Protection of the 1Password Vault from Ransomware

laugher
edited January 2016 in Lounge

Hi,

I'm currently evaluating 1Password's defenses against attack vectors from Ransomware. I'll start off with a simple question:

What happens when my vault is synchronized/backed up to the cloud via Dropbox and a particularly nasty party somehow got to it via one of my mobile devices or a laptop or even a desktop and started encrypting my whole Dropbox without my knowledge? The 1Password keys are also encrypted and then "synchronized" to ALL my other devices that also use 1Password.

As you might be aware, Dropbox does not in itself offer 2FA during the authentication phase making it more likely for a potential attacker to focus upon.

Besides suggesting I implement a strong password for Dropbox (which I have), and not fully understanding how the 1Password secret keychains are stored in Dropbox, can you advise what happens in this particular scenario? It seems to me that the endpoint devices that synchronize with Dropbox become the weak point in the chain. Comments? Suggestions?

Thanks!


1Password Version: Current (but also applies to all)
Extension Version: Not Provided
OS Version: Windows, iOS, Android
Sync Type: Dropbox and iCloud

Comments

  • brenty

    Team Member

    I'm currently evaluating 1Password's defenses against attack vectors from Ransomware. I'll start off with a simple question:

    @laugher: Great questions — but it doesn't really pertain to 1Password.

    What happens when my vault is synchronized/backed up to the cloud via Dropbox and a particularly nasty party somehow got to it via one of my mobile devices or a laptop or even a desktop and started encrypting my whole Dropbox without my knowledge? The 1Password keys are also encrypted and then "synchronized" to ALL my other devices that also use 1Password.

    Dropbox syncs your data. That includes any changes, including creation, modification, and deletion. If someone else has access to your system, they can do whatever they want to any of your data. Your 1Password vault is just part of the filesystem, so while they cannot decrypt it without your Master Password, they can add their own encryption (or simply delete it) and make it inaccessible to you.

    Like any of your data (documents, pictures, etc.), it's important to keep backups. It doesn't matter what it is: in the case of ransomware, accidental deletion, theft, fire, or drive failure, you can lose data. So having a backup on- and off-site is crucial.

    As you might be aware, Dropbox does not in itself offer 2FA during the authentication phase making it more likely for a potential attacker to focus upon.

    Can you explain what you mean? That doesn't seem to be the case. The term "2FA" (Two-Factor Authentication) refers explicitly to (and happens only during) the "authentication phase".

    To be clear, in all of these scenarios, the 'attack vector' is the same: you are no longer in control of your data. And similarly, the mitigation is the same: backup your data. That makes it so you can recover from any of these scenarios, and 1Password encrypts your data so that someone else accessing it (in Dropbox or elsewhere) cannot decrypt it. I hope this helps. Let me know if you have any other questions! :)

  • 1Password has a backup feature built in. Keep your backup off of Dropbox in this case.

  • Hi @laugher,

    I'm going to approach your query from a slightly different angle.

    Currently the ransomware I'm aware of attacks certain locations and certain file types, so I'm not aware of one that would go after a 1Password vault. Let's say for the purpose of the argument, though, that this changes. Now, ransomware is local to a single machine, so unless you've been caught badly you're looking at an individual machine messing things up. The ransomware, to really mess you over, would have to encrypt your locally stored vault as it applies to that platform as well as the sync data, which would be something as follows.

    • Mac. The locally stored (and encrypted) SQLite database file, locally stored backups and any sync data in Dropbox. All are accessible locally, so as long as the ransomware is aware, it's certainly possible.
    • Windows. The Agile Keychain or OPVault wherever they are stored, which may or may not be on Dropbox, and the locally stored backups. Like the Mac, all still possible.

    So let's assume machine A is messed up beyond belief, what happens to other machines syncing to it?

    • Mac or iOS device. Neither will be able to read the now encrypted sync container so the locally stored vault remains unchanged since the last sync.
    • Windows. Windows does read and write directly to the OPVault or Agile Keychain, so if the Dropbox-maintained copy was encrypted by ransomware it is lost. Any backups made by this second copy of 1Password for Windows, though, are locally stored and can be used to recover almost all, if not everything, that was contained in the now inaccessible OPVault or Agile Keychain.
    • Android. I don't know this platform well at all (it seems I need to buy more kit for "research" purposes), but I'm being told it's like iOS in this respect. Syncing would stop, but the vault can still be accessed.

    I believe Dropbox also allows you to revert to a previous state, but I think you have to do this file by file, which would be horrible if you had an Agile Keychain with hundreds of items, as the Agile Keychain stores each item in its own file. If ransomware starts encrypting your local Dropbox folder then all the security in the world isn't going to help, as you've authorised that computer to read and write to Dropbox.

    Does any of that help?

  • laugher
    edited February 2016

    Hi littlebobbytables,

    Yes. Your additional information is helpful.

    I think 1Password vaults are perfect targets for Ransomware. What better than to lock out someone's password vaults and never allow that person to access his own data again, because access to the data is either password protected or, worse, the data is encrypted with the password! And the person(s) behind the Ransomware attack don't even need to guess where your "valuable" data is, because your password is the key to the fiefdoms or kingdom! :)

    And yes, @brenty, while a backup would sensibly deter these attempts, backups are not executed throughout the day in an enterprise, and rarely are they executed against 3rd party cloud repositories. Password changes during the day would be totally lost if I were to use the password generator (which I do).

    In the absence of backups, I know Dropbox does allow you to recover data as long as no one goes into my Dropbox settings and permanently deletes the files (which I think they can do). I'm not sure about recovering from iCloud storage and am guessing they have a mechanism in place to do so.

    At home, I occasionally do a backup. It sounds absolutely silly, I know. But I don't know too many homes that do regular backups. I try. Trust me, I do. It's on my to-do list. :)

    To complicate things, a regimented backup process needs to be implemented, i.e. a Grandfather/Father/Son backup mechanism as an example. A simple copy of the vault (even if it's automated to run at a scheduled time of day, daily) could cause the backups to also replicate the Ransomware-encrypted vault, overwriting the previous day's backup. I would need to implement proper backup best practices at home! I wonder how many users are going to know how to do that? :)

    As for 2FA in Dropbox. I am not referring to interactive logins to Dropbox. My 1Password vault is currently being synced to Dropbox without an interruption from a 2FA process.

    But what I was particularly worried about is the scenario @littlebobbytables launched into an analysis of. What happens when the vault is encrypted, and does the "damaged" vault then propagate through all my synchronized devices?

    So what you're telling me is that any Windows Phone or Windows 10 clients running 1Password would receive the Ransomware encrypted vault? Is this something AgileBits might look at "rectifying" in the future? At least bring the Windows solutions around to match the Mac/iOS/Android solutions to reduce costs in your operational support model?

    Thanks,
    Michael.
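The failure mode in the post above (a scheduled copy that overwrites yesterday's good backup with the ransomware-encrypted vault) is easy to avoid in a backup script if it validates the vault before rotating and never writes over an existing generation. The following is an added example, not code from this thread or from AgileBits. It assumes the vault is in the OPVault format, whose `default/profile.js` holds `var profile={...};` wrapping a JSON object with the key-derivation fields, and it uses a constructed placeholder vault (no real secrets) so it runs stand-alone. Retention is a plain sliding window of `keep` generations; a Grandfather/Father/Son schedule would be a different `prune()` policy over the same directory of generations.

```python
"""Versioned, validated backup of an OPVault-format 1Password vault.

Added example (not AgileBits code). Assumptions: the vault directory contains
default/profile.js of the form 'var profile={...};' (OPVault layout), and the
backup root lives somewhere the synced machine does not write to day to day.
"""
import json
import os
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional

PROFILE_PREFIX = "var profile="
REQUIRED_KEYS = ("salt", "iterations", "masterKey", "overviewKey")


def vault_looks_intact(vault: Path) -> bool:
    """Structural check only: an encrypted-by-ransomware blob is no longer
    'var profile={...};'. This does not verify the vault cryptographically
    (there is no Master Password here); it just refuses to rotate junk in."""
    profile = vault / "default" / "profile.js"
    try:
        text = profile.read_text(encoding="utf-8").strip()
    except (OSError, UnicodeDecodeError):
        return False
    if not (text.startswith(PROFILE_PREFIX) and text.endswith(";")):
        return False
    try:
        obj = json.loads(text[len(PROFILE_PREFIX):-1])
    except json.JSONDecodeError:
        return False
    return isinstance(obj, dict) and all(k in obj for k in REQUIRED_KEYS)


def generations(backup_root: Path) -> List[Path]:
    """Completed generations, oldest first (timestamp names sort correctly)."""
    return sorted(p for p in backup_root.iterdir()
                  if p.is_dir() and not p.name.endswith(".partial"))


def prune(backup_root: Path, keep: int) -> None:
    """Drop the oldest generations beyond the sliding window."""
    gens = generations(backup_root)
    for old in gens[:max(len(gens) - keep, 0)]:
        shutil.rmtree(old)


def backup_vault(vault: Path, backup_root: Path, keep: int = 14,
                 stamp: Optional[str] = None) -> str:
    """Copy `vault` into backup_root/<stamp>/ as a new generation.

    Returns 'backed-up', or 'refused' if the vault fails the structural check,
    in which case nothing on the backup side is touched. A plain scheduled
    copy would have overwritten the last good generation at this point."""
    if not vault_looks_intact(vault):
        return "refused"
    backup_root.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    dest = backup_root / stamp
    if dest.exists():                       # never overwrite a generation
        raise FileExistsError(f"generation {dest} already exists")
    partial = backup_root / (stamp + ".partial")
    shutil.copytree(vault, partial)         # copy fully first ...
    os.replace(partial, dest)               # ... then publish with one rename
    prune(backup_root, keep)
    return "backed-up"


# --- constructed fixtures for a stand-alone run (placeholder values) ---------

def make_sample_vault(vault: Path) -> None:
    """Minimal OPVault-shaped directory; the base64 strings are fake."""
    (vault / "default").mkdir(parents=True)
    profile = {"profileName": "default", "uuid": "0" * 32,
               "salt": "c2FsdA==", "iterations": 100000,
               "masterKey": "bWFzdGVy", "overviewKey": "b3ZlcnZpZXc="}
    (vault / "default" / "profile.js").write_text(
        PROFILE_PREFIX + json.dumps(profile) + ";", encoding="utf-8")
    (vault / "default" / "band_0.js").write_text("ld({});", encoding="utf-8")


def simulate_ransomware(vault: Path) -> None:
    """Overwrite every file with random bytes, as an encrypting payload would."""
    for f in vault.rglob("*"):
        if f.is_file():
            f.write_bytes(os.urandom(f.stat().st_size + 16))


def demo(keep: int = 2) -> Dict[str, object]:
    """Two good nightly runs, then one after 'infection'."""
    with tempfile.TemporaryDirectory() as tmp:
        vault = Path(tmp) / "1Password.opvault"
        root = Path(tmp) / "backups"
        make_sample_vault(vault)
        first = backup_vault(vault, root, keep, stamp="20160201-0300")
        second = backup_vault(vault, root, keep, stamp="20160202-0300")
        simulate_ransomware(vault)
        third = backup_vault(vault, root, keep, stamp="20160203-0300")
        gens = generations(root)
        return {"runs": (first, second, third),
                "generations": [g.name for g in gens],
                "latest_intact": vault_looks_intact(gens[-1])}


if __name__ == "__main__":
    print(demo())
```

The third run is refused and the two earlier generations survive untouched, which is the property a nightly `copy` job lacks. For the Agile Keychain format the same idea applies, but the check would have to walk the per-item `.1password` files instead of one profile file.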

  • littlebobbytables

    Team Member
    edited February 2018

    Hi @laugher,

    So everything I stated earlier was in relation to our stable versions of 1Password, 1Password 6 for Mac and iOS, 1Password 4 for Windows and now a very new 1Password 6 for Android.

    We currently have in beta a brand new Windows client that we're, at least for now, calling 1Password Windows Modern, but full confession, I don't know if we've settled on the name or not. The new version of 1Password for Windows does use a database like the others, in part due to its support of 1Password for Teams (also still in beta). 1Password for Teams isn't our attempt at a sync service, as there isn't technically syncing in that sense; rather than a peer-to-peer mentality with password databases, it's more in the line of a traditional server/client model where the client interacts with the server. It used to be the case that we'd always make the statement that we never have your data and so we have nothing that can be stolen or recovered. It's mostly still true, due to some massive efforts of leveraging maths in our favour: while we now technically hold a copy of the data, at no point do we ever see an unencrypted copy of it, nor are we in the position to help somebody recover it no matter what pleading they do; we've made it in such a way so that mathematically we can't - it's the only way to be sure. So there is 1Password for Teams and a fairly in-depth white paper available for the curious. Brand new as of yesterday there is also 1Password Families, using the same security and ideas but aimed at a very different audience. We're not walking away from people that don't want their data even in our hands but trust the product, so it's more about options.

    So there is change in the winds.

    Oh, and I can't see any possible way ransomware on a single machine could affect the server. In fact I wish I could find a backup service that worked like this, as I'm pretty sure it would protect the user against ransomware damaging backups. That's the one big fear/requirement I have as I continue my search for a Windows backup option: one where multiple versions are retained and it's a server/client model, so that at no point can ransomware trample over the backup. Ideally the software or service is very reasonably priced too, as it's for a charity (and when are they not strapped for cash).
