puzzling statement in "Managing 1Password secrets in memory"

bkh
Community Member

In https://discussions.agilebits.com/discussion/comment/494637/#Comment_494637 it appeared to be established with @brenty that the combination of a crash, memory dump, and telemetry could export master password, secret key, and vault contents in plain text in the absence of malware.

In view of that, it was puzzling to see paragraph 2 in the official AgileBits statement on the issue at https://support.1password.com/kb/201902a/

"The most important thing to know is that the issue described in the report is only a threat to a computer that is already compromised. If your computer is not compromised, you aren’t affected by the issue."

Were we incorrect in our joint understanding that a crash and memory dump could expose secrets in the absence of malware? Or did the official statement inadvertently assert something that isn't quite right?



Comments

  • AGAlumB
    1Password Alumni

    @bkh: My comments were in response to specific hypotheticals raised by individuals in the discussion. I don't think it is sensible (or feasible) for a knowledgebase article to cover every possible hypothetical scenario. I'm really sorry for any confusion I caused though.

  • ski22
    Community Member

    @brenty:
    Your knowledge base article specifically stated “if your computer is not compromised, you aren’t affected by the issue”.

    This knowledge base article was written in response to the ISE research paper issues found in your product. The ISE research paper specifically stated your system does not have to be compromised for you to be at risk.

    They said “secrets may be extracted in a non-running state as a by-product of system activity and/or crash/debug log files.”

    Your knowledge base article is very misleading to your customers. Why?

  • AGAlumB
    1Password Alumni

    @ski22: What is the risk, if the machine is not compromised? As far as I can tell, the ISE paper indicates that the issue exists even if the machine is not compromised. We're not disputing that. But it is important to note that without the machine being compromised, there is no actual threat.

    What's misleading is telling people that they are under attack when they are not; and without the machine being compromised, they are not.

  • ski22
    Community Member

    @brenty: so you consider a crash/debug log that could be transmitted back to the developer of a software product a compromised system? Something specially stated in the research paper.

    Shouldn’t your customers be aware of this issue and be prepared to not allow a crash/debug log to be transmitted? How is that a compromised system?

  • AGAlumB
    1Password Alumni

    @ski22: That sounds like malware to me: something sending secrets without your knowledge or consent. "Best" case scenario, that would be a huge bug. And I think that characterization would be generous for what you're suggesting.

    The point is, 1Password doesn't do that. We don't have control over what other people's software does. And software that does bad ("Mal, from the Latin") things is the definition of malware.

  • ski22
    Community Member
    edited March 2019

    It doesn’t have to be malware. It could be any trustworthy driver or software product that crashes and sends back a crash/debug log to help the developers. That’s not a compromised system, nor is it malware.

  • AGAlumB
    1Password Alumni

    It's not trustworthy if it's sucking up memory allocated to other apps. How is an attacker going to collect the data, and retrieve it, without having malware running on your machine? Hence, the system would need to be compromised, which is why the knowledgebase article takes care to clarify that. Otherwise people can -- and do -- get the impression that somehow their secrets can be stolen just by virtue of using 1Password or one of the others in the report, and that's simply not the case. I don't see the benefit to 1Password users to be misled to believe otherwise.

  • ski22
    Community Member

    Do you consider Nvidia drivers malware?

    Here is what they state:

    https://nvidia.custhelp.com/app/answers/detail/a_id/4641/~/collecting-a-full-memory-dump-in-windows-10

  • AGAlumB
    1Password Alumni
    edited March 2019

    Collecting a full system memory dump to troubleshoot a graphics issue is asinine. If the software is capturing and sending all of that without informed consent from the user, I would characterize it as malware. It doesn't look like that's what's happening though, but rather that a user might do that. I wouldn't recommend it, whether you use a password manager or not.

    At the end of the day, listing all of the possible permutations of bad things untrustworthy software could potentially do if you allow it to run on your machine is well outside of the scope of 1Password itself and therefore the document in question, which is about 1Password. We're not in a position to document every issue with any software out there, just 1Password. If you're an Nvidia customer and disagree with the way they're doing things (I don't have all the context, as I'm not using their tools), you'd need to get in touch with them.

  • ski22
    Community Member

    The fact remains, telling your customers ONLY a compromised system is at risk of this memory issue is very misleading and plain wrong. I’m sure Nvidia isn’t the only trustworthy company getting full system dumps on crashes.

    Your customers concerned about this memory issue should be warned not to allow full system dumps to be sent. Full stop.

  • ski22
    Community Member

    More information about full system dumps and how trustworthy developers might request them. I doubt your customers know how this puts the customer at great risk because the complete password database including the unlock passcode is in plain text in memory. Even in a lock state.

    https://www.howtogeek.com/196672/windows-memory-dumps-what-exactly-are-they-for/

  • AGAlumB
    1Password Alumni

    Again, that isn't something that is going to happen spontaneously, and it doesn't apply specifically to 1Password users. No one should send information like that to a third party blindly.

    As I said already,

    "How is an attacker going to collect the data, and retrieve it, without having malware running on your machine?"

    I'm sure you can think of all sorts of other creative scenarios in which you'd do a memory dump, but the fact remains that an attacker would need to have some way to capture that and exfiltrate it from your system. If you have reason to believe that you're in that kind of situation, it's important that you not access sensitive information and get help disinfecting.

  • ski22
    Community Member
    edited March 2019

    So Nvidia and other trustworthy developers needing a full system dump for crash analysis are attackers?

    Telling your customers “only” compromised systems are at risk of 1Password’s flaw of leaving ALL your passwords in memory in plain text (even in a lock state) is a big disservice to your customers in my opinion.

    Your customers don’t realize the huge risk of providing memory dumps to trustworthy developers. They don’t realize 1Password’s flaw of the complete 1Password database and 1Password unlock passcode in plain text in that dump.

  • AGAlumB
    1Password Alumni
    edited March 2019

    Only compromised systems are at risk from attackers. But we cannot stop you from sending anything to another party yourself. That's you collecting and sending the data. That is not an "attack" scenario. I'm sure you know that, but if not we're going to just have to agree to disagree at this point I think.

  • ppiixx
    Community Member

    Sending a full memory dump to any developer is incredibly risky. Even if your 1Password secrets aren't in there, things like your Google session secrets probably are.

    Maybe 1Password could add a warning that you should reboot before collecting and sending a full memory dump to anyone, but I really don't think this is a common occurrence.

  • jpgoldberg
    1Password Alumni
    edited March 2019

    @bkh asked

    "Were we incorrect in our joint understanding that a crash and memory dump could expose secrets in the absence of malware?"

    Default Windows settings (as far as I see, though this might differ in many ways) set the default Kernel Dump Mode to Automatic Memory Dump. It is a variety of Kernel Memory Dump, about which the documentation says

    "This dump file will not include unallocated memory, or any memory allocated to user-mode applications."

    1Password for Windows also opts out of Windows Error Reporting. This should also reduce the likelihood of 1Password memory appearing in such a dump and definitely prevent 1Password memory contents being transmitted.

    I don't want to make excessively strong claims about the protections that those offer; but at the same time, I would like to ask you all to test and report whether a system crash is writing 1Password memory to disk. (It might be interesting to contrast what happens when the system crash is induced when 1Password is locked versus unlocked.)
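
An added example, not part of the original thread and not 1Password's code: a read-only PowerShell audit of the Windows settings the post above refers to, reporting whether a system crash dump would include user-mode memory and whether Windows Error Reporting is set to write full user-mode dumps locally. The registry paths and value meanings are Windows' documented ones and are assumptions relative to this page; the script does not check 1Password's own WER opt-out.

```powershell
# Added example: audit crash-dump settings that decide whether user-mode
# memory (where a password manager's secrets live) can be written to disk.
$crashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$werRoot      = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting'
$localDumps   = "$werRoot\LocalDumps"

# CrashDumpEnabled values as documented by Microsoft (not taken from the page).
$dumpModes = @{
    0 = 'None'
    1 = 'Complete memory dump'
    2 = 'Kernel memory dump'
    3 = 'Small memory dump'
    7 = 'Automatic memory dump'
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$mode        = Get-RegValue $crashControl 'CrashDumpEnabled'
$werDisabled = Get-RegValue $werRoot 'Disabled'

if ($null -eq $mode)                   { $modeName = 'Not set' }
elseif ($dumpModes.ContainsKey($mode)) { $modeName = $dumpModes[$mode] }
else                                   { $modeName = "Unknown ($mode)" }

# WER LocalDumps: the global key plus per-application subkeys.
# DumpType 2 means a full user-mode dump of the crashing process.
$fullDumpKeys = @(Get-Item $localDumps -ErrorAction SilentlyContinue) +
    @(Get-ChildItem $localDumps -ErrorAction SilentlyContinue) |
    Where-Object { $_.GetValue('DumpType') -eq 2 }

[pscustomobject]@{
    SystemDumpMode         = $modeName
    SystemDumpFile         = Get-RegValue $crashControl 'DumpFile'
    # Only a complete memory dump captures memory of user-mode applications.
    UserMemoryInSystemDump = ($mode -eq 1)
    WerDisabled            = ($werDisabled -eq 1)
    WerFullLocalDumpKeys   = @($fullDumpKeys | ForEach-Object { $_.PSChildName })
    WerLocalDumpFolder     = Get-RegValue $localDumps 'DumpFolder'
}
```

`UserMemoryInSystemDump` being true, or any entry in `WerFullLocalDumpKeys`, means process memory can land in a dump file on disk, which is the condition the post asks readers to test for.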

This discussion has been closed.