Andrey Belenko and Dmitry Sklyarov, security researchers representing Elcomsoft Co. Ltd headquartered in Moscow, give a presentation at Black Hat Europe event to raise relevant issues of data protection on smartphones.
We would like to welcome you on our talk at Black Hat Europe 2012. Today I’m here with my colleague Dmitry Sklyarov. My name is Andrey Belenko.
We work for the company called Elcomsoft which is based in Moscow, Russia. We mostly do software development for computer forensics, and password recovery tools. And today we would like to present our research which will analyze the security of password keepers, password manager applications on modern smartphones. So, let’s start.

Today we will start with a short overview of authentication: how it’s done on computers and how it’s done on smartphones. We will then proceed to establish the threat model under which our research was done, to see what the threats are and how we can exploit them. After that we will proceed to actual analysis of BlackBerry password manager applications and iOS password managers. And then we will present you some information to conclude, some summary information about our findings so that you can have an idea of the state of security in this field.
The second means of authentication is something more traditional, it is biometrics, which is something you are. Again, on computers it’s fairly easy to buy a fingerprint reader or something like that, and to integrate this into the authentication process. We are not talking about the reliability of this authentication; the point here is that it can be done on desktop computers with relative ease.
The third way to perform authentication is SmartCard + PIN. It is something you have and something you know, or, as one of my friends says, something you know and something you usually leave at home. Well, again, SmartCard readers are cheap; there are products, solutions that can help you build a corporate environment for two-factor authentication, so it’s possible to do this on desktops.
And the last way – it’s probably still the most popular one and still the reason why our company has some business – is password and passphrase authentication. It’s used everywhere, and I’m not sure if I need to talk about this in more detail.

Well, on smartphones the situation is very different. You don’t really have TPM or biometrics, or SmartCards on smartphones, because most of them are pretty restrictive in what you can do, what you can run, and what you can connect to them. So, pretty much the only means of authentication that is applicable on smartphones is PIN, password or passphrase. Well, here I would like to just give a short note about the Trusted Platform Module. Technically speaking, most of the modern smartphones have some secure co-processor inside them, for example the iPhone. But the problem is that application developers cannot talk directly to this co-processor – so the system can, the applications can’t. Applications cannot use this secure piece of hardware to enhance the level of protection. So essentially, there is no such thing from software developers’ perspective. Therefore on smartphones, we’re pretty much left with passwords, passcodes; and the pattern lock looks different from the passcode, but essentially there’s a numeric password. In this example the corresponding password will be something like 1-4-2-5-6-9-8 – the numbers defining the route you swipe as you follow the pattern. So, password is the only common and reliable way of performing authentication on smartphones, but there are problems associated with it. The first problem is that typing passwords on a smartphone is a pain. On PCs, on laptops you have a full-sized keyboard, you can utilize your motor memory; well, I’m pretty sure that everyone who is using random or semi-random passwords cannot spell them if they are asked to take a pen and spell them, but they can type them in.
With me, this is the case: I don’t know my passwords, I mean how to spell them, but I know how to type them. Again, it’s relatively easy to memorize long and relatively complex passwords on full-sized keyboards using motor memory.
With smartphones, it’s a completely different story. Touch screens do not give you the mechanical feedback to fingers, so you really need to look where you type, and this complicates the process, making it more difficult to use long, and especially random passwords. So, it’s okay to type a word but, again, how many errors do you make even when you’re texting? The spell checker always replaces the typos, you probably don’t notice them sometimes; but if you enter a password, the spell checker will not fix the password for you, so it’s much more difficult to use long and complex passwords on smartphones, especially on smartphones with touch interfaces. On BlackBerries with the small keyboard it’s somewhat easier because you still have some mechanical feedback, but it’s still much more difficult than on full-sized keyboards.
So, we believe it is fair to assume that passwords on smartphones will be shorter than their counterparts on PCs, if used by the same person.
So, we have a challenge here: on the one hand, we need to reduce the complexity of this key computing function to make it usable and make the interface responsive on a constrained platform like a smartphone; on the other hand, we need to make password recovery slow on fast platforms like PCs with fast CPUs and GPUs. Today, with things like the iPhone, A4 chips and A5 chips, this is less of a problem, but a few years ago (and still with BlackBerries today) it was a problem. And like I said, the attackers are smart guys. They can always use GPUs or distributed computing to make password cracking even faster. In this presentation, you will even see some indications of how fast GPU password recovery may be.
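The trade-off just described (a key derivation that stays responsive on the phone but keeps an attacker's guess rate low) can be made concrete with numbers. The following Python script is an added example, not code from the speakers or from Elcomsoft: it derives a key with PBKDF2-HMAC-SHA256, calibrates an iteration count against a time budget on the device it runs on, and estimates how long an exhaustive search would take at an assumed attacker throughput. The attacker rates, the salt and the password samples (including the 7-digit pattern-lock sequence from the talk) are constructed for illustration; the throughput figures are not measurements from the presentation.

```python
"""Calibrating a password-based key derivation: device cost vs. attacker cost.

Added example, not the speakers' code. Attacker throughput numbers are
constructed assumptions used only to show how the estimate is made.
"""
import hashlib
import time


def derive_key(password: str, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """Derive a key from a password with PBKDF2-HMAC-SHA256.

    The iteration count is the knob the talk calls the complexity of the
    "key computing function": every guess, legitimate or not, pays for it.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen)


def calibrate_iterations(target_seconds: float, probe_iterations: int = 10_000) -> int:
    """Pick an iteration count so one derivation takes about target_seconds here.

    This is the "make the interface responsive on the phone" side: measure a
    probe run on the actual device and scale. A floor of 1000 keeps a very
    fast machine from choosing a count that is trivially cheap elsewhere.
    """
    salt = b"calibration-salt"  # constructed; any fixed salt works for timing
    start = time.perf_counter()
    derive_key("calibration-password", salt, probe_iterations)
    per_iteration = (time.perf_counter() - start) / probe_iterations
    return max(1000, int(target_seconds / per_iteration))


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords for a fixed alphabet and length."""
    return alphabet_size ** length


def exhaustive_search_seconds(keyspace: int, attacker_iterations_per_second: float,
                              iterations: int) -> float:
    """Worst-case time to try every candidate at a given PBKDF2 throughput.

    The attacker's guesses per second is their raw iteration throughput
    divided by the iteration count, so raising the count divides the guess
    rate by the same factor.
    """
    guesses_per_second = attacker_iterations_per_second / iterations
    return keyspace / guesses_per_second


if __name__ == "__main__":
    # Constructed attacker profiles (assumptions, not figures from the talk).
    attackers = {"single CPU (assumed)": 1e6, "GPU rig (assumed)": 1e9}
    candidates = {
        "7-digit pattern lock (e.g. 1425698)": keyspace_size(10, 7),
        "8 lowercase letters": keyspace_size(26, 8),
        "12 mixed characters": keyspace_size(62, 12),
    }
    iterations = calibrate_iterations(0.1)  # 100 ms budget on this machine
    print(f"iterations for a 100 ms derivation on this host: {iterations}")
    for label, space in candidates.items():
        for who, rate in attackers.items():
            secs = exhaustive_search_seconds(space, rate, iterations)
            print(f"{label:38s} vs {who:20s}: {secs / 86400:14.1f} days")
```

The calibration number is only meaningful when run on the constrained device itself; running it on a workstation gives a count that will feel slow on a 2012-era BlackBerry, which is exactly the mismatch the speakers describe. The search-time table makes the other half of the argument visible: for a short numeric password no sensible iteration count rescues it from a GPU, so the iteration count buys time only in proportion to the size of the keyspace the user can actually type.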