SIK-2017-003
Title: Insecure Crypto Keys in Lufthansa App
Report ID: SIK-2017-003
Summary:
- Vendor: Deutsche Lufthansa AG
- Product: Lufthansa App
- Affected Version: 5.6.1
- Severity: medium
- Short summary: The Lufthansa app uses insecure mechanisms for handling crypto keys: the legacy method uses an insecure key derivation and the new method stores the key improperly.
Details:
The Lufthansa app allows the user to store, among other data, his credentials. There are two different techniques for storing sensitive information. The new technique is implemented in the KeyChain class and writes its data to a file called „search.cache“. The older one is implemented in the LegacyKeyChain class and writes its data to the „search2.cache“ file. Both techniques use AES to encrypt the data, where the AES key is derived from a passphrase. If the „search.cache“ file from the old technique is found, the data is automatically migrated to the new technique and the „search.cache“ file is deleted. Both techniques contain security vulnerabilities in how they handle their crypto keys.
1) Old legacy technique: In this technique, the passphrase used to derive the AES key is itself derived from device-specific data such as the device ID (IMEI) or, if no device ID is available, the Android ID. If neither value is available, a constant (0xac99a3c29954389) is used. These values are interpreted as long integers and are then used as seeds to initialize a random number generator. The output of the random number generator is finally used to construct the passphrase. Because the generator is deterministic and its seed is not secret, this generation process can easily be repeated by any other app on the same device, or even offline if the attacker knows the respective data. Therefore, the AES key is not actually secret.
2) New technique: With this technique, the passphrase is a random UUID stored in a file "ad_id_guid" in the app's private data directory. The UUID is generated once and then stored in the file, from where it is read when needed. Therefore, the key is protected only as well as the encrypted data stored in the same directory, and the encryption adds no additional security. An attacker who manages to access the encrypted data automatically also has access to the key, making the encryption useless.
In conclusion, with both techniques, the encryption is useless. An attacker who manages to extract the encrypted data from the device can also easily obtain the key and decrypt the data. The security of the user’s credentials is reduced to simple file protection, which is equivalent to no encryption at all.
This issue is rated "medium severity" because the attacker still needs another vulnerability to access the encrypted data for a full attack (e.g., in combination with SIK-2017-004).
Workaround:
Do not root your phone. Make sure to have a secure screen lock so that attackers cannot easily gain access to files stored on the device.
Suggested Mitigation:
For the encryption to add any extra security, the key must be properly protected. Consider using the Android keychain instead of custom approaches.
Timeline:
- 2017-01-12: Vulnerability discovered
- 2017-02-15: Reported
- 2017-05-17: Vulnerability fixed