CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Hardware-based Password Managers Store Credentials in Plaintext

A security researcher has analyzed three hardware-based password vaults and discovered that credentials are stored in plaintext and survive hardware resets. 

A security researcher has analyzed three hardware-based password vaults and discovered that credentials are stored in plaintext and survive hardware resets. 

The investigation into these three standalone password managers has revealed that, through hardware hacking, it is possible to read data directly from the chips on the board, security researcher Phil Eveleigh explains. 

Eveleigh tested RecZone Password Safe, passwordsFAST, and Royal Vault Password Keeper devices. A passcode is used to secure these devices, and users are also provided with the ability to add in the URL, username, and password for each site. 

“However one thing I did find consistent across all devices is the keyboard is hard to use and doesn’t encourage strong, complicated passwords,” the researcher explains. 

The analysis, Eveleigh says, starts with adding data to the device, then removing the device’s case to access the board and inspect it. 

The RecZone device has a basic board and uses an 8-pin flash chip to store data. The researcher was able to power the device’s chip through a Raspberry Pi and discovered that, once connected, the Pi could read the data on it and that the data was stored in plain text. 

Furthermore, he discovered that, even after resetting the device, the data was still present on the chip. The master 4 digit pin set after the reset was also present on the device, also in plaintext. 

“What this means is if a user presses the reset button and sells the device, all of their passwords can still be read in plain text directly off the chip,” the researcher notes. 

Advertisement. Scroll to continue reading.

Eveleigh says he contacted the manufacturer to inform them on the vulnerability, but did not receive a response. 

passwordsFAST requires a specific debugger and software to read the firmware from the chip, doesn’t support JTAG and doesn’t have a built in AES encryption module. 

The researcher was able to power it via the Raspberry Pi and discovered that the data was stored encrypted, apparently using a different encryption key for each device. 

To access the data, one would need to dump the firmware of the MCU and analyze the manner in which the information is being processed, or to try cryptoanalysis on the encrypted data, both techniques believed to be rather difficult to perform.

“There are some similarities between the two devices so far, they both use flash to store the data which means that the data can be read from both of them with basic cheap equipment,” the researcher notes. 

Royal’s Vault Password Keeper uses two boards, one with a SPI flash on it, which was found empty, and another with CMOS flash, which requires a universal programmer is required to read the chip.

What the researcher discovered was that the CMOS flash chip contained data from multiple users, suggesting the device was repurposed several times. 

While the data was held encrypted, the researcher identified the master pin within the data and then was able to decrypt the data by discovering encryption patterns. 

“This opens the device up to exploitation, where all the data off any of the devices can be decoded. We reached out to Royal to inform them of this security vulnerability, however they did not respond,” Eveleigh says. 

Related: Google’s USB-C Titan Security Key Arrives in the U.S.

Related: 1Password Raises $200 Million in Series A Funding

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.