When the ‘net is abuzz with videos and headlines like Lost iPhone? – Lost passwords! and iPhone Attack Reveals Passwords in Six Minutes and iPhone passwords succumb to researchers’ attack and hundreds more like it, it is more than natural for users of 1Password for iPhone and for 1Password for iPad to be concerned about what happens when their iPhone, iPad or iPod Touch falls into the hands of the bad guys.
As we reported earlier today, the bad guys get nothing from or about 1Password. We’ve had lots of queries, so I wanted to just write up a quick note at the time. But now I would like to take the time to discuss things in more detail.
The crucial point can be found in the full report (PDF) by Jens Heider and Matthias Boll of the Fraunhofer Institute for Secure Information Technology:
Secrets within other protection classes, such as passwords for websites, could not be revealed in our lost device scenario. In our proof of concept implementation, these secrets [...] were available to the script only after entering the passcode to unlock the device, which by assumption should not be possible for an attacker.
The lesson here is that only some of the passwords stored on the device are available to an attacker. None of your 1Password data or the data that 1Password needs to perform automatic syncing falls into the vulnerable class. We designed 1Password with the knowledge that phones get stolen and that devices can be jail broken. Those design decisions are why we remain confident about 1Password even in light of these recent headlines.
The rest of this article just provides some background and spells out our security measures in more detail. At the very end, I talk about what you should do if your iPhone, iPad, or iPod Touch is stolen. You may wish to skip directly there.
Where’s your data?
The bulk of your 1Password data is in an encrypted database file. There is encryption provided by iOS (the operating system) and our own encryption based on your master password on top of that. Reports like what we’ve seen today are not about that data. What we have seen are attacks against things stored in iOS keychains.
For automatic syncing via Dropbox, 1Password does store some extremely sensitive information in an iOS keychain. When 1Password fetches your data with Dropbox it needs three things: It needs to login to your Dropbox account, it needs to decrypt the data that it fetches from Dropbox, and it needs to re-encrypt that data to store it in the data format we use on iOS. (All of this encryption and decryption is performed only on your device.) To do this automatically 1Password stores the following in an iOS keychain.
- Your Dropbox credentials (email address and Dropbox password)
- Your master password for your data as stored on Dropbox
- Your master password for 1Password on your iOS device
If those three things fell into the hands of the bad guys your data would be entirely compromised. We want to make sure that that never happens.
iOS Protection classes
I mentioned up top that 1Password data in the iOS keychain is not in the vulnerable “Protection Class.” Here are the gory details about what that means.
When items are saved to an iOS keychain on iOS 4 or later there are different settings that can be used to define how they are encrypted and which keys are needed to decrypt them. There are six setting combinations that matter for this discussion. Items can be set to “Accessible Always”, “Accessible after First Unlock”, or “Accessible only when Unlocked”. Each of those three can be set as either “Migratable” or “Non-migratable.”
The keychain information that can be retrieved by the attacks described are only those that fall into the “Accessible Always” Class. Things stored this way are items that should be available to software on the phone as soon as it is turned on, even if the user doesn’t unlock it. These are typically network passwords, such as WiFI login information. It also includes MobileMe passwords and MS-Exchange passwords.
The data that 1Password stores in an iOS keychain has the most restrictive settings. It is set with both “Only when Unlocked” and “Non-migratable.” The first setting is what protects it against the kind of attack demonstrated by the researchers at Fraunhofer. The disadvantage of using this setting is that syncing won’t start happening immediately when your phone is turned on. We are very happy with the design choice we made in that respect.
The “Non-migratable” setting prevents attacks against device backups, as it ensures that the information is always encrypted with a unique hardware key built into the device. The disadvantage of using this setting is that if you wish to migrate all of your device settings and data to a different device you will have to re-enter the passwords needed to set up Dropbox syncing. Again, I think you will agree that we made the correct design choice with that.
“So what should I do if my device is stolen?”
The first thing to remember if your iPhone, iPod Touch or iPad are the simple words, “don’t panic.” The fact that you have been using 1Password already means that you’ve done 90% of what you need to do to protect your data. All the actions described here are just extra precautions.
As discussed above some sensitive data (though not from 1Password) can be revealed through the attacks above. Network passwords (WiFI passwords, VPN settings) can be exposed. More importantly MobileMe and Exchange logins can be exposed. So those are passwords that you will need to change. If those passwords aren’t unique, you should change passwords for every login that uses those. Users of 1Password on the desktop will find great tools to manage that chore.
Your 1Password data is safe from known attacks. But we also need to be concerned about attacks that we don’t know about. So it would be a good idea to change your Dropbox password quickly after discovering that your iPhone has been stolen. Your 1Password master password is actually the kind of thing that should be made strong from the beginning and rarely changed, but you may wish to change that as well.
If you subscribe to MobileMe you may also try the Remote Wipe feature. This is a good thing to try if your iPhone is stolen, but keep in mind that anyone who would launch a sophisticated attack against your iPhone would know to remove the SIM card first to foil Remote Wipe and Find My iPhone.
In the vast majority of cases of a stolen iPhone, iPad or iPod Touch the thief is far more interested in selling the device than the data it contains. Once they see that your device is password protected, they will just wipe it themselves. But we aren’t only interested in the vast majority of cases. We have designed 1Password to withstand sophisticated attacks as well as casual ones. The recent news has given me the opportunity to discuss some of the guts of what we do to keep your data secure against sophisticated, resourceful attackers.
Thanks, and stay safe out there.