Bitwarden PINs can be brute-forced
Summary
and you have configured a Bitwarden PIN as in the picture below, the attacker can brute-force the PIN and gain access to your vault’s master key.
Effectively, Bitwarden might as well store the data in plain text on disk.
Bitwarden doesn’t warn about this risk.
The Bitwarden desktop client and browser extensions allow the user to unlock Bitwarden with a PIN.
This PIN can be set up per device after logging in to an account using the master password.
All information pertaining to the PIN is stored locally on the device.
It cannot be used to sign in to an account (read: authenticate with the Bitwarden backend server), but it can be used to gain access to the vault data, which has been synced and stored locally in encrypted form.
Let’s now assume that the user enables the PIN unlock and configures Bitwarden so that it does not require the master password on restart.
Then a secret derived solely from the user’s e-mail and PIN will be used to encrypt the master vault key.
It stores roughly
on disk, where \(\mathcal{K}\) is a key derivation function.
This means that if an attacker can at any point gain access to the encrypted vault data stored on the device, the attacker can brute-force the PIN:
the attacker can check whether decryption of \(c\) succeeds using the guessed PIN.
This brute-force will very likely be successful, since PINs are usually very low-entropy.
Now, granted, the key derivation function is PBKDF2 with 100000 iterations (+ HKDF), but that won’t help with a 4 digit PIN.
Bitwarden seems to be aware that PINs are low-entropy and that many PIN guesses are a problem: the client allows only 5 PIN unlock attempts.
However, this 5 guesses limit is enforced completely within the client’s logic: it relies on the attacker using the official Bitwarden client.
Instead, an attacker can directly attack the ciphertext \(c\) above, trying different PINs until the ciphertext successfully decrypts.
A proof of concept exploit for Linux only can be found here.
It uses the fact that the encryption is authenticated and checks whether the MAC verifies using the key derived from the guessed PIN.
It only tests the PINs 0000 through 9999, so you’ll have to use one of those if you want it to succeed.
Make sure to uncheck the “Lock with master password on restart” option (otherwise the required information would have to be read from the Bitwarden application’s memory, which is quite a different attack scenario).
It finds any 4 digit PIN in less than 4 seconds:
$ time ./target/release/bitwarden-pin
Testing 4 digit pins from 0000 to 9999
Pin found: 9999
./bitwarden-pin 81.73s user 0.03s system 2384% cpu 3.429 total
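To size a PIN or passphrase against this offline attack, the per-guess cost can be read off the timing above. The following is an added example, not part of the original post or its proof of concept; the function names, the one-year target and the sample PIN and e-mail are assumptions.

```python
import hashlib
import time

# Figures from the timing output above: 81.73 s of CPU time ("user") for the
# 10,000 candidates 0000-9999, at 2384% CPU, i.e. about 23.84 cores busy.
POC_CPU_SECONDS = 81.73
POC_GUESSES = 10_000
POC_CORES = 23.84

def poc_seconds_per_guess():
    """CPU cost of checking one candidate PIN on the machine in the post."""
    return POC_CPU_SECONDS / POC_GUESSES

def local_seconds_per_guess(iterations=100_000):
    """Time one PBKDF2-HMAC-SHA256 run locally (HKDF and MAC cost ignored).
    The PIN and e-mail below are constructed sample values."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"0000", b"user@example.com", iterations)
    return time.perf_counter() - start

def exhaust_seconds(alphabet, length, per_guess, cores):
    """Wall-clock time to try every secret of exactly `length` symbols."""
    return alphabet ** length * per_guess / cores

def min_length(alphabet, target_seconds, per_guess, cores):
    """Shortest secret whose full keyspace takes at least target_seconds."""
    length = 1
    while exhaust_seconds(alphabet, length, per_guess, cores) < target_seconds:
        length += 1
    return length

if __name__ == "__main__":
    cost = poc_seconds_per_guess()
    print(f"per guess: {cost * 1000:.2f} ms (post), "
          f"{local_seconds_per_guess() * 1000:.2f} ms (this machine)")
    year = 365 * 24 * 3600
    for name, alphabet in [("digits", 10), ("lowercase", 26),
                           ("diceware words", 7776)]:
        n = min_length(alphabet, year, cost, POC_CORES)
        print(f"{name}: {n} symbols to hold out one year on that machine")
```

The required length grows only logarithmically with attacker hardware, so treat the results as a floor and add margin.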
Bitwarden’s response
I’ve reported the issue to Bitwarden previously, but it was marked out of scope as it belongs to one of these categories:
Attacks requiring physical access to a user’s device
or
Scenarios that are extremely complex, difficult or unlikely when using already compromised administrative accounts, self-hosted server, networks or physical devices which would render much easier and alternate means of compromising the data contained within Bitwarden
This is however not entirely true: only the device-local encrypted vault data needs to be accessed.
If accessing device-local data is outside of the threat model, why are we encrypting these data at all? We might as well store them in plain text.
1. Inform better about the risk
The risk of this attack is relatively low (depending on your threat model): the attacker needs to gain access to the encrypted vault data stored on the device, and the user must configure Bitwarden in a specific way for the attack to be possible.
Dumpster diving could give access to these data when the disk has not been erased and no additional measures like full-disk encryption have been taken.
However, if someone gains access to the device data (e.g. through coercion) they can start a brute-force attack, and do not require you to ever enter the PIN/trust the device.
Advantages:
Disadvantage:
- PIN is brute-forceable when device data is obtained
2. Rely on a third-party to enforce an unlock attempt limit
Secret-share the master key with a backend that enforces an unlock attempt limit.
Advantages:
Disadvantages:
- Client needs to be online
- Access to the backend database and device allows immediate decryption (without a brute-force attack), the backend might be coerced into releasing the ciphertext
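A minimal sketch of option 2, as an added example that is not Bitwarden code and not part of the original post: the key is XOR-split so the on-disk share is pure randomness, and the backend counts failures before releasing its share. The names `Backend`, `pin_token`, `enroll` and `unlock` are hypothetical, and an authenticated, encrypted channel to the backend is assumed.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 5       # the limit the client enforces locally, per the post
ITERATIONS = 100_000   # PBKDF2 iteration count mentioned in the post

def pin_token(pin, email):
    """PIN-derived value shown to the backend (salt choice is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), email.encode(), ITERATIONS)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Backend:
    """Hypothetical server: stores one share and counts failed unlock attempts."""
    def __init__(self):
        self.records = {}

    def enroll(self, device_id, share, token):
        self.records[device_id] = {
            "share": share,
            "verifier": hashlib.sha256(token).digest(),
            "failures": 0,
        }

    def release(self, device_id, token):
        rec = self.records.get(device_id)
        if rec is None:
            return None                   # never enrolled, or locked out
        if hmac.compare_digest(rec["verifier"], hashlib.sha256(token).digest()):
            rec["failures"] = 0
            return rec["share"]
        rec["failures"] += 1
        if rec["failures"] >= MAX_ATTEMPTS:
            del self.records[device_id]   # share destroyed: master password needed
        return None

def enroll(backend, device_id, master_key, pin, email):
    """Split the key; only the returned random share is written to local disk."""
    device_share = secrets.token_bytes(len(master_key))
    backend.enroll(device_id, xor(master_key, device_share), pin_token(pin, email))
    return device_share

def unlock(backend, device_id, device_share, pin, email):
    backend_share = backend.release(device_id, pin_token(pin, email))
    return None if backend_share is None else xor(backend_share, device_share)
```

Because the device share is independent of the PIN, the local data gives no way to test a guess offline; the two disadvantages listed above still apply.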
3. Rely on some hardware security magic
Do the above (no. 2) in a Trusted Execution Environment, Intel SGX or something alike.
Advantages:
- Would likely work offline
Disadvantages:
- Not all platforms support hardware security magic
Using a long passphrase as a PIN in Bitwarden is safe today. However, Bitwarden puts little effort into communicating the risks of choosing a short low-entropy PIN.
Currently there’s very little information to be found about the PIN in Bitwarden documentation, and it’s not mentioned in the Security Whitepaper.
A motivated attacker (e.g. a dumpster diver) can recover entire Bitwarden vaults today, unless additional measures like full-disk encryption have been taken.