Protecting your Master Password from Shoulder-Surfing Apps and Security Cameras

benfdc
Community Member
edited July 2014 in iOS

> Simply pretend to be fiddling with your phone or tablet a few meters away from an iPad user while he or she enters their PIN or password, and shoulderPad can use your device’s camera to read and interpret the target’s keystrokes. …
>
> [The researcher] says that the same trick could be easily applied to recorded footage from a surveillance camera. “Any time you’re entering your iPad password in a public area, someone might be able to decode it later at their leisure,” he says.

Oy! Here is the article. Is there anything that AgileBits can do to help here? Any advice for your users? Will more secure keyboards be available in iOS 8?

Comments

  • Megan
    1Password Alumni

    Hi @benfdc,

    Please see @jpgoldberg‌'s comments in Security When Using 1Password 4. I think the short answer is this:

    [A]n ordinary criminal who gets a substantial portion of your Master Password through shoulder surfing (already unlikely) would have to either steal data off of your computers or devices or find a way into your iCloud or Dropbox account to capture your data. Unless you are being targeted by trained specialists, I really don't see this happening.

    Being aware of your surroundings while entering sensitive data into your phone is always a good practice (just as banks encourage you to shield yourself when entering your PIN into an ATM or debit machine.) Jeff also mentions that practicing your Master Password and getting really good at entering it quickly will help to thwart shoulder surfers.

    Of course we're all excited about the new features Apple has introduced for iOS 8, and our developers are still looking into how to make the best use of all of these tools to improve 1Password. I can't say much more than that at this time, but I'm sure there will be more updates as the iOS 8 release approaches.

  • benfdc
    Community Member
    edited July 2014

    @Megan—

    Thanks for that link, although I do not take a huge amount of comfort from it.

    Agile’s position on the security of cloud storage of keychains is that the security of the cloud service should not be of great concern because your real protection is the strength of your password. (You might quibble with my wording, but I do think that I have the gist of it right.) In the thread that you link to, the emphasis seems to be reversed—in the unlikely event that someone obtained your password, it would do them no good unless they also managed to get hold of your data.

    Perhaps not a big worry unless one is being specifically targeted. But in an age of ubiquitous surveillance and big data it has become easier and easier to track more and more people through multiple channels, which makes it harder to be blasé. In fact, it is very easy for me to imagine that security camera feeds might be routinely scanned in order to construct a database of passwords that is linked to individuals via facial recognition algorithms. A few years ago this would have seemed impossibly far-fetched. Today, not so much.

    @jpgoldberg’s suggestion that one practice smooth, quick entry of one’s master password does not seem to me to offer any protection against the attack in the article I cited. To the contrary, I would think that the quicker the entry the greater the chance that the entire password or passphrase will be captured by a shoulder-surfer or security camera rather than just a portion of it.

    At an ATM or debit machine you can use one hand to try to obscure the PIN that you enter with the other hand. Is this really a practical strategy on a physical or virtual keyboard? And while it always makes sense to practice situational awareness, this has its limits in an age of ubiquitous smartphones, tablets, and security cameras.

    Hard problem.

  • Megan
    1Password Alumni

    Hi @benfdc,

    I'm sorry that I can't provide you more comfort! For a more in-depth discussion of this, you'll have to be patient until our security guru is able to respond here. Everything that I've learned about security while working here has come from him, and I'm sure he'll be able to address your concerns more directly.

    Thanks for your patience!

  • Rabbit32
    Community Member
    edited July 2014

    I have to agree with benfdc's well-written response.

    It's not hard to imagine someone getting your master password from one of the ways discussed, then getting into your hotel room and stealing your laptop. Unless your hard drive is encrypted, your vault has just become a sitting duck (once they remove the hard drive from the PC). Or they can capture your password while you type it in your airplane seat and then swipe your device while you and everyone else are asleep flying over the ocean on a 10-hour flight.

    I'm not saying that preventing this is AgileBits' responsibility, because it is a difficult problem to defend against and falls outside the scope of what it's currently designed to do. But it would certainly be a very nice feather in your cap to have a good countermeasure available! :-)

    Maybe you can team up with a developer who's creating a new keyboard for iOS 8. Like have one that you can optionally activate at login time, where it has these attributes:
    - Mask the typed characters right away rather than waiting 2 seconds like you currently do
    - Use lower contrast markings on each key (button)
    - Make the space bar, keypad-switcher, and Go buttons smaller so you can move the shift and backspace buttons onto the same row with them
    - Move the row of these special keys in between one of the other rows, with the exact position varying randomly with each successive login attempt
    - Since the first row of letters has 10 keys, the second has 9, and the third has only 7, you can insert some dummy keys (in random locations) so that each row has 10

    The key is to maintain the relative positions of the letter rows as they normally are, along with the relative position of each letter in a row, but change the absolute position of some of the rows and letters therein. This should have a minimal effect on password typing speed while making things rather difficult for the attacker.
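The layout rule proposed in the post above, worked through as an added example (not part of the original thread and not 1Password or iOS code). All names are hypothetical; it assumes the special-key row can only land between letter rows and that dummy columns are chosen uniformly at random.

```python
import secrets

LETTER_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]  # standard rows: 10, 9, 7 keys
SPECIAL_ROW = ["shift", "123", "space", "go", "delete"]  # constructed labels
WIDTH = 10
DUMMY = "_"  # blank key that registers nothing


def pad_row(letters, rng):
    """Pad a letter row to WIDTH with dummy keys at random columns, keeping letter order."""
    dummy_cols = set(rng.sample(range(WIDTH), WIDTH - len(letters)))
    remaining = iter(letters)
    return [DUMMY if col in dummy_cols else next(remaining) for col in range(WIDTH)]


def make_layout(rng=None, special_slots=(1, 2)):
    """Build one randomized layout as a list of four rows (assumed slots: between letter rows)."""
    rng = rng or secrets.SystemRandom()
    rows = [pad_row(row, rng) for row in LETTER_ROWS]
    rows.insert(rng.choice(special_slots), list(SPECIAL_ROW))
    return rows


def candidates(grid_row, col, special_slots=(1, 2)):
    """Letters that can occupy absolute position (grid_row, col) across all possible layouts."""
    found = set()
    for slot in special_slots:
        if grid_row == slot:
            continue  # in this layout the position belongs to the special-key row
        letters = LETTER_ROWS[grid_row if grid_row < slot else grid_row - 1]
        slack = WIDTH - len(letters)  # number of dummy keys in this row
        # A letter at index i can shift right by 0..slack columns, never left.
        found.update(ch for i, ch in enumerate(letters) if i <= col <= i + slack)
    return found


if __name__ == "__main__":
    for row in make_layout():
        print(" ".join(row))
    print(candidates(0, 0), candidates(2, 4), candidates(3, 3))
```

The top row is already 10 keys wide, so dummy keys add no column ambiguity there; a touch position maps to at most 2 letters in the 9-key row and at most 4 in the 7-key row. With the special row restricted to the two in-between slots, the top and bottom letter rows also never change vertical position.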

  • MikeT
    edited July 2014

    Hi guys,

    @Rabbit32:

    Maybe you can team up with a developer who's creating a new keyboard for iOS 8.

    Keep in mind that custom keyboards on iOS 8 are explicitly prohibited when iOS detects a password field for security reasons. In this case, the master password field in 1Password will not show you any custom keyboards besides the iOS one. This allows iOS to isolate it from any other processes to prevent keylogging.

    I'm not sure there is a way to customize the default iOS keyboard while also keeping the iOS security in place.

    We have in fact been thinking about this problem for a long time; the camera/shoulder surfing is a big problem that many folks don't pay too much attention to.

    We even thought about randomizing the numpad, pictures, patterns, and so on. All of them have cons and pros.

    One cool thing about iOS 8 is the new TouchID APIs and as you may have seen already on the Internet, we will add it to 1Password. TouchID should definitely solve this specific problem since there is nothing to record for the eyes.

  • Rabbit32
    Community Member

    Are you implying that using Touch ID will become a substitute for typing in the master password? I would rather that it be used as a 2-factor authentication in conjunction with the master password (or maybe a PIN instead).

  • Rabbit32
    Community Member

    Within the current keyboard that you use, is it at least possible to mask the typed characters immediately rather than after 2 seconds?

  • Are you implying that using Touch ID will become a substitute for typing in the master password? I would rather that it be used as a 2-factor authentication in conjunction with the master password (or maybe a PIN instead).

    No, you can't decrypt your 1Password database without the master password. However, you can unlock the app with the master password in private and then unlock it with TouchID when you're in public. It does require building a habit of doing this if you're often in public. You just have to adjust the timing in the Security area to accommodate this. There may be an option to store the MP in the iOS keychain but it is too early to say anything at this moment. We'll share more when we get closer to the iOS 8 release.

    Within the current keyboard that you use, is it at least possible to mask the typed characters immediately rather than after 2 seconds?

    I'll have to double check, I think it may be possible but that wouldn't matter if we can't stop showing the actual keys you're typing from expanding outward. You know when you type A and it expands outward in the big bright fashion that anybody can see it. If we can hide that, then it may make sense to add an option to disable both at once. I'll add this to our tracker to see if it is possible to do this.

    On the other hand, without seeing what you're typing and if you made a mistake, re-typing would likely make it easier for someone to see what you're doing. Humans are very good at pattern recognition, not the actual random stuff. If they see how you're repeating it, they'd be likely to recall it better.

  • benfdc
    Community Member
    edited July 2014

    @MikeT wrote:

    Keep in mind that custom keyboards on iOS 8 are explicitly prohibited when iOS detects a password field for security reasons.

    If that is the case, then it seems to me that the ball is in Apple’s court to make its iOS keyboard less vulnerable to shoulder-surfer apps and security cameras when the user is filling in a password field.

    TouchID should definitely solve this specific problem.

    Whoa!! I have been under the impression that, at least on the iPhone 5S running iOS 7, TouchID can be defeated with less effort than a well-chosen unlock code. TouchID’s principal (and considerable) virtue, I thought, is that it represents a vast improvement over the average user’s default security practices (either no unlock code whatsoever or a four-digit PIN).

    If TouchID is seen as the higher-security option in iOS 8, I would infer that shoulder-surfing and security camera attacks now occupy a prominent position in the threat matrix. To me, that might call for a re-evaluation of the wisdom of “all of your eggs in one basket” security tools like 1Password.

  • Rabbit32
    Community Member

    I think it may be possible but that wouldn't matter if we can't stop showing the actual keys you're typing from expanding outward. You know when you type A and it expands outward in the big bright fashion that anybody can see it. If we can hide that, then it may make sense to add an option to disable both at once.

    I think that immediate masking is beneficial in and of itself (and the expanding key display should be left as is, for the reason you mentioned). The expanding key display only shows the character for a fraction of a second, and the location moves all over the screen (near where the key is located). But the password field display shows each typed character for 2 seconds, and is conveniently located in one specific place. As there are definite use cases where a shoulder surfer may be able to see the password field quite clearly while having compromised visibility to the entire keyboard, it can make a meaningful improvement to simply mask the typed characters right away.

    Keep in mind, we're not necessarily trying for the perfect solution, but for meaningful improvements.

  • Hi guys,

    @benfdc:

    If that is the case, then it seems to me that the ball is in Apple’s court to make its iOS keyboard less vulnerable to shoulder-surfer apps and security cameras when the user is filling in a password field.

    That's why they're pushing to expand the use of TouchID in iOS 8.

    Whoa!! I have been under the impression that, at least on the iPhone 5S running iOS 7, TouchID can be defeated with less effort than a well-chosen unlock code.

    TouchID can be defeated if the device is stolen and there is a usable fingerprint to print off and make into a mold, then print out in plastic and then use on the iPhone. Plus, all of this has to be done within 48 hours or the iPhone switches to the device's passcode. You can see this in action here: http://istouchidhackedyet.com/. In addition, 1Password times out after 30 minutes and it'd then revert to the master password, so all of this work has to be done within 30 minutes.

    At this point, the shoulder-surfing/camera issue is pretty much moot because now, your problem is you lost the device. At this point, the next best step is to do a remote wipe via iCloud.com.

    Like you guys mentioned, this is a hard problem because there are pros and cons for each situation.

    Again, these are all optional and TouchID would not replace the primary authentication, each user will have to figure out the best settings for their needs.

    @Rabbit32:

    it can make a meaningful improvement to simply mask the typed characters right away.

    I'll ask to see if we can do this.

  • benfdc
    Community Member
    edited July 2014

    @MikeT—

    Thanks for the interesting info.

    I think you have confirmed that compromising TouchID is easier and faster than compromising the sort of strong device unlock code discussed in a 2012 post on the AgileBits blog. Therefore, the conservative assumption is that, if TouchID unlock is enabled, whoever gets your iPhone or iPad can get in.

    Question: is it possible under iOS 7, or will it be possible under iOS 8, to configure TouchID to unlock your phone but not unlock the iOS keychain?

    There was an interesting discussion of remote wiping in last month’s Supreme Court decision on warrantless searches of smartphones, Riley v. California, No. 13-132 (Jun. 25, 2014). 48 hours is more than enough time to procure a search warrant and make a fingerprint mold. Moreover, as the Court notes, it is becoming standard law enforcement procedure to put confiscated smartphones and tablets into Faraday bags in order to prevent remote wiping (and, one presumes, to preserve fingerprints).

    Unless a user is being targeted, 1Password’s 30-minute timeout should offer reasonable protection against TouchID attacks. Targeted attacks are another matter, because a fingerprint mold can be prepared in advance.

    p.s. I think that the discussion in that 2012 blog post of 1Password’s quick unlock feature is outdated.

  • khad
    1Password Alumni

    There are methods of attack that are easier and far cheaper than cloning fingerprints and "enhanced" shoulder surfing. :)

  • benfdc
    Community Member
    edited July 2014

    Ah yes, the Jack Bauer attack. Definitely not Supreme Court-approved!

    More importantly for these purposes, this is a 1Password discussion forum. 1Password is based on crypto nerd engineering. It is designed to resist hashcat attacks running on Gosney machines, not Jack Bauer attacks, so anyone who is concerned about $5 wrenches should not be entrusting sensitive info to 1Password in the first place. In other words, that xkcd comic is a thread-killer. Cf. Godwin’s law.

    Fingerprint molds and shoulder-surfing smartphone apps are not more exotic than Gosney machines.

    That said, it is a great comic, although omitting the title attribute from the image link deprives your readers of the tooltip punchline. :( For anyone interested:

    Actual actual reality: nobody cares about his secrets. (Also, I would be hard-pressed to find that wrench for $5.)

  • khad
    1Password Alumni

    Surely there is a "Security Wrench Law" for these sorts of discussions.

  • littlebobbytables
    1Password Alumni

    I always enjoy any reference to xkcd (and have to confess I do love that particular one).

  • jpgoldberg
    1Password Alumni

    Well according to one commenter:

    [Glenn] Greenwald once said how at first he thought [Edward] Snowden was a maniac because he [...] covered his laptop and head with a towel while he entered his credentials to access the documents in the first place.

    So be the frood who really knows where his towel is. (Also useful if you encounter the ravenous bugblatter beast of Traal.)

  • interfer0n
    Community Member

    As long as they don't get a hold of your iPad or your Apple ID Password for iCloud, your 1Password information won't be compromised even if they know your Master Password. Is this true?

    I'm asking because whenever I type my Master Password on my iPad, it feels like someone is watching me due to the large screen of the iPad.

  • Megan
    1Password Alumni

    Hi @interfer0n‌

    I've merged your question with an existing discussion on a similar matter. Please see my initial response in post #2 above, and the rest of the thread as well for some great discussion. It gets pretty technical, as security discussions often do, but you're correct in that someone would need to have both your Master Password and your datafile to get into your database. Simply knowing part of the Master Password is not enough.

    I hope this helps, but we're here if you have any further questions or concerns! :)

  • interfer0n
    Community Member

    Ah, thank you for this!
    I thought my post got deleted and was trying to figure out what I exactly violated..

    Great, my classes are huge and open, and it'd be awkward for myself to continue turning my head around and watching my back for any "shoulder surfers". Haha, I like it.

  • Megan
    1Password Alumni

    Hi @interfer0n‌

    My apologies! I didn't want you to think that you had been silenced, I just sometimes have a bit of an obsessive need to keep things organized. It's great to hear that you are concerned about your security - that's always a good thing. :) I'm glad to hear the answers in this thread have helped.

    Please let us know if we can be of any further assistance.

  • jpgoldberg
    1Password Alumni

    As so many have noted, if we wish to use Apple's Secure Input modes (and we do) then we have very little control over the keyboard, and so there aren't many options open to us to reduce the risk of shoulder surfing from that angle.

    TouchID is clearly less vulnerable to shoulder surfing, but given its own security properties, it needs to be deployed with care. It can be used to reduce the frequency with which a high security password is entered.

    There is a sense in which TouchID is stronger than a default (four digit) device passcode. That is, if you are an entity that already has the equipment and training and resources to attack either, you are probably going to break in faster by going after the passcode. (This is assuming that some other flaw of iOS has been found that allows such an attack in the first place.) But there is another sense in which TouchID can be no stronger than the device passcode. If an attacker has the device and the passcode, then she can enroll a new fingerprint.

    Using TouchID also involves making decisions about what kind of information is stored where. Should the Master Password be stored on the phone long term protected only by TouchID/passcode? Or should TouchID be used in the same way that the PIN is used for quick unlocking the app? These are all questions we've been facing and which you will have the answers to when 1Password for iOS 8 is released. (Betas may give strong hints, but are never the final word.)

This discussion has been closed.