iOS Vulnerability and 1Password Security
Interesting article in Wired magazine describing how advanced hackers (including law enforcement and other government entities) are gaining access to iOS devices. Central point is that encryption keys used by most apps - according to Johns Hopkins - are stored in After First Unlock (AFU) storage vs. Complete Protection after an iOS device has booted and been unlocked one time. Access to these keys is possible in the clear using any iOS vulnerability. Apps can use the Complete Protection storage for encryption keys but only at their option. Given what most of us have stored in our 1Password vault, it would be nice to know if iOS 1Password stores encryption keys in Complete Protection vs. AFU.
Note that Andrioid doesn't even provide a Complete Protection option so 1Password data is available to anyone with access to an Android vulnerability (assuming the device is powered up and has been unlocked at least once).
Link to article: https://www.wired.com/story/smartphone-encryption-law-enforcement-tools/
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Welcome to the forum, @pdp11! I read that article with interest as well, happy to discuss how it relates to 1Password. Put simply, 1Password is likely different than most of whatever else is on your iOS device. What I mean by that is that we use our own encryption (AES256), which is separate from iOS encryption, to encrypt your data. The keys are secured by your Master Password (and to a lesser degree, your Secret Key). The encryption key is derived anew each time you enter your Master Password into 1Password for iOS, and it is not stored anywhere on your device when 1Password is fully locked.
If you enable biometry (either Face ID or Touch ID), your 1Password data is still protected by your Master Password, but 1Password stores in the iOS Keychain an obfuscated version of a secret that is equivalent to your Master Password. The secret is used to unlock 1Password when your fingerprint or face is recognized. The links above have some additional information and tips on how to tighten security on an iOS device, if you're interested, but the bottom line is that you can lock 1Password on your iOS device at any time by tapping Settings > Security > Lock Now in 1Password. This will require your Master Password, not biometry, on next unlock. You can also do this more automatically by choosing Settings > Advanced > Security > Require Master Password After: Device Restart. With this setting enabled, turning off your device will cause 1Password to require your Master Password the next time you open 1Password after restarting the device. Finally, if you don't mind the inconvenience, you can simply disable Touch ID or Face ID altogether in 1Password, which would require your Master Password every time you unlock it. Finally, don't forget to also set "Lock on Exit" and set the auto-lock timeout to a comfortably short period -- from 1 minute to 1 hour.
It's also good to keep in mind -- as that Wired article points out -- that the types of attacks described therein require both physical access to a device as well as specialized smartphone access tools. If your estimation of your own threat profile leads you to conclude you will regularly be a person of interest to people or organizations with the finances and the interest in acquiring such tools and the desire to use them on you specifically, then you might wish to take the additional step and inconvenience of leaving your devices fully powered off when not directly in use, or at least to turn them off prior to any expected encounters with such people. 1Password itself can help you with the use of Travel Mode, which entirely removes any vaults not marked "Safe for Travel" from your device(s). And again, on your devices themselves, tapping Settings > Security > Lock Now will mean your Master Password is required to unlock 1Password the next time it's launched, even if an attacker is able unlock your device itself.
0 -
Lars, thanks for the feedback. I’m glad to hear 1Password uses its own encryption engine vs iOS APIs. If I read your “Lock Now” suggestion, that is for protection if Apple places the encryption key for access to iOS KeyChain itself in the AFU space vs. Complete Protection? I sure hope they don’t do that but we’re unlikely to be told one way or the other.
I appreciate that this type of attack will be rare and requires physical access. However, as someone who has had a device taken from me and brought to a back room (“just to verify the serial number is valid”) by a certain large Asian country not known its freedoms, I’m going to take note of these recommendations :-)
0 -
@pdp11 - speaking not for 1Password but just for myself, if I were traveling to some of the countries on the globe where routine electronic surveillance of an invasive nature was known to be common, I might consider taking a "burner" device if I absolutely required one, or simply forgoing devices entirely for the duration of my visit, if that were an option. If you must travel to such places and you also expect to need one or more of your devices, I would take advantage of all the security protections you can - turn on full disk encryption if it is not already, choose a long and strong device password (in addition to your Master Password), tighten the timeout settings in 1Password and/or temporarily disable biometry, and make use of Travel Mode to remove sensitive vaults altogether from your device(s).
0 -
Interesting conversation.
Lars, how is the "Wired" issue addressed on Windows 10 PCs & Android devices (phones)?
Thanks
0 -
@55208wcgk - the Wired article referred only to mobile operating systems/devices, so Windows PCs aren't really in-scope there, though if you'd like to read more in general about 1Password’s security model or about 1Password 7 for Windows, those are good jumping-off points.
As far as Android is concerned, the answer would be "similarly" - on every platform, we are not depending on the OS's own keychain, but rather our own implementation of AES256. If you don't enable biometry, then you will be required to enter your Master Password every time you use 1Password on your Android device. This is arguably the most secure method of using 1Password anywhere, as we do not store your Master Password or secrets equivalent to it anywhere on disk when you do it this way, and the encryption keys necessary to decrypt your 1Password data are required to be derived anew -- by entering your Master Password -- each time you launch 1Password.
When you turn on Biometric Unlock in 1Password for Android, the following is how we keep it secure:
1Password stores an encrypted version of a secret that is equivalent to your Master Password:
- Random Key. 1Password generates a Random Key that requires authentication. This Random Key is saved in the Android Keystore.
- Authenticated Key. 1Password prompts to scan your fingerprint, face, or eyes, which it uses to authenticate that Random Key. The Authenticated Key is never stored on your device.
- Master Key. 1Password uses the Authenticated Key to encrypt a copy of the Master Key. This encrypted Master Key is saved in the sandboxed preferences for 1Password.
There are now two encrypted copies of the Master Key: one encrypted with your Master Password and one encrypted with the Authenticated Key. This makes sure that use of Biometric Unlock is cryptographically enforced:
- Your data can’t be decrypted without the Master Key.
- The Master Key can’t be decrypted without the Authenticated Key.
- The Authenticated Key can’t be generated without authenticating your fingerprint, face, or eyes.
0