Archive for the ‘Security’ Category

UPEK Fingerprint Readers: a Huge Security Hole

Tuesday, August 28th, 2012

Most laptops today ship with a fingerprint reader. Most likely, you have a laptop with one. Until very recently, most major manufacturers such as Acer, ASUS, Dell, Gateway, Lenovo, MSI, NEC, Samsung, SONY, Toshiba, and many others were using fingerprint readers manufactured by a single company: UPEK.

Preface

ElcomSoft discovered a major flaw with UPEK Protector Suite, which was the software shipped with the majority of laptops equipped with UPEK fingerprint readers until the company was acquired by Authentec and switched to different software. Even today, when UPEK is acquired by Authentec which now uses TrueSuite® software, many (or most) existing laptop users will simply stay with the old flawed software, not feeling the need to upgrade.

Does Fingerprinting the User Lead to Tighter Security?

Laptops normally come loaded with pre-installed software. Among other things manufacturers install on your brand-new laptop is software communicating with UPEK readers: UPEK Protector Suite. The suite manages fingerprint reading hardware, offering users the convenience of substituting the typing of passwords with a single swipe of a finger. Ultimately, UPEK Protector Suite caches your passwords, offering near-instant login to Web sites and Windows itself.

Logging into Windows by swiping a finger instead of clicking and typing a (probably long and complex) password sounds tempting. And, it works. A simple swipe of your finger, and you’re in. Wonderful; but what about security?

Here’s what UPEK says on its Web site about the Windows login: “Protector Suite QL allows for secure access to Windows by swiping your finger instead of typing a password.” Notice the “secure” part? Well, we found out UPEK makes Windows login anything but secure. In fact, the UPEK’s implementation is nothing but a big, glowing security hole compromising (and effectively destroying) the entire security model of Windows accounts.

The Issue with UPEK Protector Suite

After analyzing a number of laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite, we found that your Windows account passwords are stored in Windows registry almost in plain text, barely scrambled but not encrypted. Having physical access to a laptop running UPEK Protector Suite, we could extract passwords to all user accounts with fingerprint-enabled logon. Putting things into perspective: Windows itself never stores account passwords unless you enable “automatic login”, which is discouraged by Microsoft. If you use the Windows auto-logon feature, you’ll see a message saying “Using automatic logon can pose a security risk because anyone that has access to your computer will have access to your programs and personal files.” Simply said, no corporate user will ever use this “automatic logon” feature, which is often banned by corporate security policies.

However, fingerprint logon is rarely, if ever, barred. The common perception is that biometric logon is just as, or maybe more secure than password-based one. While biometric logon could be implemented that way, UPEK apparently failed. Instead of using a proper technique, they preferred the easy route: UPEK Protector Suite simply stores the original password to Windows account, making it possible for an intruder to obtain one.

Storing Windows account passwords in plain text is bad practice. It defeats the entire purpose of enhanced security. In fact, with current implementation, we cannot speak of any security as the entire PC becomes extremely easy to exploit to anyone aware of this vulnerability. This time around, UPEK made it completely wrong, introducing a paper link to a stainless steel chain.

If Your Windows Logon Password Is Compromised

What happens if someone gets to know your Windows account password? First, they obviously gain access to all your files and documents. Of course, if they had your laptop and its hard drive at their disposal, they could to that anyway – with one exception: they would not be able to read EFS-encrypted files (those that have the “Encrypt contents to secure data” checkbox ticked in the file properties – Attributes – Advanced). EFS encryption is extremely strong and impossible to break without knowing the original Windows account password.

And here comes UPEK Protector Suite. Conveniently storing your plain-text account password, the suite gives the intruder the ability to access your used-to-be-protected EFS encrypted files. Bummer.

The Scope of the Issue

The scope of this issue is extremely broad. It is not limited to a certain laptop model or manufacturer. All laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite are susceptible. If you ever registered your fingerprints with UPEK Protector Suite for accelerated Windows logon and typed your account password there, you are at risk.

Course of Action

If you care about security of your Windows account, launch UPEK Protector Suite and disable the Windows logon feature. That should clear the stored password for your account. Note that you should clear all stored account passwords to protect all user accounts.

What We Did

ElcomSoft will not disclose full detail in the interests of public responsibility. We notified former UPEK about the issue (but sure enough they know about it). We also prepared a demo application, which displays partial login credentials of users who enabled fingerprint login. We won’t give it away to general public; only a limited number of hi-tech journalists will receive this software.

Adobe Acrobat X Support in Advanced PDF Password Recovery

Thursday, June 14th, 2012

We updated Advanced PDF Password Recovery to add Acrobat X support, recovering the original password and instantly removing various access restrictions in PDF documents produced by Adobe Acrobat X.

Removing PDF Access Restrictions

Many PDF documents come with various access restrictions that disable certain features such as the ability to print documents, copy selected text or save filled forms. If a PDF file can be opened without a password, the new release can instantly unlock restricted PDF files produced by Adobe Acrobat X even if the original password is not known.

(more…)

New Hardware Key for iPad 3 Passcode Verification or Is It Just Masking?

Friday, June 8th, 2012

Few days ago we have updated our iOS Forensic Toolkit to version 1.15 which includes some bugfixes and improvements and, most notably, supports passcode recovery on the new iPad (also known as iPad 3). There are no significant changes from the practical point of view (i.e. the process of passcode recovery is still exactly the same), but there is something new under the hood. So if you’re interested in iOS security and how stuff works, please read on.

(more…)

Explaining that new iCloud feature

Tuesday, May 29th, 2012

It’s been almost two weeks since we have released updated version of Elcomsoft Phone Password Breaker that is capable of downloading backups from the iCloud and we have seen very diverse feedback ever since. Reading through some articles or forum threads it became quite evident that many just do not understand what we have actually done and what are the implications. So I am taking another try to clarify things.

(more…)

ElcomSoft Helps Investigate Crime Providing Yet Another Way to Break into iOS with iCloud Attack

Tuesday, May 15th, 2012

 

Elcomsoft Phone Password Breaker and Elcomsoft iOS Forensic Toolkit have been around for a while, acquiring user information from physical iPhone/iPad devices or recovering data from user-created offline backups. Both tools required the investigator to have access to the device itself, or at least accessing a PC with which the iOS device was synced at least once. This limited the tools’ applications to solving the already committed crime, but did little to prevent crime that’s just being planned.

The new addition to the family of iOS acquisition tools turns things upside down. Meet updated Elcomsoft Phone Password Breaker – a tool that can now retrieve information from suspects’ phones without them even noticing. The newly introduced attack does not need investigators to have access to the phone itself. It doesn’t even require access to offline backups produced by that phone. Instead, the new attack targets an online, remote storage provided by Apple. By attacking a remote storage, the updated tool makes it possible watching suspects’ iPhone activities with little delay and without alerting the suspects. In fact, the tool can retrieve information from the online storage without iPhone users even knowing, or having a chance to learn about the unusual activity on their account. (more…)

New Features in EPPB

Thursday, April 5th, 2012

When it comes to adding new features to our products we try to focus on our customers’ needs and it is my pleasure today to announce a preview (or beta) version of our Phone Password Breaker tool with new features requested (or inspired) by our valued customers users :)

Here’s the wrap-up of new features.

(more…)

Mobile password keepers don’t keep the word

Friday, March 16th, 2012

We’ve analyzed 17 popular password management apps available for Apple iOS and BlackBerry platforms, including free and commercially available tools, and discovered that no single password keeper app provides a claimed level of protection. None of the password keepers except one are utilizing iOS or BlackBerry existing security model, relying on their own implementation of data encryption. ElcomSoft research shows that those implementations fail to provide an adequate level of protection, allowing an attacker to recover encrypted information in less than a day if user-selectable Master Password is 10 to 14 digits long.

The Research

Both platforms being analyzed, BlackBerry and Apple iOS, feature comprehensive data security mechanisms built-in. Exact level of security varies depending on which version of Apple iOS is used or how BlackBerry users treat memory card encryption. However, in general, the level of protection provided by each respective platform is adequate if users follow general precautions.

The same cannot be said about most password management apps ElcomSoft analyzed. Only one password management app for the iOS platform, DataVault Password Manager, stores passwords in secure iOS-encrypted keychain. This level of protection is good enough by itself; however, that app provides little extra protection above iOS default levels. Skipping the complex math (which is available in the original whitepaper), information stored in 10 out of 17 password keepers can be recovered in a day – guaranteed if user-selectable master password is 10 to 14 digits long, depending on application. What about the other seven keepers? Passwords stored in them can be recovered instantly because passwords are either stored unencrypted, are encrypted with a fixed password, or are simply misusing cryptography.

Interestingly, BlackBerry Password Keeper and Wallet 1.0 and 1.2 offer very little protection on top of BlackBerry device password. Once the device password is known, master password(s) for Wallet and/or Password Keeper can be recovered with relative ease.

In the research we used both Elcomsoft Phone Password Breaker and Elcomsoft iOS Forensic Toolkit.

Recommendations

Many password management apps offered on the market do not provide adequate level of security. ElcomSoft strongly encourages users not to rely on their advertised security, but rather use iOS or BlackBerry built-in security features.

In order to keep their data safe, Apple users should set up a passcode and a really complex backup password. The unlocked device should not be plugged to non-trusted computers to prevent creation of pairing. Unencrypted backups should not be created.

BlackBerry users should set up a device password and make sure media card encryption is off or set to “Encrypt using Device Key” or “Encrypt using Device Key and Device Password” in order to prevent attackers from recovering device password based on what’s stored on the media card. Unencrypted device backups should not be created.

The full whitepaper is available at http://www.elcomsoft.com/WP/BH-EU-2012-WP.pdf

ElcomSoft Discovers Most of Its Customers Want Stricter Security Policies but Won’t Bother Changing Default Passwords

Wednesday, February 22nd, 2012

We runned yet another Password Usage Bahaviour survey on our Web site and gthered statistically significant data, reflected in the following charts. And the main conclusion was that most people working with sensitive information want stricter security policies but rarely bother changing default passwords.

Less than 50% of all respondents come from Computer Law, Educational, Financial, Forensics, Government, Military and Scientific organizations. The larger half of respondents comes from ‘Other’ type of organizations.

Less than 30% of respondents indicated they have never forgotten a password. Most frequently quoted reasons for losing a password to a resource would be infrequent use of a resource (28%), not writing it down (16%), returning from a vacation (13%).

Only about 25% of all respondents indicated they change their passwords regularly. The rest will either change their passwords infrequently (24%), sporadically or almost never.

The quiz revealed a serious issue with how most respondents handle default passwords (passwords that are automatically generated or assigned to their accounts by system administrators). Only 28% of respondents would always change the default password, while more than 50% would usually keep the assigned one. In ElcomSoft’s view, this information should really raise an alert with IT security staff and call for a password security audit. ElcomSoft offers a relevant tool, Proactive Password Auditor, allowing organizations performing an audit of their network account passwords.

Unsurprisingly for a sample with given background, most respondents weren’t happy about their organizations’ security policies, being in either full or partial disagreement with their employer’s current policy (61%). 76% of all respondents indicated they wanted a stricter security policy, while 24% would want a looser one. The surprising part is discovered in the next chart: of those who are fully content with their employers’ security policies, only 11% would leave it as it is, 20% would vote for a looser policy, and 69% would rather have a stricter security policy.

The complete results and charts are available at http://www.elcomsoft.com/PR/quiz-charts.pdf

Newer iOS Forensic Toolkit Acquires iPhones in 20 Minutes, Including iOS 5

Tuesday, November 1st, 2011

iOS 5 Support

When developing the iOS 5 compatible version of iOS Forensic Toolkit, we found the freshened encryption to be only tweaked up a bit, with the exception of keychain encryption. The encryption algorithm protecting keychain items such as Web site and email passwords has been changed completely. In addition, escrow keybag now becomes useless to a forensic specialist. Without knowing the original device passcode, escrow keys remain inaccessible even if they are physically available.

What does enhanced security mean for the user? With iOS 5, they are getting a bit more security. Their keychain items such as Web site, email and certain application passwords will remain secure even if their phone falls into the hands of a forensic specialist. That, of course, will only last till the moment investigators obtain the original device passcode, which is only a matter of time if a tool such as iOS Forensic Toolkit is used to recover one.

What does this mean for the forensics? Bad news first: without knowing or recovering the original device passcode, some of the keychain items will not be decryptable. These items include Web site passwords stored in Safari browser, email passwords, and some application passwords.

Now the good news: iOS Forensic Toolkit can still recover the original plain-text device passcode, and it is still possible to obtain escrow keys from any iTunes equipped computer the iOS device in question has been ever synced or connected to. Once the passcode is recovered, iOS Forensic Toolkit will decrypt everything from the keychain. If there’s no time to recover the passcode or escrow keys, the Toolkit will still do its best and decrypt some of the keychain items.

Faster Operation

Besides adding support for the latest iOS 5, Elcomsoft iOS Forensic Toolkit becomes 2 to 2.5 times faster to acquire iOS devices. When it required 40 to 60 minutes before, the new version will take only 20 minutes. For example, the updated iOS Forensic Toolkit can acquire a 16-Gb iPhone 4 in about 20 minutes, or a 32-Gb version in 40 minutes.

EPPB: Now Recovering BlackBerry Device Passwords

Thursday, September 29th, 2011

Less than a month ago, we updated our Elcomsoft Phone Password Breaker tool with the ability to recover master passwords for BlackBerry Password Keeper and BlackBerry Wallet. I have blogged about that and promised the “next big thing” for BlackBerry forensics to be coming soon. The day arrived.

(more…)