Quantcast

Secure Password Managers and Military-Grade Encryption on Smartphones 2: Device Backup and BlackBerry Password Managers

This part of the presentation accentuates data backup on smartphones, and provides an overview of popular password management applications for BlackBerry.

Threat Model

Assumptions to verify

Assumptions to verify

Let’s now move to the threat model. Throughout the research we assume that the attacker has physical access to the device, or the attacker can read the backup files of your device, or the attacker can in some other way access the files that comprise the password manager database. We believe these are fair assumptions, and I will try to explain that a bit later. And the objective of the attacker is essentially to get your passwords from your password manager database. It may be recovering the master password for your password keeper, or just decrypting the database itself. And I would like to point out that we will focus only on data at rest; we will not analyze the networking functions, the exploits in the password manager applications. We will solely analyze the data at rest – how the program handles encryption of the data stored on the device.

Third-party physical access to devices

Third-party physical access to devices

What about physical access? Well, there are lots of computers stolen every year, and also there are lots of phones stolen, left at the bars and so on. Since a typical phone is much smaller than a typical laptop, again, it’s much more probable that you will lose your phone than it is that you will lose your laptop.

Device backup: iOS and BlackBerry

Device backup: iOS and BlackBerry

So, let’s now talk about device backup. Both iOS and BlackBerry platforms provide a user with the opportunity to create device backups. Device backup contains a lot of sensitive information. Apart from passwords and databases of password keepers, typical backup contains information about email accounts, texts, call logs, pictures, application data – lots of sensitive stuff. This is the reason why both platforms have some protections to guard your backups.

On Apple iOS, to be able to create a backup you need your phone to be unlocked. This can be done either by entering your passcode on the phone, or if your phone is already paired with a computer on which you are trying to create a backup. Also, there is optional encryption of the backup, and on the iOS platform we believe it is done in a proper way, because encryption is enforced by the device. So, once you configure your device to produce encrypted backups, it will always encrypt a backup before sending it to the computer.

To disable this encryption, you will need to specify the original backup password which you had entered. This backup password is only requested when you try to restore from the backup, not when you create a backup. This actually creates a usability problem for many users. For example, when half a year ago iOS 5 was released it was initially released in a version where you couldn’t update the operating system, you needed to do device restore. So, essentially, everything is wiped out from the device, and then iTunes restores your last backup on the initially installed iOS 5. This created problems because many users turned out to have had backup encryption switched on at some point in the past, but since they are not asked for the password they just don’t remember it. And there were lots of people saying something like: “iTunes has a bug, it switched on encryption on its own, I never specified the password,” and so on. And when you ask these people some questions, it turns out that the password was 1234, or their cat’s name, or their neighbor’s name. We have difficult time explaining to them why iTunes knows their cat’s name.

On the BlackBerry platform, backup encryption is pretty much the same, in that you still need the device password for BlackBerry to be able to create a backup. It is not possible to pair a BlackBerry with a PC, so you will need to enter it every time you create a backup. There is also optional encryption of the backup, but it’s done in a somewhat strange way – it is not enforced by the device, it’s performed by the desktop application. So, if you have a BlackBerry device and you know the password, the backup encryption will not be a problem for you because you can just bypass it, instruct the desktop application not to encrypt anything. But still, if you only have the encrypted backup then you need to recover the password, and this can be quite difficult because there is really slow transformation involved.

Alternative ways of data retrieval

Alternative ways of data retrieval

If you don’t have the backup but you have the device, there are some scenarios where you may be able to obtain the required files from the device itself. On iOS platform this is possible through three different ways.

First of all, you can use the AFC protocol via which iTunes talks to the device when it syncs applications, that kind of thing. There are programs that can access the application sandboxes on the phone and transfer files between the phone and your PC, so you can pair your phone with the computer to transfer certain application folders.

Well, of course we still believe jailbreaking is a bad thing because it reduces security, so if you have a jailbroken phone and there is an SSH server running, you can access pretty much every file on the device remotely. It’s also possible to obtain files this way.

It’s also possible to get the required files through mobile forensics way of doing things, which is called physical imaging. When you obtain a bit-to-bit image of the iPhone disks, again, you can decrypt that and get the required files.

On BlackBerry it’s more difficult because, again, there are solutions to perform physical imaging of BlackBerries, but they all require device password. So, on BlackBerry platform it’s up to device password: whether you know it or not. On Apple iOS there are different scenarios.

BlackBerry Password Managers

BlackBerry password management apps

BlackBerry password management apps

So, enough for the background, let’s do the actual application reviews. Let’s start with BlackBerry. We will consider two applications. The first is BlackBerry Password Keeper, it was included with OS 5, I believe. And the second application is BlackBerry Wallet.

BlackBerry Password Keeper: essentials

BlackBerry Password Keeper: essentials

Let’s have a look at BlackBerry Password Keeper. If you know a little about password cracking, you probably know that three iterations of PBKDF2 is not much, and that password recovery will be very fast. In this case, we have three iterations of password-based key derivation function with SHA-1 hash, and the data inside the database is encrypted, it’s okay. So, if you just have the file you cannot read the stored passwords in plaintext, but still you can mount a password recovery attack which will be very fast, it’s about 5 Million passwords per second on a modern CPU, and up to 20 Million on GPUs.

PKCS7 data padding explained

PKCS7 data padding explained

There is one quite interesting thing which we can exploit in many different password keeper applications, and this is actually the PKCS7 data padding (see image). So, what is this about? When you encrypt data using the block cipher, you can only encrypt data in chunks, and the size of the chunk is the size of the block of this cipher. For most of the modern ciphers, the block is 16 bytes. And the data must be padded before encryption, it must also be padded in a way which will allow removing the padding after decryption, so you need to somehow store the length of the original data explicitly or implicitly. There is a standard for this, which is PKCS7 – well, part of standard defining the padding. The standard says that you need to add to your plaintext data a certain number of bytes, so that the length of your data plus the length of the padding will fit evenly in the block of the cipher, so all blocks will be completely filled. The value of the byte which gets appended to the data is equal to the number of bytes that get appended.

In the first example on the image, the grey area is the plaintext data which we want to encrypt, and numbers 7, for example, in the first line are the bytes, each byte having the value of 7, and we have 7 of them – this is how it works. There is one special case when our plaintext already fits evenly in the block size – in this case we just add an additional block consisting of padding only.

What this allows us to do is quickly reject wrong keys. So, when we’re trying different keys and performing decryption, we can actually decrypt only the last block and check if the padding is correct. In the worst case scenario, if there is only one byte of padding, this will give us the survival rate of keys of 1 key in 256, which is actually very good. This padding essentially provides some sort of known plaintext attack, limited but still…And a great thing is it allows gaining better password recovery rates. This trick is used for many different applications in our research.

BlackBerry Wallet v1.0 in a nutshell

BlackBerry Wallet v1.0 in a nutshell

BlackBerry Wallet is our second application to be reviewed. There are two versions. Version 1.0 was used with OS 5; it was not included with the operating system, but it was a free download from the App World, I guess. This one is pretty straightforward. It stores the double hash of the password; password verification is very fast: 6 Million on CPU and about 300 Million on GPU. This is actually very fast, and I’m not sure why “Research In Motion” did this. Again, there is no randomness, no salt involved, so if you really want to do this fast you can always build Rainbow Tables for this particular type, and recover passwords in minutes and seconds.

BlackBerry Wallet v1.2 features

BlackBerry Wallet v1.2 features

Version 1.2 was a little different, it’s definitely better than Version 1.0, but still it’s not good enough, in our opinion. It took the approach similar to that of the Password Keeper, so it is using the PBKDF2 with a random number of iterations – between 50 and 100. I’m not sure why it’s still using that amount of iterations, but still it’s much better than 3. The estimated recovery speed is 200,000 on CPU and about 3 Million on GPU. By today’s standard, this is very-very fast. Just to give you an idea, password cracking for Microsoft Office 2007 documents is like 1000-5000 passwords per second, so it’s nowhere near millions. And here we have devices with a small keyboard, where you cannot really type a complex passphrase, and the recovery speed of millions of passwords per second. This is basically it about BlackBerry password managers.

Read previous: Secure Password Managers and Military-Grade Encryption on Smartphones: Oh, Really?

Read previous: Secure Password Managers and Military-Grade Encryption on Smartphones 3: Free Password Keepers for iOS

Like This Article? Let Others Know!
Related Articles:

Leave a comment:

Your email address will not be published. Required fields are marked *

Comment via Facebook: