Posts

The NSA can do what to my iPhone?

After Der Spiegel, along with Jacob Appelbaum at the 30th meeting of the Chaos Computer Club, published an astonishing trove of documents revealing a great deal of the extent of the NSA’s penetration of the network and its capabilities to install spying mechanisms into individuals’ computers and devices, one of the least significant documents is getting the most press attention. That document is, of course, the one describing the DROPOUTJEEP program.

If you were to believe press reports, you would believe that every iPhone on Earth could be (or is) infected (“implanted” in NSA jargon) with NSA spyware. But what happens if we actually look at the document?

Overlooked facts about DROPOUTJEEP

  1. The document is from 2008 describing 2007 technology. Thus it only applies to the first iPhones.
  2. The “implant” cannot be done remotely. It requires “close access”, which probably means physical access to the phone.
  3. It had not been deployed at the time the document was drafted.

For a fuller discussion of what the documents do and don’t say, I refer you to an excellent article by Graham Cluley, “DROPOUTJEEP. Can the NSA spy on every iPhone on the planet?”. Indeed, Cluley wrote the article that I would have liked to write; so I will just highlight a few points instead of repeating things.

Where do things stand now?

Question: What can we conclude about the NSA’s current capabilities and attacks against recent iOS devices (iPhones, iPads, iPod Touches)?

Answer: Almost nothing.

iDevice security has improved enormously since the first iPhones. The difference between the iPhone 3G and the iPhone 3GS alone was a huge leap. (Not a minuscule “quantum leap”.) Though of course there have been several publicly disclosed or discovered vulnerabilities in various versions of iOS over the intervening years. So while we know about improvements in iOS security, we don’t have any information about how successful the NSA has been at keeping up with (or staying ahead of) that. The only thing we can safely assume is that they would like to have the capabilities (incorrectly) described in the media and that they will have had highly skilled people working on it.

Would NSA spyware be able to break or work around 1Password security?

We have no idea of whether the NSA can break or go around 1Password security. The tool described in DROPOUTJEEP would have been able to ship your encrypted 1Password data to the NSA. That is, it could “remotely pull/push files from the device”, which would include any files—documents, photos, and that sweet GarageBand track you’re tinkering with. But there is no indication from the listed capabilities that it could grab your Master Password, keys, or encrypted data. Still, the “safer” assumption is that they could have.

As for today, we again have no idea. The question of how well any security product stands up against threats from a compromised operating system is tricky. In a technical sense, once the operating system is compromised then nothing running on it can be trusted. But in a practical sense, applications can sometimes put up meaningful defenses against some of the attacks that do exist from a compromised operating system.

Nobody can realistically claim that they are safe from the NSA. We simply don’t know their full capabilities. But 1Password does provide end-to-end encryption, with no reason to believe that the encryption we use can be broken by the NSA. So we can say that 1Password is “PRISM Resistant”. When the NSA captures your encrypted 1Password data, they – in all likelihood – need to guess your Master Password to decrypt your data. If they already control the computer or device you are using, then they can probably get around 1Password’s security.

The ends of end-to-end

[Update: This section was added on January 1 2014 to more explicitly spell out the implications of the previous paragraphs.]

1Password provides end-to-end encryption. This is what makes it “PRISM Resistant”.  If your data is captured by any attacker, governmental or otherwise, from your machine or from a sync service, we believe that the best attack is to try to guess your Master Password. PRISM represents a threat that end-to-end encryption does defend against.

End-to-end encryption does not cover the situation where the attacker has compromised the system on which you are decrypting your data. That is, if the attacker controls something that you use at either “end” of your end-to-end encryption (such as the operating system), then this poses a threat that end-to-end encryption does not solve.  Thus DROPOUTJEEP represents the kind of threat that end-to-end encryption does not defend against.

DROPOUTJEEP doesn’t tell us about the NSA’s current capabilities, but it does tell us that the NSA in the past has had the capability and intention to compromise iPhones. It is more than plausible that they have continued to develop the program over the past six years. To the extent that they have been successful (something we simply don’t know), then we can only advise people to behave as if nothing on their devices is protected from the NSA.

Although it should go without saying, I will repeat myself:  If the US government is aware of vulnerabilities in iOS (or any other system) and has failed to disclose those vulnerabilities to Apple, we have absolutely no choice but to consider the US government to be “black hats”.

Miscellany

I started out saying that I think that DROPOUTJEEP is one of the least significant of the documents released. I haven’t studied more than just a few, but I find the overall penetration of the Internet the most disturbing at this point.

AgileBits is a Canadian company comprised of people from a variety of different countries. But I am a US Citizen, and as one I am furious that my own government is working to make my job harder. My job is to help you keep your data secure. Every time my government discovers (or even creates) a vulnerability in network and application security that they don’t disclose to the vendor is a time when they are harming everyone’s security.

Their activity also makes it extremely difficult for people to know who they can trust. I will state again that we have never been asked, pressured, or ordered to do anything that would weaken our products or your security, nor have we ever deliberately weakened our products. For a discussion of what reasons you might have to believe us when we say that, see 1Password and the Crypto Wars.

Update: Apple statement

Apple appears to have issued a statement saying that it had no knowledge of any back door into iOS. The statement, as reported by All Things D, reads:

Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products. We care deeply about our customers’ privacy and security. Our team is continuously working to make our products even more secure, and we make it easy for customers to keep their software up to date with the latest advancements. Whenever we hear about attempts to undermine Apple’s industry-leading security, we thoroughly investigate and take appropriate steps to protect our customers. We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who’s behind them.

[Update: This post has been edited to correct the spelling of Appelbaum's name and to explicitly mention that there have been several vulnerabilities in more recent versions of iOS over the intervening years. It has also been updated to include a section that explicitly spells out what end-to-end encryption does and doesn't protect you against.]

1Password and The Crypto Wars

Of all of the revelations about the NSA that began in June and continue to this day, the one that has shocked me the most is the fact that the United States National Security Agency has been deliberately inserting weaknesses into security products and even into NIST standards. In light of this, it is fit and proper for anyone who relies on 1Password for their security and privacy to ask whether 1Password has been, or could be, tampered with to deliberately weaken it.

The easy questions

Has 1Password been deliberately weakened?

No.

Have we, AgileBits, ever been asked/compelled/pressured/contacted by any entity asking us to weaken 1Password?

No.

Could we be compelled to weaken 1Password or allow for the weakening of 1Password?

Not without substantial risk that such an attempt would become public.

Those questions are the easy ones to answer. The harder question is why you should believe those answers.

Why should you believe us

It is impossible to absolutely prove that our answers to the easy questions above are truthful. But what I can do is provide a number of more verifiable claims, each of which makes it harder for us to lie about any of this. In combination, these should be enough to persuade you that there is no backdoor (deliberate weakness) in 1Password and that it would be very unlikely for one to be introduced.

They can’t gag all of us

We have developers in four separate countries: Canada (AgileBits is a Canadian company), the United States, the United Kingdom, and the Netherlands. The gag orders that accompany National Security Letters in the US would not bind non-US citizens outside of the US. Likewise the Canadian, British, or Dutch analogues to National Security Letters wouldn’t bind US citizens. To compel all of us to betray our customers and principles, they would need to coordinate that legal compulsion in four jurisdictions.

This doesn’t entirely rule out the possibility of such a set of gag orders, but it does make such compelled silence much harder to achieve. This also doesn’t rule out other avenues of attack. In particular, could just one or two people within AgileBits sneak in a backdoor? We’ll talk about that below, but note that the inability to gag so many of us means that a backdoor would have to remain unknown to most of us.

Our lack of data collection is verifiable

Your 1Password data is under your control. Out of the box, 1Password creates a local data file (your “vault”) and sync is disabled. We never have the opportunity to see your Master Password or even your encrypted 1Password data. 1Password not only gives you “end-to-end” encryption, but our overall design means that we are never in a position to turn over or intercept your data. We simply never see it in any form whatsoever.

Furthermore, we never see how you use 1Password. We don’t know what sites you log into, we don’t know how many 1Password items you have. Indeed, we don’t even know whether you use 1Password or not. We offer a soon-to-be-incremented number of data synchronization methods, none of which involve us ever having the opportunity to intercept your data. When 1Password 4 for Mac arrives soon, Wi-Fi sync (currently in testing) will allow you to sync locally, meaning your data never has to leave your local network.

You can monitor 1Password network activity for yourself to confirm that your data, even encrypted, is never sent to us. All of this dramatically reduces where a backdoor could be inserted.  Indeed, it eliminates the otherwise easiest to insert and most difficult to detect backdoors. So an entire range of attacks is already off the table.

As always, this doesn’t rule out all kinds of mischief, but it substantially limits the scope and opportunity for an attack.

Our data format is verifiable

We have been very open about providing the details of the encryption and data format that 1Password uses. Anyone can verify that 1Password does produce the files we say it does. They can also examine whether that overall design is strong.

This doesn’t rule out every kind of sabotage that could be done, but it does rule out a broad range of some of the easiest lines of attack. Because this limits where a weakness could be introduced, it’s harder for a deliberate weakness to be introduced that isn’t noticed by others who can access the source code.

As a consequence of this, everyone with access to the source code knows where to look for possible tampering. This makes it harder for a backdoor to be introduced without it being noticed by many of us. As pointed out above, they can’t gag us all.

Lavabit has set a precedent

One company, Lavabit, has shut itself down rather than comply with betraying their customers. This increases the risk of discovery to those trying to compel developers to introduce weaknesses.

It is impossible to predict how we would react in absence of having the full details of such compulsion in front of us; there are just too many unknowns and too many forms of compulsion. But the very real possibility that we would shut ourselves down (which would be public) rather than sabotage what we do and love should act as some deterrent to those who might wish to compel us to introduce a backdoor.

Only communications tools appear to be targeted

From the most recent revelations, the targets appear to be communication tools and protocols. 1Password is not such a tool. This doesn’t mean that the NSA couldn’t change their focus, but from what we know so far, 1Password is not the kind of thing they are after.

Going around crypto instead of through it

Even if you don’t find any of the individual reasons listed above to be persuasive, they interact powerfully. In combination, they make it much harder to get a weakness into 1Password without taking on large risks of getting caught and failing. Any attacker, including the NSA, will avoid high risk, high cost attacks if there are safer and easier alternatives. I’m therefore confident that the NSA would rather go around 1Password than through it.

Crypto Wars II

In the 1990s, there was a series of debates, pressure, civil disobedience, and cryptographic developments that have come to be known as “The Crypto Wars”. At the heart of this was the US and other governments’ efforts to prevent people from having access to cryptographic tools which those governments couldn’t break. In the end, governments (seemingly) surrendered, in large part because the tools they wished to use to enforce those restrictions (export restrictions, the Clipper Chip) just weren’t going to work.

What the 5 September, 2013 revelations show is that the US government has taken a different tack. The Crypto Wars may never have ended. Instead of explicitly and openly trying to limit the power of the cryptographic tools allowed to the public, they are now surreptitiously sabotaging the tools that we all use. As before, this will be fought on the political front—people telling their representatives that they don’t want hobbled security tools—and on the technological front—building better, stronger, more robust and verifiable systems.

Our role in this as a company is to be transparent about our approach to security while keeping your 1Password data protected.

On the NSA, PRISM, and what it means for your 1Password data

It should come as no surprise that the NSA (United States National Security Agency) has easy access to data that ordinary people store online. Section 215 of the PATRIOT Act (of 2001) and section 702 of FISA (renewed and extended many times over its long history) give the US government the legal authority to gather such data and to keep the fact of gathering that data secret.

What is new is that there are confirmations of the prior suspicions that they are gathering telephony metadata about everyone, even if there is no specific reason to connect those people to a specific investigation, and that they have mechanisms in place to make it quick and easy to obtain data stored with various Internet service providers.

If the US government wants your data stored with Apple or Dropbox, it is easy for them to obtain it with no notification to you that they are doing so. This fact is not news. The laws have long enabled them to do that.

The news is (a) that the NSA and FBI have been collecting data about telephone calls on a large and indiscriminate scale while publicly stating that they weren’t, and (b) that they have mechanisms in place with various service providers, including Apple, to be able to collect data from individuals. The latter, we are now being told, is not indiscriminate; and the actual mechanisms are unclear.

Does this matter for 1Password users?

I think this matters for everyone, but here I will focus only on what this specifically means for 1Password. The latest news really changes little. We have gone from a situation where the government could “easily obtain the data” to one where “it’s so easy that they may have already made a copy.” Looking only at implications for 1Password, this is not anything new. The US government can easily obtain data you may store on iCloud and Dropbox. That just isn’t anything new, and so it isn’t anything new for 1Password.

Nonetheless, this does give us an opportunity to talk both about what data we at AgileBits may have about you and also about how resistant your 1Password data might be to the NSA.

We don’t know who you are, but we love you

We’ve never been asked to turn over data about you. Sure, some of that is because we are a Canadian company, but most important is the simple fact that we really don’t have any data to turn over. The easiest way for us to protect your data and data about you is to not have that data in the first place. We can’t reveal or abuse data that we don’t have. You can read the details of the data we do and don’t have.

In summary, we only have information about you that you explicitly provide to us. If you sign up for our Newsletter, we will have your email address. If you purchase from our store directly, then we have the information you provided at time of purchase (though we only retain partial credit card details). If you contact us through support, we have a record of those communications. If you make your purchase of 1Password through Apple’s app stores, we are only given aggregate information (how many people from which countries).

We do not have your 1Password data. We do not know your 1Password Master Password. We don’t even know if you use 1Password. We do not know how many items you have in your data or their type. Our image server (used for Rich Icons in 1Password 4) is set up in a way that we never see the IP addresses of individual requests. That server never gives us information about what is in any individual’s 1Password data.

Quite simply, you don’t have to be concerned about AgileBits gathering information about you. We just don’t have much information in the first place.

How NSA-proof is your 1Password data?

Returning to the (unsurprising) fact that the US government can easily obtain your data from cloud services, we can ask about how resistant the 1Password data formats might be to an attack by the NSA.

As we’ve often said, we designed the data format used in 1Password with the knowledge that some people would have their data stolen. It might get stolen because their computer is stolen or it might get stolen because of a data breach at a service like Dropbox. Either way, we’ve assumed that there would be circumstances where an attacker may get hold of your 1Password data, and so we designed the data formats with encryption to keep your secrets secret.

We can only guess (but make reasonable guesses) about the NSA’s capabilities. We can’t rule out that there might be some flaw in the design of our data format that neither we, nor anyone who’s studied it, have found but that the NSA is aware of and able to exploit. Finally, there is the potential use the NSA could make of your 1Password data even without decrypting it.

In judging NSA capabilities, we need to keep in mind that they have a history of discouraging the US government from using systems that the NSA could break. If the NSA could break AES-CBC-128, then they would not be advising US government agencies to use it. Interestingly there is a history of the US and UK governments advising foreign governments to use cryptographic systems derived from Enigma, which the US and UK could break at the time.  But the NSA has (correctly) operated under the assumption that if they have found a way to break something, others will too.

Tweet from @EdwardTufte: PRISM "providers": classic PPT statistical graphic: 13 logos, 10 numbers, 9 bubbles, 1 giant green arrow. #powerpoint

It’s also reasonable to assume that the gap between the kinds of cryptanalytic techniques that the NSA has, and what the academic community has, is not as large as it was in the past. We did see evidence of the NSA (presumably) using a novel technique in Flame. We know that they are ahead, but as the number of people who publicly study cryptanalysis increases, the gap should narrow significantly. It certainly appears that their skills in designing presentation slides are more than a decade behind readily available and documented public techniques.

From these I comfortably operate on the assumption that the actual building blocks (AES, etc) and the constructions (CBC) we use are not broken.

Of course, one area where the NSA has clear, unmatched power is with computing resources. Our estimations of how long it would take a password cracker to guess a Master Password have been based on the kinds of tools that the public password cracking community has available.

A Master Password with the equivalent of 60 bits of entropy is going to be out of the reach of even the most dedicated civilian password cracker, but may be within reach of the NSA.
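The estimate above can be worked through in code. This is an added example, not AgileBits' code: it converts Master Password entropy into expected guessing time. The guess rates assigned to each attacker class, and the use of PBKDF2-HMAC-SHA1 as the cost of one guess, are assumptions chosen for illustration.

```python
import hashlib
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed guesses per second for each attacker class. These are illustrative
# placeholders, not measurements of any real attacker's capability.
ASSUMED_RATES = {
    "single desktop": 1e5,
    "dedicated civilian rig": 1e7,
    "nation-state scale": 1e12,
}


def expected_guesses(entropy_bits):
    """An attacker searching uniformly finds the password, on average,
    after trying half of the 2**entropy_bits possibilities."""
    return 2 ** (entropy_bits - 1)


def years_to_crack(entropy_bits, guesses_per_second):
    """Expected time, in years, to guess a password of the given entropy."""
    return expected_guesses(entropy_bits) / guesses_per_second / SECONDS_PER_YEAR


def min_entropy_for(years, guesses_per_second):
    """Smallest whole number of bits that holds out for `years` on average."""
    bits = 1
    while years_to_crack(bits, guesses_per_second) < years:
        bits += 1
    return bits


def measure_guess_rate(iterations=10_000, samples=20):
    """Measure guesses per second on this machine for one core, assuming each
    guess costs one PBKDF2-HMAC-SHA1 derivation (a stand-in for whatever
    key derivation protects the vault)."""
    salt = b"constructed-salt"
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha1", b"guess-%d" % i, salt, iterations, dklen=16)
    return samples / (time.perf_counter() - start)


def report(bit_levels=(40, 50, 60, 70, 80)):
    """Return rows of (bits, attacker, years) for the assumed attacker classes."""
    return [
        (bits, name, years_to_crack(bits, rate))
        for bits in bit_levels
        for name, rate in ASSUMED_RATES.items()
    ]


if __name__ == "__main__":
    print(f"this machine, one core: {measure_guess_rate():.0f} guesses/s")
    for bits, name, years in report():
        print(f"{bits} bits vs {name:<24} {years:14.4g} years")
    print("bits needed to last 100 years at 1e12 guesses/s:",
          min_entropy_for(100, 1e12))
```

Under these assumed rates a 60-bit Master Password lasts roughly 1,800 years against the civilian rig but under a week at 10^12 guesses per second, which is the gap the paragraph describes.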

There may be non-cryptographic flaws in cryptographic software, including 1Password, that the NSA is able to exploit, and that nobody else knows of. That is, they may know a way to break 1Password’s security without having to break the crypto. Naturally, we work hard to keep 1Password free of such vulnerabilities, but that is no guarantee that there aren’t some which the NSA is aware of and that we are not.

Finally, if they are collecting massive amounts of data, they may be able to make use of the non-encrypted data within our data formats. Our newest format reduces that particular threat, but it is still possible to see when items were created and modified along with how many items a person has in their 1Password data. Also, item categories (whether something is a Secure Note or a Login or a Credit Card) are not encrypted. As discussed in many places, the Agile Keychain format, which we developed in 2007 and began phasing out with 1Password 4 for iOS in December, leaves Title and Location unencrypted, so it’s similar to a browser bookmark file. However, in the case of an investigation by the NSA, that probably tells them little that they didn’t already have access to.

The right tool for the right task

Security failures often happen when people don’t use the appropriate tool for the task they are trying to achieve. 1Password is extremely good at what it does. It keeps the secrets (passwords in particular) you store within it safe, and makes it easy for you to use those secrets when you need them. This is an extremely important part of your security, and we are very pleased to provide that.

If, however, your goal is to keep your online activity secret from the government, then 1Password can only be a tiny part of what you need to do. As an analogy (and all security analogies ultimately fail; so don’t take this too far), consider a system, say 1Passlock, as providing a very good lock on your house making it impossible for someone to break into it. 1Passlock, however, would do little to prevent someone from learning the location of your house, so you would also need to find something in addition to 1Passlock to conceal your house’s location.

The point of this terrible analogy is that you need to find the right tools for your particular security goals and try to make sure that those tools work together.

Avoiding the cloud

Our approach has been to plan and design for the case where your data can be captured from anywhere, whether it is stored on services like iCloud or Dropbox, or not. However, we have learned that a notable number of people don’t agree with storing their data in the cloud at all. There are 1Password users who reject the idea of storing their 1Password data on any system outside of their control no matter how strongly their 1Password data is encrypted.

We would like you to have as much control over your own data as possible. This way, it doesn’t matter whether you agree with me about the relative risks of capture from local computers. It should be your choice to make. We have provided a (beta, Mac only) USB Syncher, but we are also exploring other approaches that may work out as better solutions for synchronizing your 1Password data without having to rely on services outside of your control. At this point, I can tell you nothing about the kinds of approaches we are exploring, and I do not yet have a timeline to share.

In conclusion

The latest news does not substantially change the security situation for 1Password. It does, however, focus more attention on the relative safety of your 1Password data when using Dropbox or iCloud to store and synchronize said data.

We anticipate that there will be some creative discussion of this, and so have already created a specific place for this in our forums.