Evaluating the security of password managers on handphone devices

Max Chee
CSG @ GovTech
8 min read · Jan 6, 2021

A password manager is software that allows users to store, generate and manage their personal passwords. These passwords are, in turn, protected by a master password.

Password managers are an enticing target for attackers as they contain the crown jewels — a user’s login credentials. Password managers typically restrict access to the stored passwords until the master password has been entered. Some also use the master password as the encryption key for the password database. It is therefore important for a password manager’s developers to be security conscious when handling the master password.

There are other attack vectors that a password manager must be protected against, such as backend vulnerabilities if the manager syncs its database to the cloud. This article focuses on the client-side security challenges that arise if the device is compromised or if an attacker gains physical access to it.

I will also take a closer look at two password managers I tested and the vulnerabilities I discovered in their security design. A quick point of order: as a responsible cybersecurity professional, I reported the vulnerabilities to the respective vendors prior to publishing this article.

Evaluating the security of “Lock Password Manager”

Back in January 2020, I stumbled upon a backdoor in one of the password managers on the iOS app store.

Figure 1. Lock Password Manager App on the iOS App Store

While setting up the password manager, the user is prompted multiple times to back up the master password, as the application has no feature to recover a forgotten master password.

Figure 2. Password manager reminding users to back up the master password

I started by analysing the program’s response to a correct and a wrong password. When a wrong password was entered, the password manager did something strange: it checked the input against the fixed string *#06#*.

This was unusual behaviour, as there is no need to compare against a fixed string once the password keyed in by the user has already been found to be wrong.

Figure 3. Backdoor password in Lock Password Manager

It turns out that this was a backdoor programmed by the developer to unlock the password manager. When *#06#* was entered as the password, it acted as a recovery master password and unlocked the password manager. With this knowledge, an adversary with physical access to the phone could gain access to all existing password entries in the password manager.

On top of that, the developer was storing the master password unencrypted in the app group plist. This file can be extracted from a jailbroken device, so an adversary with physical access to the phone could jailbreak it and read the master password directly (Figure 4).

Figure 4. Unencrypted master password stored in group plist

Vulnerable software:

Lock Password Manager Safe app 2.3 for iOS

CVE Registered:

CVE-2020-29392 — Backdoor in a password manager

In the next part of the article, I will focus on password authentication. My objective is simple: is it possible to bypass the master password to access existing entries in popular password managers?

Evaluating the security of LastPass

LastPass is a freemium password manager that stores the user’s saved passwords online and offline in encrypted form. The standard version of LastPass comes with a web interface and also includes plugins for various web browsers and smartphone apps. This popular password manager is used by both enterprise and personal users.

I signed up for an account on LastPass and used the default security settings as shown in Figure 5.

Figure 5. Default security settings for LastPass

By default, users stay logged in to LastPass even when the application is closed. In addition, Touch ID verification is enabled by default, and the vault is only locked after 5 minutes of inactivity.

As shown in Figure 6, when the vault is locked, users can unlock it either through Touch ID or by entering the master password.

Figure 6. LastPass Lock Screen

Vulnerability #1: Password validation bypass through debugging

For this vulnerability, I unlock the vault using a wrong master password.

Figure 7. CheckPW is called during master password validation in lock screen

From the pseudocode in Figure 7, we observe that the lock screen checks whether the input password is the same as the master password.

Figure 8. Input master password is passed to function checkPW and the result will be passed to handleMasterPassword

The result of checkPW is then passed to the function handleMasterPassword as shown in Figure 8.

Figure 9. Lock screen unlocks if the master password is correct

If the master password is correct, the screen unlocks as shown in Figure 9. Throughout the process, the input password is NOT used to decrypt the vault; it only decides a yes/no result.

This is an insecure design because an adversary can bypass the password comparison altogether. With a debugger attached, the register holding the comparison result can be modified so that the lock screen opens regardless of the password entered, as demonstrated in the next section.

Proof of Attack

1. First, I jailbroke the “clean device” and set up the debug server on my iPhone.

2. I then SSH’ed into my iOS device and started the debug server waiting for LastPass by typing:

a. debugserver localhost:6666 -waitfor "LastPass"

3. Following that, I set up my debugger to connect to this application:

a. iproxy 6666 6666

b. lldb

c. platform select remote-ios

d. process connect connect://localhost:6666

4. Once the debugger was attached, I set a breakpoint on the function:

a. b ___lldb_unnamed_symbol21245$$LastPass

Figure 10. Breakpoint set on CheckPW

5. Next, I entered a wrong master password into the password field. This caused the application to hit the breakpoint.

Figure 11. Entered wrong master password into LastPass

6. I then used the lldb command “disas” to disassemble the current function, found the instruction that consumes the result of the isEqual comparison at address 0x100ddcbc0 (Figure 12), and set a breakpoint there.

Figure 12. Found address of return result for isEqual comparison

7. Entering the wrong master password caused isEqual to return 0x0 in the x0 register, indicating a failure. The highlighted instruction (mov x20, x0) in Figure 12 copies that result onward. Before resuming the app, I changed the contents of x0 from 0x0 to 0x1, causing the app to behave as if the correct password had been entered.

Figure 13. Changing value in assembly register x0 after isEqual comparison

8. The vault was now unlocked. As the screenshot in Figure 14 shows, I was able to access all the saved passwords in the vault.

Figure 14. Accessing saved passwords in LastPass after keying in wrong master password

Vulnerable software:

LastPass Password Manager 4.8.11.2403 on iOS

CVE Registered:

CVE-2020-35208 — Bypass password authentication to unlock vault

Vulnerability #2: PIN validation bypass through debugging

Another way to unlock LastPass is through the LastPass PIN code. This 6-digit PIN can be used as an alternative to the master password to unlock LastPass. For this vulnerability, I had to enable authentication through the LastPass PIN code.

Figure 15. Authentication through LastPass PIN code enabled

Once the LastPass PIN code is enabled, a new lock screen is displayed that prompts the user for their PIN instead of the master password.

Figure 16. PIN authentication used to unlock LastPass

Similarly, I discovered that the PIN verification was implemented insecurely. The function merely performs a string comparison whose result can be overridden in the same way. The input PIN is once again NOT used to decrypt the vault. The affected function is [LPLockScreenViewController checkPin:].

Figure 17. LastPass PIN comparison through isEqualToString

Proof of Attack

1. First, I jailbroke the “clean device” and set up the debug server on my iPhone.

2. I then SSH’ed into my iOS device and started the debug server waiting for the LastPass application by typing:

a. debugserver localhost:6666 -waitfor "LastPass"

3. Following that, I set up my debugger to connect to this application:

a. iproxy 6666 6666

b. lldb

c. platform select remote-ios

d. process connect connect://localhost:6666

4. Once the debugger was attached, I set a breakpoint on the function:

a. b ___lldb_unnamed_symbol1597$$LastPass

Figure 18. Debugging and setting a breakpoint for LastPass checkPin

5. A wrong PIN code was entered on the iOS device, which hit the breakpoint. Next, I used the lldb command “disas” to disassemble the current function, found the instruction that consumes the result of the isEqualToString comparison at address 0x104e39bc0 (Figure 19), and set a breakpoint there.

Figure 19. Register w0 holds the result of the isEqualToString comparison

6. The highlighted value in register w0 in Figure 19 held the return result of the isEqualToString comparison. Since a wrong PIN code was entered, the result is always 0x0. The check can be bypassed by performing a register write of 0x1 to w0.

Figure 20. Changing the value in register w0 to 0x1

7. Returning to the application, I was able to access all the saved passwords in the vault.

Vulnerable software:

LastPass Password Manager 4.8.11.2403 on iOS

CVE Registered:

CVE-2020-35207 — Bypass PIN authentication to unlock vault

Recommendations for security vulnerabilities discovered

In this article, I have demonstrated how password managers can be vulnerable to attacks due to insecure password authentication. To better protect yourself, you should always:

1. Set a security PIN or passcode for your mobile device. This ensures that before an adversary can launch an attack on your stolen iPhone, they would first need access to an unlocked device.

2. Use the logout feature in LastPass. The methods described above to bypass password authentication do not work if you have logged out of LastPass, because the vault is no longer held in a decrypted state.

3. Keep your password managers updated to the latest version. Staying on the latest version reduces the risk of known security vulnerabilities being exploited.
