Lost iPhone? Safe passwords!

When the ‘net is abuzz with videos and headlines like Lost iPhone? – Lost passwords! and iPhone Attack Reveals Passwords in Six Minutes and iPhone passwords succumb to researchers’ attack and hundreds more like it, it is more than natural for users of 1Password for iPhone and for 1Password for iPad to be concerned about what happens when their iPhone, iPad or iPod Touch falls into the hands of the bad guys.

As we reported earlier today, the bad guys get nothing from or about 1Password. We’ve had lots of queries, so I wanted to just write up a quick note at the time. But now I would like to take the time to discuss things in more detail.

The crucial point can be found in the full report (PDF) by Jens Heider and Matthias Boll of the Fraunhofer Institute for Secure Information Technology:

Secrets within other protection classes, such as passwords for websites, could not be revealed in our lost device scenario. In our proof of concept implementation, these secrets [...] were available to the script only after entering the passcode to unlock the device, which by assumption should not be possible for an attacker.

The lesson here is that only some of the passwords stored on the device are available to an attacker. None of your 1Password data, and none of the data that 1Password needs to perform automatic syncing, falls into the vulnerable class. We designed 1Password with the knowledge that phones get stolen and that devices can be jailbroken. Those design decisions are why we remain confident about 1Password even in light of these recent headlines.

The rest of this article just provides some background and spells out our security measures in more detail. At the very end, I talk about what you should do if your iPhone, iPad, or iPod Touch is stolen. You may wish to skip directly there.

Where’s your data?

The bulk of your 1Password data is in an encrypted database file. There is encryption provided by iOS (the operating system), and our own encryption based on your master password on top of that. Today’s reports are not about that database file; the attacks they describe are against items stored in iOS keychains.

For automatic syncing via Dropbox, 1Password does store some extremely sensitive information in an iOS keychain. When 1Password fetches your data with Dropbox it needs three things: It needs to login to your Dropbox account, it needs to decrypt the data that it fetches from Dropbox, and it needs to re-encrypt that data to store it in the data format we use on iOS. (All of this encryption and decryption is performed only on your device.) To do this automatically 1Password stores the following in an iOS keychain.

  1. Your Dropbox credentials (email address and Dropbox password)
  2. Your master password for your data as stored on Dropbox
  3. Your master password for 1Password on your iOS device

If those three things fell into the hands of the bad guys your data would be entirely compromised. We want to make sure that that never happens.

iOS Protection classes

I mentioned up top that 1Password data in the iOS keychain is not in the vulnerable “Protection Class.” Here are the gory details about what that means.

When items are saved to an iOS keychain on iOS 4 or later there are different settings that can be used to define how they are encrypted and which keys are needed to decrypt them. There are six setting combinations that matter for this discussion. Items can be set to “Accessible Always”, “Accessible after First Unlock”, or “Accessible only when Unlocked”. Each of those three can be set as either “Migratable” or “Non-migratable.”

The only keychain items that can be retrieved by the attacks described are those that fall into the “Accessible Always” class. Things stored this way are items that should be available to software on the phone as soon as it is turned on, even if the user doesn’t unlock it. These are typically network passwords, such as Wi-Fi login information. It also includes MobileMe passwords and MS-Exchange passwords.

The data that 1Password stores in an iOS keychain has the most restrictive settings. It is set with both “Only when Unlocked” and “Non-migratable.” The first setting is what protects it against the kind of attack demonstrated by the researchers at Fraunhofer. The disadvantage of using this setting is that syncing won’t start happening immediately when your phone is turned on. We are very happy with the design choice we made in that respect.

The “Non-migratable” setting prevents attacks against device backups, as it ensures that the information is always encrypted with a unique hardware key built into the device. The disadvantage of using this setting is that if you wish to migrate all of your device settings and data to a different device you will have to re-enter the passwords needed to set up Dropbox syncing. Again, I think you will agree that we made the correct design choice with that.
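To make the two settings concrete, here is an added example (not AgileBits’ code) of what they look like at the keychain API level: the same generic-password item written first with the weak “Accessible Always” class (kSecAttrAccessibleAlways, since deprecated in later iOS releases) and then with the “Only when Unlocked” + “Non-migratable” combination the post describes (kSecAttrAccessibleWhenUnlockedThisDeviceOnly), plus a read that handles the locked-device case. The service and account names and the sample password are constructed.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

static NSString *const kSyncService = @"com.example.sync";   // hypothetical service name

// Save a secret in the app's keychain. kSecAttrAccessible selects the protection
// class: which keys are needed to decrypt the item and when iOS will hand it back.
static OSStatus StoreSecret(NSString *account, NSData *secret, CFTypeRef accessibility)
{
    NSDictionary *match = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kSyncService,
        (__bridge id)kSecAttrAccount: account,
    };
    SecItemDelete((__bridge CFDictionaryRef)match);   // avoid errSecDuplicateItem on re-run
    NSMutableDictionary *item = [match mutableCopy];
    item[(__bridge id)kSecValueData]      = secret;
    item[(__bridge id)kSecAttrAccessible] = (__bridge id)accessibility;
    return SecItemAdd((__bridge CFDictionaryRef)item, NULL);
}

// Read it back. A "when unlocked" item fails with errSecInteractionNotAllowed while
// the device is locked: that is the cost of the class, and why sync cannot start
// before the user unlocks the phone. Callers must treat it as "retry later", not as an error.
static NSData *ReadSecret(NSString *account, OSStatus *status)
{
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kSyncService,
        (__bridge id)kSecAttrAccount: account,
        (__bridge id)kSecReturnData:  @YES,
        (__bridge id)kSecMatchLimit:  (__bridge id)kSecMatchLimitOne,
    };
    CFTypeRef result = NULL;
    *status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    return (*status == errSecSuccess) ? (__bridge_transfer NSData *)result : nil;
}
int main(void)
{
    @autoreleasepool {
        NSData *pw = [@"constructed-sample-password" dataUsingEncoding:NSUTF8StringEncoding];
        // WEAK: "Accessible Always", migratable. Readable as soon as the device boots,
        // no passcode needed, and restorable from a backup onto other hardware.
        StoreSecret(@"dropbox-password", pw, kSecAttrAccessibleAlways);
        // HARDENED: "Only when Unlocked" + "Non-migratable", the combination the post
        // describes. Needs the passcode-unlocked key and this device's hardware key.
        StoreSecret(@"dropbox-password", pw, kSecAttrAccessibleWhenUnlockedThisDeviceOnly);
        OSStatus st;
        NSData *back = ReadSecret(@"dropbox-password", &st);
        if (st == errSecInteractionNotAllowed) NSLog(@"locked: retry after unlock");
        else if (back) NSLog(@"read %lu bytes", (unsigned long)back.length);
    }
    return 0;
}
```

Run on a device, the second store overwrites the first, so only the hardened copy remains; a background fetch that hits errSecInteractionNotAllowed should simply wait for the next unlock rather than fall back to a weaker class.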

“So what should I do if my device is stolen?”

The first thing to remember if your iPhone, iPod Touch or iPad is stolen is the simple words, “don’t panic.” The fact that you have been using 1Password already means that you’ve done 90% of what you need to do to protect your data. All the actions described here are just extra precautions.

As discussed above, some sensitive data (though not from 1Password) can be revealed through the attacks above. Network passwords (Wi-Fi passwords, VPN settings) can be exposed. More importantly, MobileMe and Exchange logins can be exposed. So those are passwords that you will need to change. If those passwords aren’t unique, you should change the password for every login that uses them. Users of 1Password on the desktop will find great tools to manage that chore.

Your 1Password data is safe from known attacks. But we also need to be concerned about attacks that we don’t know about. So it would be a good idea to change your Dropbox password quickly after discovering that your iPhone has been stolen. Your 1Password master password is actually the kind of thing that should be made strong from the beginning and rarely changed, but you may wish to change that as well.

If you subscribe to MobileMe you may also try the Remote Wipe feature. This is a good thing to try if your iPhone is stolen, but keep in mind that anyone who would launch a sophisticated attack against your iPhone would know to remove the SIM card first to foil Remote Wipe and Find My iPhone.

In the vast majority of cases of a stolen iPhone, iPad or iPod Touch the thief is far more interested in selling the device than the data it contains. Once they see that your device is password protected, they will just wipe it themselves. But we aren’t only interested in the vast majority of cases. We have designed 1Password to withstand sophisticated attacks as well as casual ones. The recent news has given me the opportunity to discuss some of the guts of what we do to keep your data secure against sophisticated, resourceful attackers.

Thanks, and stay safe out there.

23 replies
  1. Chris Davidson
    Chris Davidson says:

    Many thanks for writing this article. I assumed 1Password wouldn’t be vulnerable to this reported attack but it’s very reassuring to get a confirmation.

    Note that a MobileMe subscription isn’t necessarily required to use Find My iPhone and remote wipe functionality. It “is now free on any iPhone 4, iPad, or fourth-generation iPod touch running iOS 4.2” (see ). I’m using it happily on my iPhone 4 without a subscription.

    • Jeff
      Jeff says:

      Thanks for that, Chris. You are absolutely correct. I’d forgotten that Find My iPhone and Remote Wipe were now available without a subscription.

  2. Nigel
    Nigel says:

    Thanks for this write up. Very interesting to know about how the keychain works on iOS devices. And, of course, great to hear that you guys made sound design decisions from the outset.

  3. Louie Lee
    Louie Lee says:

    Awesome! Thanks for the article. I assumed that the 1Password database would be safe….

    I appreciate your candidness in your design decisions, and glad you don’t rely on “security” by obscurity. :)

  4. Tracy
    Tracy says:

    If I’m reading this correctly, the 3 pieces of data in the iOS keychain are only safe from this attack if the user has a passcode lock in use. If the user does not have a passcode, or the passcode is compromised, then everything is vulnerable. Is this correct?

    • Jeff
      Jeff says:

      Yes, Tracy.

      This does depend on using the device passcode. However, it is still unclear whether this could be used to break into keychain items stored by third party apps (like 1Password.) One feature of iOS is that app specific keychains need to be opened by the apps themselves. It is not immediately clear how that extra layer of encryption could be defeated on a jailbroken phone. So I don’t have a definitive answer for you at this time.

      Cheers,

      -j

  5. celerity
    celerity says:

    So, the only thing a hacker needs to do is to crack the 4-digit iPhone passcode to unlock the WHOLE keychain after performing the attack described above? Given the fact that such code has only 4^10 combinations it would take a modern PC about a second to do that. Password strengthening might increase brute force time say by 3000x, which would mean in worst case no more than an hour.

    Now when all saved passwords in the keychain are accessible, Dropbox, 1P MP and iOS MP are compromised. In short, ALL YOUR BASE ARE BELONG TO US. Please tell me I am wrong!

    • Jeff
      Jeff says:

      Hi Celerity,

      Normally a four digit passcode is trivial to break as you point out. However, because of how iOS uses a hardware encryption key, you can only attempt to break this on the device itself. You can’t run a cracker on a separate machine. So what seems like trivial protection is actually much stronger than it first appears.

      I’ll try to write more about this later, but for the moment, I wanted to just let you know that iOS security is deceptively simple. It appears simple to the user, but it is actually much better protected underneath.

      Cheers,

      -j

  6. celerity
    celerity says:

    The hacker might simply install an SSH server on the iPhone and run a brute-force script. ARM Cortex-A8 (Apple A4 chip) performs about 2000 MIPS which is more than enough for such attack.

    In fact, there are apps written especially for the iPhone for WEP cracking (Aircrack-ng).

    Neither will the “Wipe after 10 failed attempts” protect since it’s GUI dependent.

    I look forward to reading more from you!

    • Jeff
      Jeff says:

      Celerity, I expect that you are correct about this. Since the scripts are run on the device, they have access to the device key.

      What remains a question is whether codesigning is also defeated. That is, even with the device passcode, would our keychain data be exposed? I suspect that it would, as the jailbreaking already evades some of the codesigning requirements. But I haven’t specifically investigated.

      We do provide another layer beyond this. The information that we store in the iOS keychain is also encrypted with a key built into 1Password for iOS. This last layer is, admittedly, security by obscurity, and is not something that should be relied upon as a major line of defense. But it does mean that an attack on your 1Password data in the iOS keychain would also need to include a specialized attack against 1Password itself.

      If people are concerned about this sort of attack in general or specifically about 1Password data then they may wish to consider going beyond the 4 digit passcode for the device. Launch Settings > General > Passcode Lock and turn “Simple Passcode” to OFF. This will allow for device passcodes which go beyond the 4 digit ones.

      Cheers,

      -j

      • celerity
        celerity says:

        Jeff, I don’t claim to know how it’s done, I just assume it’s theoretically possible. Unfortunately turning off “Simple Passcode” would compromise the usability. Perhaps manual syncing might be a better option.

        • Jeff
          Jeff says:

          Ultimately that is a choice that users will have to make. We are certainly looking at ways to give users finer control of this (again, without compromising ease of use), as well as looking to see ways in which we can support convenient syncing without depending so heavily on the iOS keychain.

          One thing that I didn’t mention in the blog post is that the actual techniques behind the recent headlines have been long known. What changed last week was the amount of press attention the issue has received. So even though this is “old news” to us it still highlights that security is a dynamic process. We don’t just produce a product, declare it secure, and then let things stand. We actively look at both the changing landscape as well as for things that we may have overlooked previously.

          Cheers,

          -j

  7. Robin Parduez
    Robin Parduez says:

    Thanks for taking the time to write this detailed article. I heard the news about the vulnerability in iOS and was hoping for some clarification on the safety of my 1Password data on my iPhone and iPad. You’ve done that! Great work as always guys. 1Password is so convenient and saves me so much time. Thanks

    • Jeff
      Jeff says:

      Hi, Robin.

      Thank you very much. We want our users to be fully informed about the security measures in 1Password and where we see potential threats.

      Cheers,

      -j

    • Jeff
      Jeff says:

      You can change your master password for your data stored on Dropbox on either the Mac or PC version of 1Password by going to the Security tab in Preferences and clicking the button that says “Change Master Password…” On the Mac, you can get to Preferences under 1Password in the menubar at the top of your screen when 1Password is running. On Windows, click on the Preferences icon in the 1Password application.

      Cheers,

      -j

  8. Alpesh Patel
    Alpesh Patel says:

    Thanks Jeff for sharing this info. It’s very important for persons like me who keep all their data on iPhone. Easy to carry anywhere you go but at times it becomes deadly when you lose it.

    • Jeff
      Jeff says:

      Hi Alpesh,

      You are very welcome. I hope that by going into some of the details I’ve helped clarify what the (known) risks are.

      Cheers,

      -j

  9. Peter
    Peter says:

    Maybe I am wrong, but Apple should just allow each application to read its own content from the keychain. How/why is it possible for a regular application to query other applications’ information then?

    g peter.

  10. RudyG
    RudyG says:

    A quick question about DropBox. Many of us have the DropBox app on our iOS device. My concern is regarding how well this app stores the pwd compared to how 1Pass does. By default, the DropBox app will cache user and pwd to log you in automatically. This would seem to me to compromise the integrity of the whole 1Pass security if the device should fall into the wrong hands. Comments?

  11. Andras
    Andras says:

    I have two questions regarding the article:

    As you mention 1Password stores the following in iOS keychain:

    1. Your Dropbox credentials (email address and Dropbox password)
    2. Your master password for your data as stored on Dropbox
    3. Your master password for 1Password on your iOS device

    My question is: if I delete 1Password from my iOS device, will these passwords still remain in the keychain?

    And my other question is: are passwords stored on devices with older iOS (3.1.3 in my case) safe? As per the article only iOS 4 and above has that extra security. I have a 3G, so iOS 4 is not an option due to performance issues.

  12. Andras
    Andras says:

    One more question: why do you store the Dropbox password in the keychain? In the Dropbox Mobile API (https://www.dropbox.com/developers/docs) they advise not to store the password, instead:
    “Get a token once and reuse that token forever unless they manually unlink. The SDKs actually does this for you, so use it right. You should never need to store user login data to use the API.”

    I think it would be more secure storing only that “token/secret pair” not the actual credentials.

    • Felipe Castro
      Felipe Castro says:

      Nice question but I think that even if they stored only the token/secret, an attacker would still be able to access the dropbox account. Of course your dropbox email and password wouldn’t be visible but then again, this info would probably be accessible through your 1password data the attacker is after in the first place.

      The only really secure method is to NOT store ANY sensitive data in the keychain unless it is encrypted with some external key obviously not stored in that keychain.

      As I see it, the only real weakness about 1password is in the auto-sync method they chose. I’m hoping to have a “manual-sync” option that would not need to store any sensitive data in the keychain.

      On another thought, why not store the dropbox information (token) in the same encrypted file used for all the passwords and then ask the user for his master password before syncing?

      Regards
