Secure Password Managers and Military-Grade Encryption on Smartphones: Oh, Really?

Andrey Belenko and Dmitry Sklyarov, security researchers representing Elcomsoft Co. Ltd headquartered in Moscow, give a presentation at the Black Hat Europe event to raise relevant issues of data protection on smartphones.

We would like to welcome you to our talk at Black Hat Europe 2012. Today I’m here with my colleague Dmitry Sklyarov. My name is Andrey Belenko.

We work for the company called Elcomsoft which is based in Moscow, Russia. We mostly do software development for computer forensics, and password recovery tools. And today we would like to present our research which will analyze the security of password keepers, password manager applications on modern smartphones. So, let’s start.

Issues to be covered

Today we will start with a short overview of authentication: how it’s done on computers and how it’s done on smartphones. We will then proceed to establish the threat model under which our research was done, to see what the threats are and how we can exploit them. After that we will proceed to actual analysis of BlackBerry password manager applications and iOS password managers. And then we will present some information to conclude, some summary information about our findings so that you can have an idea of the state of security in this field.

Authentication: PC vs. Smartphone

Authentication on conventional computers

So, let’s talk about authentication. On conventional computers like PCs or desktop Macs, there are a number of options which are available for developers to use as a means of authentication. First of all, this is the Trusted Platform Module which is a piece of secure hardware installed on computers, on some of them. What it basically does is it authenticates the hardware before performing some sensitive operations such as decryption. So, if you just change the hardware and introduce some malicious part to it, it will not pass the authentication process.

The second means of authentication is something more traditional, it is biometrics, which is something you are. Again, on computers it’s fairly easy to buy a fingerprint reader or something like that, and to integrate this into the authentication process. We are not talking about the reliability of this authentication; the point here is that it can be done on desktop computers with relative ease.

The third way to perform authentication is SmartCard + PIN. It is something you have and something you know, or, as one of my friends says, something you know and something you usually leave at home. Well, again, SmartCard readers are cheap; there are products, solutions that can help you build a corporate environment for two-factor authentication, so it’s possible to do this on desktops.

And the last way – it’s probably still the most popular one and still the reason why our company has some business – is password and passphrase authentication. It’s used everywhere, and I’m not sure if I need to talk about this in more detail.

Authentication on smartphones

Well, on smartphones the situation is very different. You don’t really have TPM or biometrics, or SmartCards on smartphones, because most of them are pretty restrictive in what you can do, what you can run, and what you can connect to them. So, pretty much the only means of authentication that is applicable on smartphones is PIN, password or passphrase. Well, here I would like to just give a short note about the Trusted Platform Module. Technically speaking, most of the modern smartphones have some secure co-processor inside them, for example the iPhone. But the problem is that application developers cannot talk directly to this co-processor – so the system can, the applications can’t. Applications cannot use this secure piece of hardware to enhance the level of protection. So essentially, there is no such thing from software developers’ perspective.

Password / passphrase – the only option

Therefore on smartphones, we’re pretty much left with passwords, passcodes; and the pattern lock looks different from the passcode, but essentially there’s a numeric password. In this example the corresponding password will be something like 1-4-2-5-6-9-8 – the numbers defining the route you swipe as you follow the pattern. So, the password is the only common and reliable way of performing authentication on smartphones, but there are problems associated with it.

Typing a password: PC vs. smartphone

The first problem is that typing passwords on a smartphone is a pain. On PCs, on laptops you have a full-sized keyboard, you can utilize your motor memory; well, I’m pretty sure that everyone who is using random or semi-random passwords cannot spell them if they are asked to take a pen and spell them, but they can type them in. With me, this is the case: I don’t know my passwords, I mean how to spell them, but I know how to type them. Again, it’s relatively easy to memorize long and relatively complex passwords on full-sized keyboards using motor memory.

With smartphones, it’s a completely different story. Touch screens do not give you the mechanical feedback to fingers, so you really need to look where you type, and this complicates the process, making it more difficult to use long, and especially random passwords. So, it’s okay to type a word but, again, how many errors do you make even when you’re texting? The spell checker always replaces the typos, you probably don’t notice them sometimes; but if you enter a password, the spell checker will not fix the password for you, so it’s much more difficult to use long and complex passwords on smartphones, especially on smartphones with touch interfaces. On BlackBerries with the small keyboard it’s somewhat easier because you still have some mechanical feedback, but it’s still much more difficult than on full-sized keyboards.

So, we believe it is fair to assume that passwords on smartphones will be shorter than their counterparts on PCs, if used by the same person.

Password Cracking

Password cracking: key differences device-wise

The next problem is password cracking. People who want to crack the password are usually smart guys, and they will utilize the most powerful platform they can find. I mean, if the password they want to crack protects some data on a smartphone, it doesn’t mean that the attackers will use the same smartphone to perform the actual cracking. They will offload the computation to more powerful processors, to CPUs, to GPUs and so on, and this will increase their chances to crack that password. The problem here is that the passwords are usually used in a way that there is some encryption which is based on the password, and the encryption key is computed from the password. Usually it is computed using some complex cryptographic transformation, like performing 1 million hash iterations. And there is a problem when you try to do this on a slow platform like for example BlackBerry, because the CPU is slow, and you don’t really want to create a program which will take five minutes to verify the correctness of the password. But really, the way to avoid this is to reduce the number of iterations to make this password-to-key transformation less complex. But at the same time, this will lead to faster password recovery attacks on more powerful platforms like PCs.

So, we have a challenge here: on the one hand, we need to reduce the complexity of this key computing function to make it usable and make the interface responsive on a constrained platform like a smartphone; on the other hand, we need to make password recovery slow on fast platforms like PCs with fast CPUs and GPUs. Today, with things like iPhone, A4 chips and A5 chips, this is less of a problem, but a few years ago (and still with BlackBerries today) it was a problem. And like I said, the attackers are smart guys. They can always use GPUs or distributed computing to make password cracking even faster. In this presentation, you will even see some indications of how fast GPU password recovery may be.
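The trade-off described in the two paragraphs above, as an added example that is not part of the talk: the same iteration count that bounds unlock latency on the device also sets the attacker's per-guess cost, and the script puts numbers on both sides using PBKDF2-HMAC-SHA256 as the password-to-key transformation. The passcode, salt, 0.5 s unlock budget and the 10^9 iterations-per-second attacker rate are constructed assumptions, not figures from the presentation.

```python
import hashlib
import math
import time

# Constructed sample inputs (not from any product the talk analyses): a short
# numeric passcode of the kind the talk says smartphone users gravitate to,
# and a fixed salt so the derivation is reproducible.
PASSCODE = "142569"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SECONDS_PER_YEAR = 365 * 24 * 3600

def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Password-to-key transformation: PBKDF2-HMAC-SHA256 with a tunable
    iteration count, the standard form of the 'N hash iterations' scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32)

def seconds_per_iteration_here(sample_iterations: int = 20_000) -> float:
    """Cost of one PBKDF2 iteration on the machine running this code; on a
    phone this number is what bounds the unlock latency."""
    start = time.perf_counter()
    derive_key(PASSCODE, SALT, sample_iterations)
    return (time.perf_counter() - start) / sample_iterations

def max_affordable_iterations(sec_per_iter: float, unlock_budget_s: float) -> int:
    """Largest iteration count that keeps a single unlock within the budget."""
    return int(unlock_budget_s / sec_per_iter)

def expected_crack_seconds(space: int, iterations: int, attacker_iter_per_s: float) -> float:
    """Expected exhaustive-guessing time: half the keyspace on average, each
    guess costing `iterations`, at the attacker's (GPU-class) rate."""
    return (space / 2) * iterations / attacker_iter_per_s

def iterations_for_target(space: int, attacker_iter_per_s: float, target_s: float) -> int:
    """Iteration count needed so that exhaustive guessing takes `target_s`."""
    return math.ceil(target_s * attacker_iter_per_s / (space / 2))

if __name__ == "__main__":
    sec_per_iter = seconds_per_iteration_here()
    affordable = max_affordable_iterations(sec_per_iter, unlock_budget_s=0.5)
    gpu_rate = 1e9  # assumed attacker throughput, PBKDF2 iterations per second
    print(f"this machine can afford about {affordable} iterations per 0.5 s unlock")
    for label, space in (("6-digit PIN", 10 ** 6), ("8-char random alnum", 62 ** 8)):
        need = iterations_for_target(space, gpu_rate, SECONDS_PER_YEAR)
        crack = expected_crack_seconds(space, affordable, gpu_rate)
        print(f"{label}: needs {need} iterations for a one-year attack; "
              f"at {affordable} iterations expected crack time is {crack:.1f} s")
```

The output makes the talk's point concrete: no affordable iteration count rescues a six-digit PIN against a GPU-class attacker, while a few hundred iterations already push an eight-character random password past a year.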

Authentication Wrap Up

PC vs. smartphone authentication – summary

So, let’s look into some more things about authentication. On computers, you usually do not enter your complex, long passwords too often. Typically, when you start your working day you log in to your workstation, you continue working until break, then you lock your screen, go to lunch, return, unlock your screen, continue working, and so on. We think this is a typical scenario. It may be five, maybe ten times a day that you need to enter the password on a PC. With smartphones, it’s a completely different story. You need to enter the PIN or passcode every time you want to make a call, read a text, send a text, read an email, send an email, and so on. This forces people to use shorter passcodes, I would say. At the same time, handling passwords on smartphones is more difficult than on PCs for the reasons I have explained above – because you need to have a high level of protection with fewer resources. This is the problem.

Read next: Secure Password Managers and Military-Grade Encryption on Smartphones 2: Device Backup and BlackBerry Password Managers
