
Duo Product Security Advisory

Advisory ID: DUO-PSA-2014-008
Publication Date: 2014-12-22
Status: Confirmed, Fixed
Document Revision: 2

Overview

Duo Security has identified an issue in the iOS Duo Mobile app that may allow credentials to be backed up in an encrypted form to a user's local machine via iTunes.

Description

The Duo Mobile application takes special steps to harden its credential storage on each mobile platform. On iOS, Duo Mobile leverages the Keychain service, a platform-provided framework for securely storing Duo user credentials (e.g., the private key for Duo Push).

The Keychain service also offers security attributes that can provide additional hardening. In particular, it allows a restriction to be set that Keychain items backed up using iTunes to a local machine via USB must only be restored to the same device. In other words, the encrypted backup is tied to a device-specific key and therefore cannot be restored to a different iOS device.

While this special Keychain attribute requires that a user must reactivate their Duo account upon purchasing a new iOS device (either via an administrator or the user self-service portal), we deemed it a useful hardening measure for Duo Mobile credentials.

However, we recently discovered a regression in Duo Mobile, where that security attribute was not properly being applied to Keychain items containing Duo user credentials, starting with Duo Mobile 3.0.

Impact

As the intended Keychain security attribute was not being applied to credentials stored with Duo Mobile, user-initiated encrypted backups of their iOS device using iTunes to a local machine via USB may contain the user's Duo credentials.

Note: Unencrypted iTunes backups, iCloud backups, and the iCloud Keychain are unaffected and will not contain any Duo Mobile credentials.

If an attacker was able to obtain the encrypted iTunes backup from the user's local machine AND capture the password used to encrypt it, they may be able to restore that backup on a different iOS device of their choosing and use Duo Mobile to forge second-factor authentication attempts to Duo's service.

Affected Product(s)

  • Duo Mobile for iOS >= 3.0 and < 3.5.1.

Solution

Duo Mobile for iOS 3.5.1 was published to the iTunes App Store on December 16th, 2014. This version fixes the issue by creating Keychain items with the correct security attribute (kSecAttrAccessibleWhenUnlockedThisDeviceOnly).

In addition, upon upgrading to the new 3.5.1 version, the app will update all existing items in the Keychain with the correct accessibility attribute.

Users should upgrade to this version through the iTunes App Store to prevent any potential exposure of Duo Mobile credentials in their device backups.
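The following Objective-C snippet is an added illustration of the fix described above and is not Duo Mobile's own code. It shows the three pieces a defender cares about: creating a Keychain item with kSecAttrAccessibleWhenUnlockedThisDeviceOnly, migrating an item that was created without that restriction (the regression), and reading the attribute back to verify the item is device-bound. The service and account names are placeholders chosen for the example.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Placeholder lookup keys for the example; not Duo's identifiers.
static NSString * const kExampleService = @"com.example.second-factor";
static NSString * const kExampleAccount = @"push-private-key";

// Query that identifies the single credential item used throughout.
static NSDictionary *CredentialQuery(void) {
    return @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kExampleService,
        (__bridge id)kSecAttrAccount: kExampleAccount,
    };
}

// Store a secret so it is readable only while the device is unlocked AND
// is encrypted under a device-bound key, so an encrypted iTunes backup can
// only be restored to this same device.
OSStatus StoreCredentialDeviceOnly(NSData *secret) {
    // Remove any prior copy so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete((__bridge CFDictionaryRef)CredentialQuery());

    NSMutableDictionary *attrs = [CredentialQuery() mutableCopy];
    attrs[(__bridge id)kSecValueData] = secret;
    attrs[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
}

// Migrate an item that was created without the ThisDeviceOnly restriction.
// Updating kSecAttrAccessible makes the Keychain re-wrap the item under the
// device-bound protection class; this is the "update existing items" step
// an app performs once on upgrade.
OSStatus MigrateCredentialToDeviceOnly(void) {
    NSDictionary *update = @{
        (__bridge id)kSecAttrAccessible:
            (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    };
    // Returns errSecItemNotFound if there is nothing to migrate.
    return SecItemUpdate((__bridge CFDictionaryRef)CredentialQuery(),
                         (__bridge CFDictionaryRef)update);
}

// Verification: read the item's attributes (not its data) and confirm the
// accessibility class is the device-bound one.
BOOL CredentialIsDeviceBound(void) {
    NSMutableDictionary *query = [CredentialQuery() mutableCopy];
    query[(__bridge id)kSecReturnAttributes] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;

    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess || result == NULL) {
        return NO;
    }
    NSDictionary *attrs = CFBridgingRelease(result);
    NSString *accessible = attrs[(__bridge id)kSecAttrAccessible];
    return [accessible isEqualToString:
            (__bridge NSString *)kSecAttrAccessibleWhenUnlockedThisDeviceOnly];
}
```

Running MigrateCredentialToDeviceOnly() once at first launch after an upgrade, then asserting CredentialIsDeviceBound() in a test build, is the kind of regression check that would have caught the attribute being dropped in 3.0: the attribute is easy to omit silently, because SecItemAdd succeeds either way.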

Workaround

There is no complete workaround for this issue. However, users can delete any existing encrypted device backups and avoid performing any new backups until they have updated to Duo Mobile 3.5.1.

Alternatively, an administrator can re-activate a user's Duo Mobile account in the administrative interface to force the invalidation of any backed-up credentials. Please note that existing Duo Mobile credentials will not be invalidated until the user completes the re-activation process (i.e. opens a new activation link in Duo Mobile).

Vulnerability Metrics

Vulnerability Class: Improper Cross-boundary Removal of Sensitive Data (CWE-212)
Remotely Exploitable: No
Authentication Required: Yes
Severity: Low
CVSSv2 Overall Score: 2.8
CVSSv2 Group Scores: Base: 4.4, Temporal: 3.8, Environmental: 2.8
CVSSv2 Vector: (AV:L/AC:M/Au:S/C:C/I:N/A:N/E:H/RL:OF/RC:C/CDP:ND/TD:M/CR:M/IR:M/AR:L)

References

Timeline

2014-12-02

  • A Duo customer reports unexpected behavior of their accounts being restored successfully to a new iOS device.
  • Duo acknowledges receipt of report; begins investigation.

2014-12-04

  • Additional communication with the customer to confirm the reported issue.

2014-12-08

  • Duo confirms the issue in the iOS version of Duo Mobile and begins implementing a fix.

2014-12-10

  • Duo completes the fix and submits an updated Duo Mobile 3.5.1 to the iTunes App Store.

2014-12-16

  • Duo Mobile 3.5.1 is approved by Apple and is released to end users.

2014-12-22

  • Duo shares advisory with affected Enterprise customers.

2015-01-12

  • Advisory is updated to clarify re-activation procedure.
  • Duo shares advisory with affected Business customers.

Credits/Contact

Duo would like to thank the customer who reported this issue to us.

If you require the assistance of our support team regarding this issue, please contact support@duosecurity.com and reference "DUO-PSA-2014-008" in the subject.