Advisory ID: DUO-PSA-2014-008
Publication Date: 2014-12-22
Status: Confirmed, Fixed
Document Revision: 2
Duo Security has identified an issue in the iOS Duo Mobile app that may allow Duo credentials to be included, in encrypted form, in an iTunes backup of the device stored on the user's local machine.
The Duo Mobile application takes special steps to harden its credential storage on each mobile platform. On iOS, Duo Mobile leverages the Keychain service, a platform-provided framework for securely storing Duo user credentials (e.g. the private key for Duo Push).
The Keychain service also offers security attributes that provide additional hardening. In particular, an item can be marked so that, when it is included in an encrypted iTunes backup made to a local machine via USB, it can only be restored to the same device. In other words, the backed-up item is protected by a device-specific key and therefore cannot be restored to a different iOS device.
While this special Keychain attribute requires that a user must reactivate their Duo account upon purchasing a new iOS device (either via an administrator or the user self-service portal), we deemed it a useful hardening measure for Duo Mobile credentials.
However, we recently discovered a regression in Duo Mobile: starting with Duo Mobile 3.0, that security attribute was no longer being applied to the Keychain items containing Duo user credentials.
Because the intended Keychain security attribute was not applied to credentials stored by Duo Mobile, user-initiated encrypted backups of the iOS device made with iTunes to a local machine via USB may contain the user's Duo credentials in a form that is not bound to the originating device.
Note: Unencrypted iTunes backups, iCloud backups, and the iCloud Keychain are unaffected and will not contain any Duo Mobile credentials.
If an attacker were able to obtain the encrypted iTunes backup from the user's local machine AND capture the password used to encrypt it, they may be able to restore that backup onto a different iOS device of their choosing and use Duo Mobile to forge second-factor authentication responses to Duo's service.
Duo Mobile for iOS 3.5.1 was published to the iTunes App Store on December 16th, 2014. This version fixes the issue by creating Keychain items with the correct security attribute (kSecAttrAccessibleWhenUnlockedThisDeviceOnly).
In addition, upon upgrading to the new 3.5.1 version, the app will update all existing items in the Keychain with the correct accessibility attribute.
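The following Swift sketch is an added example of the two steps the fix describes, not Duo Mobile's own code: writing a credential with kSecAttrAccessibleWhenUnlockedThisDeviceOnly, re-tagging items that an earlier build created without the attribute, and an audit that reports any item under the app's service that is still not device-bound. The service and account names are assumptions chosen for illustration; only the Security framework calls (SecItemAdd, SecItemUpdate, SecItemCopyMatching, SecItemDelete) are real.

```swift
import Foundation
import Security

// Hypothetical identifiers for the stored credential (assumption: illustrative only,
// not the service/account names Duo Mobile actually uses).
let credentialService = "com.example.secondfactor"
let credentialAccount = "push-private-key"

// Query that selects the credential item without carrying any secret data.
private func baseQuery() -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: credentialService,
        kSecAttrAccount as String: credentialAccount,
    ]
}

/// Stores a credential so it is bound to this device. Without kSecAttrAccessible the item
/// defaults to kSecAttrAccessibleWhenUnlocked, which an encrypted iTunes backup can restore
/// onto another device; the ThisDeviceOnly variant is wrapped with a device-specific key.
func storeDeviceBoundCredential(_ secret: Data) -> OSStatus {
    var attributes = baseQuery()
    attributes[kSecValueData as String] = secret
    attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    // Replace any previous copy so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete(baseQuery() as CFDictionary)
    return SecItemAdd(attributes as CFDictionary, nil)
}

/// Migration for items written by an older build without the attribute: re-tag them in
/// place rather than reading the secret out and writing it back.
func bindExistingCredentialToDevice() -> OSStatus {
    let update: [String: Any] = [
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    ]
    let status = SecItemUpdate(baseQuery() as CFDictionary, update as CFDictionary)
    // errSecItemNotFound is not a failure here: a fresh install has nothing to migrate.
    return status == errSecItemNotFound ? errSecSuccess : status
}

/// Audit: lists every item under our service whose accessibility attribute would let it
/// be restored onto a different device. An empty result is the expected state after the fix.
func credentialsNotBoundToDevice() -> [String] {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: credentialService,
        kSecMatchLimit as String: kSecMatchLimitAll,
        kSecReturnAttributes as String: true,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let items = result as? [[String: Any]] else { return [] }

    let deviceBound: Set<String> = [
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly as String,
        kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly as String,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly as String,
    ]
    return items.compactMap { attrs in
        let account = attrs[kSecAttrAccount as String] as? String ?? "?"
        // Items created without the attribute report the default, kSecAttrAccessibleWhenUnlocked.
        let accessible = attrs[kSecAttrAccessible as String] as? String ?? "(not reported)"
        return deviceBound.contains(accessible) ? nil : "\(account): \(accessible)"
    }
}
```

Running the audit before and after bindExistingCredentialToDevice() on a device that still carries an old item is the quickest way to confirm the migration took effect without performing a backup-and-restore cycle. The trade-off is the one the advisory notes: a ThisDeviceOnly item will not follow the user to a new device through a restore, so the app must be prepared to re-activate there.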
Users should upgrade to this version through the iTunes App Store to prevent any potential exposure of Duo Mobile credentials in their device backups.
There is no complete workaround for this issue. However, users can delete any existing encrypted device backups and avoid performing any new backups until they have updated to Duo Mobile 3.5.1.
Alternatively, an administrator can re-activate a user's Duo Mobile account in the administrative interface to force the invalidation of any backed-up credentials. Please note that existing Duo Mobile credentials will not be invalidated until the user completes the re-activation process (i.e. opens a new activation link in Duo Mobile).
Vulnerability Class: Improper Cross-boundary Removal of Sensitive Data (CWE-212)
Remotely Exploitable: No
Authentication Required: Yes
CVSSv2 Overall Score: 2.8
CVSSv2 Group Scores: Base: 4.4, Temporal: 3.8, Environmental: 2.8
CVSSv2 Vector: (AV:L/AC:M/Au:S/C:C/I:N/A:N/E:H/RL:OF/RC:C/CDP:ND/TD:M/CR:M/IR:M/AR:L)
Duo would like to thank the customer who reported this issue to us.
If you require the assistance of our support team regarding this issue, please contact firstname.lastname@example.org and reference "DUO-PSA-2014-008" in the subject.