[apple-iphone] 1Password and the Linux security hole.

Saturday, May 29, 2010 2:13 PM By Livemail

 

If there are users here who have heard about the Ubuntu Linux "Lucid Lynx" iPhone security hole, and wondered whether their iPhone password manager was safe, I recently wrote to the makers of 1Password (since I have 1Password on both my Macs and my iPhones, managing my passwords).

I wrote:
> Perhaps you have already heard of the huge security hole recently discovered.
> Ubuntu Linux "Lucid Lynx" (the latest version) will mount and open even a turned-off, passcode-locked iPhone, allowing direct access to its entire contents.
>
> I believe 1Password for iPhone keeps my passwords encrypted until I enter the 1Password Master Password into the iPhone. I am concerned that, with this Linux attack, that Master Password itself could be discovered, rendering all the other passwords accessible.
>
> Is this correct? Is there something else I could be doing for security (besides not losing my iPhone)?

They replied:
> Thank you for taking the time to contact us. Yes, we are aware. You're right, keeping your iPhone close by is a good first step ;)
>
> Regarding the vulnerability, 1Password uses its own encryption. Whether your phone is protected by a PIN or not, your 1Password database is protected by a PIN and, in my cases, a master password as well. I imagine that any application data protected by the application's own password wouldn't be susceptible to this either.

Not satisfied, I wrote back:
> I guess what I was wondering was:
> Are the 1Password pin and master password kept somewhere where they are accessible to that Linux user?

They answered:
> Thanks for writing back. As far as I'm aware, your 1Password unlock code and master password are stored within the application and wouldn't be exposed to the file system, so the exploit couldn't gain access to them. We certainly don't store your details in the clear, so even if they were, they wouldn't be able to determine your details.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jim Saklad mailto:jimdoc@me.com
