OFF.


    There is a very reasonable and level headed discussion of this here:

    http://arstechnica.c...ion-toolset.ars

    Cheers,

    -j
  • Penelope Pitstop Junior Member
    edited May 2011
    Thanks all for the replies and Jeff in particular for the advice on using a passphrase to lock the phone instead of the simple 4 digit code.

    Intellectually at one level, I just want to blindly follow your advice but on another I can't stop myself from needing to properly understand what's going on so that I can decide if the trade off between the convenience and security of a simple passcode is something I want to worry about.

    I've now had a chance to properly read and digest the information in the various blog postings referenced in replies to my post. I want to make sure I properly understand it, hopefully you can help me.

    Elcomsoft wrote:

    By default (with "Simple passcode" option enabled), passcodes consist of only four digits, meaning that only 10,000 possibilities exist. Having to enter their passcode pretty often, most users keep their passcodes to the default length of only four digits for the sake of usability.

    Ten thousand combinations do not sound like much. On a PC, breaking a passcode of this length would only take a few moments. Unfortunately, passcodes can only be bruteforced on the device itself. With iPhone 4, the maximum time of breaking a 4-digit passcode is therefore about 40 minutes, while taking about 20 minutes on average. iPhone 3GS is slower, and it takes a bit longer to break a passcode there. In fact, phones running iPhoneOS 3.x can be broken without knowing the passcode by simply removing it; with iOS 4.x, a valid passcode is required to gain full access.

    So I see that using a more complex passphrase will make these brute force attacks impracticable but what about the setting that wipes the phone after 10 failed attempts? Could they just re-image the bit for bit copy of the phone and try ten more? It would slow them down more but would still make it possible to crack a simple 4 digit passcode in a reasonable amount of time.

    Elcomsoft wrote:

    It is possible to overcome the requirement of having the correct passcode by using escrow keys. Escrow keys are created and stored by iTunes when you first plug an iOS device into the computer. Having a set of escrow keys collected from a computer to which an iOS device was once connected gives the same powers as knowing the passcode (except that you can't deduce the passcode itself).

    So does this mean that they can get at the data in the backup using the escrow keys but not the keychain off the device itself? If I understand correctly, the iOS keychain on the device itself has the keys and credentials necessary to decrypt the Agile keychain but the backup doesn't because Agile ensure that this critical data is not part of the backup.

    It sounds like a simple passcode might allow access to all the data on my phone but, whilst they might be able to read my email or see my contacts database, they won't be able to decrypt my Agile keychain even if they have my iTunes backup files too. Is that right?
  • Penelope Pitstop Junior Member
    jpgoldberg wrote:

    But if you are particularly concerned about this, you may wish to change your iOS passcode from a four digit code to a full passphrase. This can be done by going into Settings on your iPad and iPhone and under General > Passcode Lock turn "Simple Passcode" to OFF.


    I've asked some more general questions in another reply but ...

    How complex do you have to make the passphrase to thwart the technique that Elcomsoft-like attackers would use, given they are currently restricted by the performance of an iPhone 4?
  • brenty

    Team Member
    edited May 2011

    Intellectually at one level, I just want to blindly follow your advice but on another I can't stop myself from needing to properly understand what's going on so that I can decide if the trade off between the convenience and security of a simple passcode is something I want to worry about.

    This is a good instinct. Since it is your data, you need to be sure you understand the risks and make a decision accordingly. That's what we're here for -- to help in any way we can. :)


    So I see that using a more complex passphrase will make these brute force attacks impracticable but what about the setting that wipes the phone after 10 failed attempts? Could they just re-image the bit for bit copy of the phone and try ten more? It would slow them down more but would still make it possible to crack a simple 4 digit passcode in a reasonable amount of time.

    I believe that there is nothing stopping these brute force attempts from being made on that data itself. The timeout on bad unlock attempts and the wipe after 10 failed passcode attempts (Settings > General > Passcode Lock > Erase Data) are enforced by the UI on the device, not in the data itself. In other words, when they are talking about doing this in 20-40 minutes, that means about a half hour of continuous guessing of all of the possible passcodes until they find one that works. This is performed against the data on the device itself (connected to a computer via USB), rather than making some poor guy pound away at the unlock screen. :)


    So does this mean that they can get at the data in the backup using the escrow keys but not the keychain off the device itself? If I understand correctly, the iOS keychain on the device itself has the keys and credentials necessary to decrypt the Agile keychain but the backup doesn't because Agile ensure that this critical data is not part of the backup.
    It sounds like a simple passcode might allow access to all the data on my phone but, whilst they might be able to read my email or see my contacts database, they won't be able to decrypt my Agile keychain even if they have my iTunes backup files too. Is that right?

    I believe you are correct. And again, this is why we don't have 1Password data available in backups saved by iTunes. I'll let Jeff step in if he has something to add (or correct), but this is my understanding of the situation.
  • Penelope Pitstop Junior Member
    brenty wrote:

    I believe that there is nothing stopping these brute force attempts from being made on that data itself. The timeout on bad unlock attempts and the wipe after 10 failed passcode attempts (Settings > General > Passcode Lock > Erase Data) are enforced by the UI on the device, not in the data itself. In other words, when they are talking about doing this in 20-40 minutes, that means about a half hour of continuous guessing of all of the possible passcodes until they find one that works. This is performed against the data on the device itself (connected to a computer via USB), rather than making some poor guy pound away at the unlock screen. :)

    Thanks for your reply brenty.

    From my reading I got the impression that the speed of this attack is constrained by the performance of the single iOS device. Is that true? Does it mean that we can safely use a weaker passphrase for an iOS device than the one we might choose for our master password in 1PW?

    As per my earlier question, how strong does it need to be (number of diceware words) to make an attack impracticable?

    If they did crack the device pass phrase, does that mean they can get at the vital 1PW keys and credentials necessary to decrypt the Agile keychain?
  • Hi,

    After reading this, it dawned on me that putting all my stuff (bank details, passwords) on the phone may not be wise. I'd love to hear the thoughts of an Agile representative on this.

    Also, could you clarify exactly how data is protected, ie the file is encrypted using the iPhone chip, and it also lives in an encrypted filesystem? Is it doubly encrypted, and is it better?

    thanks in advance

    -a
  • MikeT Agile Samurai

    Team Member
    Hi xgt, I merged your topic into this thread. Please read the previous posts about this. Your data still remains safe with 1Password.
  • jpgoldberg Agile Customer Care

    Team Member
    edited May 2011

    How complex do you have to make the passphrase to thwart the technique that Elcomsoft-like attackers would use, given they are currently restricted by the performance of an iPhone 4?


    Because the testing of the device passcode must be done on the device, that already slows things down. If we go by Elcomsoft's claim that it takes 40 minutes to test 10000 possibilities:

    Unfortunately [sic], passcodes can only be bruteforced on the device itself. With iPhone 4, the maximum time of breaking a 4-digit passcode is therefore about 40 minutes, while taking about 20 minutes on average.

    this works out to just a tiny bit more than 4 trials per second. Given that extreme slowness, I wouldn't go as far as using diceware for an iOS password.

    First you will need a passcode that is reasonably easy to type on an iOS device. For an iPad that means both letters and numbers as the keyboard shows both. For the iPhone or iPod you will probably want something that is all digits or all letters. So let's first look at average crack time for something that is only lowercase letters, a-z. (Note this requires random selection of passcode. More on that later.)

    Four lowercase letters: 15 hours
    Five lowercase letters: 17 days
    Six lowercase letters: 1 year, three months
    Seven lowercase letters: 32 years


    Now let's consider mixed case letters (where it is truly random whether a particular letter is upper or lower case):
    Four mixed case letters: 10 days
    Five mixed case letters: 1 year, 6 months
    Six mixed case letters: 78 years


    Or let's consider just digits:
    Four digits: 20 minutes
    Five digits: 3 hours, 20 minutes
    Six digits: 34 hours
    Seven digits: 2 weeks


    So really something like six lower case letters should be easy enough to remember and reasonable to type on an iPhone or iPod.

    As I said, this all assumes that you pick truly random passcodes instead of something that is meaningful. You can use 1Password's strong password generator to do this. On the iPhone or iPad go to (More ...) > Passwords and tap the "+" button. Set include digits and include symbols to OFF and set the desired length. 1Password's generator will give you mixed-case passwords, but you can always treat "T" as "t". Of course you will need to remember this passcode for your iOS device.

    We don't have the Strong Password generator built into 1Password for iPad, but you can use 1Password on your Mac to create a new Account of the type "Generic Account" and then use the Strong Password Generator in there. In 1Password for Windows you can get to the Strong Password Generator by creating a New Login.

    My main advice is to be realistic and not to make things too hard for yourself. It is tempting to say "oh I want a passcode that would take centuries to crack" but you will need to remember this passcode and type it into a small keyboard frequently, so do consider what a thief would be willing to do to get at your data.

    Cheers,

    -j
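    The crack-time table above follows from one number: Elcomsoft's figure of 10,000 four-digit codes in about 40 minutes on an iPhone 4, i.e. roughly 4 guesses per second, with the average search covering half the keyspace. This added example (not code from the thread, AgileBits or Elcomsoft) reproduces the table from that rate and extends it to the diceware passphrases asked about earlier, assuming a standard 7776-word list and uniformly random selection.

```python
"""Expected on-device brute-force time for a uniformly random iOS passcode.

Added example, not from the thread. The only input is Elcomsoft's stated
worst case (10,000 four-digit codes in ~40 min on an iPhone 4); everything
else is keyspace / rate. The diceware row is an extension of the table:
7776 words is the standard list size and is an assumption here.
"""
from math import log2

FOUR_DIGIT_SPACE = 10 ** 4
FOUR_DIGIT_MAX_SECONDS = 40 * 60                  # Elcomsoft: ~40 min worst case
GUESSES_PER_SECOND = FOUR_DIGIT_SPACE / FOUR_DIGIT_MAX_SECONDS   # ~4.17/s

ALPHABETS = {
    "digits": 10,             # 0-9
    "lowercase": 26,          # a-z
    "mixed case": 52,         # a-z plus A-Z, case chosen at random
    "diceware words": 7776,   # assumed 6^5-word list, words picked uniformly
}


def keyspace(alphabet_size, length):
    return alphabet_size ** length


def average_crack_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Expected time to hit a random passcode: half the keyspace at `rate`."""
    return keyspace(alphabet_size, length) / 2 / rate


def entropy_bits(alphabet, length):
    return length * log2(ALPHABETS[alphabet])


def humanize(seconds):
    """Coarse human-readable duration for table output."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.0f} seconds"


def crack_table(alphabet, lengths, rate=GUESSES_PER_SECOND):
    """Map passcode length -> expected crack time in seconds for one alphabet."""
    size = ALPHABETS[alphabet]
    return {n: average_crack_seconds(size, n, rate) for n in lengths}


if __name__ == "__main__":
    plan = [("digits", range(4, 8)), ("lowercase", range(4, 8)),
            ("mixed case", range(4, 7)), ("diceware words", range(2, 5))]
    for alphabet, lengths in plan:
        for n, secs in crack_table(alphabet, lengths).items():
            print(f"{n:>2} {alphabet:<15} {entropy_bits(alphabet, n):5.1f} bits  "
                  f"{humanize(secs)}")
```

The figures match the table above to within rounding (e.g. six mixed-case letters comes out at about 75 years against the stated 78); change GUESSES_PER_SECOND to see how much the estimate moves if the per-guess cost on the device is different.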
  • Penelope Pitstop Junior Member
    edited May 2011
    Cool, thanks Jeff.