1P icons, name can lead to insecurity (and lost fingers)
I use 1PW on my iPhone to store all the amazingly long, complex passwords I use. Recently I was considering the following scenario:
I get mugged in an alley / robbed at home / held up in a McDonald's, and the thieves take my phone
Threatening violence, they convince me to tell them my phone's unlock code
Opening the phone, they notice an icon of a lock and key and an app name of "1Password." Instantly intrigued, they ask for the code for that app as well. I refuse, of course, but three fingers later I break, and these lowlifes now have access to every password I use.
I wonder if an icon of a unicorn and an app name of "Pink Pony" wouldn't be a lot more secure against this kind of uninformed attack. Of course sophisticated thieves would know the app aliases... so perhaps there's a custom service 1Password could offer where I could pick the icon, and the app name. That would be hard to scale, of course, but some of us may be willing to pay a lot extra for the added security.
Or am I being paranoid (or overly protective of my fingers?)
Comments
-
Hi @akimbo,
If you think you can pass yourself off as Wendy Appleseed, you could always try telling them that your Master Password is "demo", assuming that you have enabled demo mode.
You know that I have to start off by pointing out that the scenario you describe really doesn't come up all that often. Thieves who really seriously want your encrypted data (and they are rare) won't be fooled by such a trick. Other thieves will just wipe the phone when they realize that they can't easily get the data. So really, this just isn't something that plays a meaningful part in our threat model.
OK, with that out of the way, I'm going to throw out some buzzwords. What you are looking for is something that is "steganographic". Steganography is about concealing that you have information. For example, using the least significant bits for the color pixels in an image file can store 3 bits per pixel. There are other techniques as well, but that was to give you the idea.
1Password, as you correctly note, is not a steganographic tool. It makes no effort to conceal the fact that you've got secrets stored in it. Steganography is hard to do right. Those who will seriously try to go after the data will also know all of the tricks. It's just not a road I think we will go down.
Furthermore, we know from the case of Orbicule's Undercover that Apple simply will not allow apps that do something very different from what they pretend to do. Undercover is a sort of "phone home" system for stolen Macs. Of course you have to install and register the system before it gets stolen, but once you report it stolen, when the Mac next connects to the net it will go into "stolen" mode and sneak off iSight pictures and location info and screenshots to Orbicule's system.
Well, Orbicule wanted to bring Undercover to the iPhone (this was before "Find my iPhone"). But unlike the Mac, where some software can be running silently in the background as soon as it is booted, Apple doesn't allow such daemons. "So," thought the clever folks at Orbicule, "let's make it look like an attractive game or something that will trick the thieves into launching it." Apple said, "no." So despite very good reasons for having a deceptive-looking icon and name, it still gets barred. So even if we wanted to go in this direction, we couldn't.
For people who have serious reasons to worry about such threats, one technique that is often proposed is to have a fake operating system. You'd install (huge jailbreak required) something that looks like the normal iOS unlock screen. But the unlock screen would have two distinct passcodes. One would be your real one, and the other would be a "duress" one. If you enter the duress passcode (this is the one that you give to the thugs to preserve your fingers) it boots to a false home screen with innocuous data and apps on it. The real passcode will have the system boot to your real system. This is sort of like the Demo Mode thing I mentioned earlier, but actually designed for your purpose.
Now such systems would not only require a big whopping jailbreak, but also consume a huge amount of "disk" space to make the fake system look real enough. I also don't know whether people have actually built such systems or just sort of talked about how cool they might be. And I don't know if they really work. After all, the situations in which they could be put to the test are not things that happen every day.
So these sorts of things might be fun and interesting to think about, but as we really don't know how effective they would be against what turns out to be a very unlikely threat, it's not something I anticipate putting serious effort into.
Still, it was fun to talk about.
Cheers,
-j
–-
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
http://agilebits.com
[Edited to correct auto corrected spelling of "steganography". Hat-tip @benfdc]
0 -
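The least-significant-bit technique mentioned in the reply above (3 bits per RGB pixel), as an added example that is not part of the original thread. The 16-bit length header, the function names and the sample image are assumptions made for illustration.

```python
# Added illustration of least-significant-bit (LSB) embedding in RGB pixels.
# All names and the length-header layout are hypothetical.

def to_bits(data: bytes) -> list:
    """Expand bytes into a list of bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]

def from_bits(bits: list) -> bytes:
    """Pack bits (MSB first) back into bytes, ignoring a trailing partial byte."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)

def capacity_bytes(pixels) -> int:
    """Payload capacity: 3 bits per pixel, minus the 16-bit length header."""
    return (len(pixels) * 3 - 16) // 8

def embed(pixels, message: bytes):
    """Return a copy of pixels with the message hidden in the channel LSBs."""
    if len(message) > capacity_bytes(pixels):
        raise ValueError("message too long for this image")
    bits = to_bits(len(message).to_bytes(2, "big") + message)
    flat = [channel for px in pixels for channel in px]
    for i, bit in enumerate(bits):
        flat[i] = (flat[i] & ~1) | bit  # overwrite only the lowest bit
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]

def extract(pixels) -> bytes:
    """Read the length header, then that many bytes, from the channel LSBs."""
    lsbs = [channel & 1 for px in pixels for channel in px]
    length = int.from_bytes(from_bits(lsbs[:16]), "big")
    return from_bits(lsbs[16:16 + 8 * length])

# Constructed sample input: an 8x8 colour gradient as (R, G, B) tuples.
COVER = [(x * 30, y * 30, (x + y) * 15) for y in range(8) for x in range(8)]
STEGO = embed(COVER, b"secret note")

if __name__ == "__main__":
    print("capacity:", capacity_bytes(COVER), "bytes")
    print("recovered:", extract(STEGO))
```

Each channel value changes by at most 1, which the eye cannot see but which statistical analysis of the low bits can pick up.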
Jeffrey,
Thanks for the thoughtful (and potentially finger-preserving) answer. You've given me some good things to consider, and, probably more importantly, some reasons to calm my paranoia.
Best,
Doug
0 -
Wow, Jeffrey, great post! I'd like to add: My answer in such a scenario is this. Get to a friend's iPhone/PC ASAP and wipe my phone immediately using Find My iPhone (using your unbroken fingers... lol). Some people don't know or recall that you can use it from anywhere on any PC or device with a web browser (go to http://icloud.com and log in with your Apple ID that is on your iPhone/iPad; of course Find My iPhone needs to be running on the stolen device!).
Even if you did give up your master password, if you then wipe the phone in five minutes or something, the odds that they've gotten anything out of it that quickly are slim (IMHO).
Jeffrey, an interesting idea would be for us to be able to change the demo password to something more non-obvious. Now, that would be really useful. :)
-Lee
0 -
Perhaps a 'duress' mode is in need, where a second configurable password is saved to the 1Password data file, and exposes a set of generic or invalid entries.
0 -
I think the problem remains the same. Anyone who is sufficiently motivated to force you to enter your password under duress either already knows about the "duress mode" and won't buy it or will become much more upset with you when none of the passwords actually work.
0