Some hardware password managers do not adequately protect the data stored in them and allow passwords to be read in unencrypted form even after a factory reset.
According to Phil Eveleigh of Pen Test Partners, users can extract information from the affected devices by connecting directly to the flash memory chips on their circuit boards.
Using a Raspberry Pi, Eveleigh accessed the flash memory of the RecZone Password Safe hardware password manager and extracted its contents. Reading the data with the hexdump utility, he found that it was not encrypted.
“I could not believe it, the data was stored on the chip, in plain text! These are the details that I input into the device at the start of this process. This data should be encrypted as an absolute minimum for this… But it gets worse, I used the reset on the device and was asked to set a new master pin (as I had to at the very first bootup),” writes Phil Eveleigh.
Moreover, the stored information remained in memory even after the device was reset to factory settings. Only one thing changed: the PIN code used to unlock the device, which could itself also be extracted from the flash memory.
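As an added illustration of the check the researcher describes (this is not Pen Test Partners' tooling or code), the script below takes a raw dump of the chip such as hexdump would read, searches it for the credentials the owner typed in, measures the entropy of the record to distinguish plaintext from ciphertext, and compares a pre-reset dump with a post-reset dump to show what survived the reset. The dumps and the secrets are constructed sample bytes, not data from any real device.

```python
import math
from collections import Counter

# Constructed sample: a plaintext record as the article describes, preceded by a
# two-byte region standing in for the master PIN. These are invented bytes, not a
# real dump from the device.
SECRETS = ["example.com", "alice", "hunter2"]
RECORD = b"\x00" * 16 + b"example.com\x00alice\x00hunter2\x00" + b"\xff" * 16
DUMP_BEFORE = b"\x12\x34" + RECORD   # state after the user enters credentials
DUMP_AFTER = b"\x56\x78" + RECORD    # state after a factory reset: only the PIN bytes changed


def find_plaintext_secrets(dump: bytes, secrets: list[str]) -> dict[str, list[int]]:
    """Offsets at which each known secret appears verbatim (ASCII or UTF-16LE)."""
    hits: dict[str, list[int]] = {}
    for secret in secrets:
        offsets = []
        for enc in ("ascii", "utf-16-le"):
            needle = secret.encode(enc)
            start = 0
            while (pos := dump.find(needle, start)) != -1:
                offsets.append(pos)
                start = pos + 1
        hits[secret] = sorted(offsets)
    return hits

def block_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0..8). Encrypted data should sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def changed_blocks(before: bytes, after: bytes, block: int = 2) -> list[int]:
    """Offsets of blocks that differ between two dumps; a real wipe changes almost all of them."""
    size = max(len(before), len(after))
    return [i for i in range(0, size, block) if before[i:i + block] != after[i:i + block]]

def retained_after_reset(after: bytes, secrets: list[str]) -> list[str]:
    """Secrets still readable in the post-reset dump, i.e. the reset did not wipe storage."""
    return [s for s, offs in find_plaintext_secrets(after, secrets).items() if offs]

if __name__ == "__main__":
    print("plaintext hits:", find_plaintext_secrets(DUMP_BEFORE, SECRETS))
    print("record entropy (bits/byte):", round(block_entropy(RECORD), 2))
    print("blocks changed by reset:", changed_blocks(DUMP_BEFORE, DUMP_AFTER))
    print("secrets surviving reset:", retained_after_reset(DUMP_AFTER, SECRETS))
```

A device that encrypts at rest and wipes on reset should produce no plaintext hits, an entropy near 8 bits per byte over the record, and a changed-block list covering nearly the whole dump.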
According to Eveleigh, the problem is not limited to the RecZone Password Safe. Examining the Royal Password Vault Keeper, he found a CMOS chip. Unlike the RecZone, where data could be extracted with inexpensive equipment, here the researcher had to spend money, but the expense paid off. The device also implemented basic protection mechanisms, but he managed to bypass them.
In the Royal Password Vault Keeper the data was encoded, but with the help of cryptanalysis Eveleigh was able to decrypt it. As he puts it: “Encryption is not unique to each device and is one for all. That is, by breaking the encryption of one password manager, you can crack all of them.”
The third device examined, passwordsFAST, uses the I2C bus. Here the data was encrypted and was not as easy to extract as in the previous two cases. Although the researcher was unable to decrypt it, he did gain access to the microcontrollers, which in his view could theoretically allow the data to be obtained in the end.