Would a 1Password database be vulnerable to a compromised iOS system?
Specifically, such an exploit mentioned by Tim Cook in his letter to Apple customers:
http://www.apple.com/customer-letter/
"They have asked us to build a backdoor to the iPhone. Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession."
And this, which raised this concern, in particular:
"Some would argue that building a backdoor for just one iPhone is a simple, clean-cut solution. But it ignores both the basics of digital security and the significance of what the government is demanding in this case.
In today’s digital world, the 'key' to an encrypted system is a piece of information that unlocks the data, and it is only as secure as the protections around it. Once the information is known, or a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge."
So, in general:
Would a 1Password database be vulnerable to a compromised iOS system, in any way?
Comments
-
Hi @Magne,
Thanks for taking the time to write in about this important issue. My colleague jpgoldberg has written in extensive detail about this here:
Apple vs the Feds - AgileBits Support Forum
I hope that helps answer your question, but if you have any follow up or additional questions please feel free to reach out!
Ben
0 -
Thanks. I read the entire thread, and the linked articles.
Although it gave a good general overview, it didn't precisely answer my question.
I'm specifically wondering if a compromised iOS system could potentially compromise the data in a 1Password database, in any way?
Some potential attack vectors that come to mind:
- Keylogging, while typing in the master password into the 1Password app
- Fetching the master password from live memory.
- Subverting the Touch ID on the phone to access the 1Password app (if the user is using Touch ID)
- Fetching the data while 1Password is syncing (although I hope it is as encrypted here as in the DB itself)
- Using the compromised iOS system to try multiple guesses per second on the master password. With a super-computer at hand, and some smart inferences based on 1Password's password generation scheme, it might be viable, even if the generated password is many times better than a human made one.
cheers,
Magne
0 -
Thanks for the follow up questions Magne.
I suppose the answer to your "big picture" question is "yes, depending on the level of compromise."
- There are protections built into the operating system to prevent keylogging in password fields, but depending on how deep the compromise goes this could have been navigated around.
- This one I'm honestly not sure about. I'll see if someone from our security team can comment more specifically (cc: @jpgoldberg )
- In theory this one is prevented by hardware. Unless the hardware is also compromised, which I haven't seen any reports of even a proof of concept on this, a software based attack should not be able to do this.
- Right -- they could intercept the sync data in transit, but it is still encrypted at this stage.
- This one isn't very practical. While possible, if you have a secure Master Password, PBKDF2 makes this approach much less than desirable. We have a blog article you may be interested in: Strong Security Requires Strong Passwords. It brings this comic which we've referenced on occasion, from our friends over at xkcd, to mind:
For anyone else reading: these answers are assuming a compromised version of iOS were to be installed, which would almost definitely require physical access to the device... At least, I've not seen or heard of any attacks on modern iOS devices where an attacker was able to install a modified version of iOS without physical access.
Thanks.
Ben
0 -
Hi @Magne!
The reason that it is so hard to get a straight answer is that you asked a question that needs a great deal of refinement to be able to answer. But let's start by distinguishing two cases:
1. The target interacts with a compromised system
2. The user does not interact with a compromised system
Safe in Case 2
If we are considering only cases like the second, in which the user does not unlock their device (or unlock 1Password) on a compromised device then the protection of your 1Password data depends on the strength of your Master Password. (Assuming that all of Apple's defenses are gotten around.)
One caveat to this is if you use TouchID to unlock 1Password and the particular settings and circumstances. It might be the case that given a certain combination of TouchID settings and device capture timing that your data would be as safe as your device passcode. It is too tricky to try to work through all of the cases that apply here. In one sense the question is moot because TouchID doesn't apply to an iPhone 5C. And a compromise of a 5S or later would involve more than what Apple is being asked to do in the San Bernardino shooter case.
Case 1 is a basket case
In the first case, where the target is actively using 1Password on a compromised system, then once the user unlocks 1Password the compromise of the system could capture their decrypted data. This is going to be the case with any compromised operating system and there isn't anything in the 'verse anyone can do about such a thing.
0 -
Thanks to you both for comprehensive and clear answers to my question. :-) What you both say makes a lot of sense.
One small follow-up to case 2, @jpgoldberg:
> One caveat to this is if you use TouchID to unlock 1Password and the particular settings and circumstances. It might be the case that given a certain combination of TouchID settings and device capture timing that your data would be as safe as your device passcode. It is too tricky to try to work through all of the cases that apply here.
You don't have to work through all of the cases that apply here, I'm just curious about one thing:
Does this mean in general that I shouldn't use TouchID to unlock 1Password, because an iOS stored fingerprint opens up a potential shortcut to the master password (even when I'm not interacting with the phone)?
What would have been nice was if one TouchID fingerprint was stored inside the 1Password database itself. Then I'd only use a special finger to open 1Password, haha. :-)
From what I understand from your comment part 1 in your response to the San Bernardino case, it seems that the hardware key on iPhone 5S and beyond would protect against a remote hacker gaining access to this stored fingerprint in any case.
0 -
> Does this mean in general that I shouldn't use TouchID to unlock 1Password, because an iOS stored fingerprint opens up a potential shortcut to the master password (even when I'm not interacting with the phone)?
I'm certainly not saying that you shouldn't use TouchID. I am happy to use it and support it as a feature available for 1Password users. But it is a choice we leave up to users.
TouchID unlock and the iOS Keychain
For TouchID to work with 1Password, it means that we have to store (an equivalent of) your Master Password outside of 1Password in a way that can be retrieved when the phone tells us that you have successfully used a fingerprint. That Master Password Equivalent (MPE) is protected by the device and operating system and not by us. It is extremely well protected, but it is protected by some complex interactions between the device hardware and the operating system.
With a corrupted operating system together with the device passcode it may be possible to retrieve the obfuscated version of your Master Password from where we store it for TouchID. We store this obfuscated Master Password in the iOS Keychain using the most restrictive data protection class available in iOS 8.[1]
The difficulty in saying exactly when this might be available to an attacker is because it depends on a lot of things including the fact that there are circumstances under which we try to remove the item from the keychain and there are circumstances under which the operating system automatically removes such items from the keychain. And, of course, even if it remains in the iOS Keychain, whether it is available to anything other than the 1Password app depends on the nature of the attack on iOS.
What should you do?
If your threat model includes an attacker who is capable of and is willing to bear the expense to do all of the following:
- An attacker who is capable of capturing and holding on to your device
- Is able to get Apple to install a specifically weakened version of the operating system on it.
- Can find a way around the rate limiting of the secure enclave in passcode guessing. (Note that the San Bernardino shooter's phone is a 5C, which does not have a secure enclave. Any iOS device with TouchID does have a secure enclave.)
then this line of attack would mean that you should reconsider using TouchID unlock for 1Password. Whether or not that is a threat that you face for your data is something only you can decide. Personally, I am happy to use TouchID.
[1] There is one more available constraint that was introduced in iOS 9 but escaped our attention until Per Thorsheim and Paul Moore brought it to our attention just a few days ago.
0 -
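The Keychain storage jpgoldberg describes in the post above (a Master Password Equivalent held outside the app, under a restrictive protection class, and released only after the device confirms a fingerprint) could be written as follows. This is an added example, not AgileBits' code: the service and account names are hypothetical, and the choice of `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` with `.userPresence` is an assumption about which iOS 8 settings fit that description.

```swift
import Foundation
import Security

// Hypothetical identifiers for this example; not 1Password's real names.
let service = "com.example.vault"
let account = "master-password-equivalent"

enum KeychainError: Error { case accessControl, status(OSStatus) }

// Attributes that identify the one item this example manages.
func baseQuery() -> [String: Any] {
    return [kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account]
}

/// Store the secret so that it exists only while a device passcode is set,
/// is never included in backups or synced to other devices, and is released
/// only after the OS confirms user presence (Touch ID or device passcode).
func storeUnlockSecret(_ secret: Data) throws {
    guard let acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .userPresence,
        nil) else { throw KeychainError.accessControl }

    SecItemDelete(baseQuery() as CFDictionary)   // replace any stale copy
    var add = baseQuery()
    add[kSecAttrAccessControl as String] = acl
    add[kSecValueData as String] = secret
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Returns nil when the item is gone: deleted by the app, or removed by the
/// OS (for this protection class, when the device passcode is turned off).
/// The caller then falls back to asking for the Master Password.
func loadUnlockSecret(prompt: String) throws -> Data? {
    var query = baseQuery()
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    query[kSecUseOperationPrompt as String] = prompt
    var out: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &out)
    switch status {
    case errSecSuccess:      return out as? Data
    case errSecItemNotFound: return nil
    default:                 throw KeychainError.status(status)
    }
}
```

Because `.userPresence` accepts the device passcode as well as a fingerprint, an item stored this way is only as strong as that passcode once the OS-level protections are bypassed, which is the caveat raised in the post.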
Thanks again for a very good and comprehensive answer @jpgoldberg, and for summarising the consequence so neatly. It alleviates my concern, as well. :-)
From what I understand then, the Touch ID case basically boils down to the xkcd comic mentioned above.
0 -
On behalf of jpgoldberg you are most welcome! :)
Ben
0