Quicken’s secret backdoor?

Here’s one thing I bet the millions of Quicken users probably don’t know: Intuit has a secret back door that allows it to access your password-protected financial files — or so says Elcomsoft, a security software vendor based in Moscow.

Elcomsoft claims it has discovered the heretofore undisclosed back door to Quicken files, which would allow Intuit to open the files without a customer’s password. Elcomsoft also claims to have cracked the RSA encryption that protects the files. (Elcomsoft did not disclose how many millions of monkeys working on millions of computers it took to factorize the 512-bit key.)

Among other things, Elcomsoft sells password recovery software, so naturally it’s hawking a product that can allegedly strip the encryption from Quicken and allow users to access files after their password has disappeared down the memory hole.

According to Elcomsoft:

This backdoor allows Intuit to offer their own affordable service whereby Intuit will unlock a customer’s file. To deliver this service, Intuit uses a 512-bit RSA key known only to Intuit. Before Elcomsoft’s discovery of Intuit’s backdoor, Intuit was the only organization that could unlock their customers’ files.

“It is very unlikely that a casual hacker could have broken into Quicken’s password protection regimen,” said Vladimir Katalov, Elcomsoft’s CEO. “Elcomsoft, a respected leader in the crypto community, needed to use its advanced decryption technology to uncover Intuit’s undocumented and well-hidden backdoor, and to successfully perform a factorization of their 512-bit RSA key.”

Perhaps Intuit included the Quicken backdoor to make it possible for the United States Internal Revenue Service (IRS), FBI, CIA, or other law-enforcement and forensics organizations to use an “escrow key” to gain entry into password-protected Quicken files. Unfortunately, the existence of such a backdoor and escrow key creates a vulnerability that might leave millions of Quicken users worldwide with compromised bank account data, credit card numbers, and income information.

Elcomsoft says it has reported this vulnerability to US CERT.

What does Intuit have to say? Nothing yet — they haven’t gotten back to me. If and when they do, I’ll post their response here.

[UPDATE: Since posting this yesterday, I have heard briefly from both Elcomsoft and Intuit. My colleague Gregg Keizer has posted a news story with more details.

Here’s what Elcomsoft’s CEO Vladimir Katalov had to say about cracking the 512-bit encryption scheme:

Well, nowadays, 512-key is crackable in a very reasonable time. It took only about three weeks on 10 to 15 computers, and we could make it even faster — some of the computers were uptime only at non-working hours (at nights), and only a few were realy fast (dual-core). We have also spend (in total) about two weeks in preparing the data, merging the results (intermediate data collected on workstations) and some other work. And from 2 to 6 weeks (hard to say more exactly) understanding all the details of Quicken encryption (what particular data is encrypted, how the key is modified after encrypting every next block, where are the checksums and auxilary flags in data headers and how to set them etc) — it was really troublesome.

Here is Intuit’s initial response to my post:

As the report noted, Quicken already has very strong password protection. To date, we have seen no incidents where Quicken customer data has been compromised. We take all claims related to information security seriously and will conduct a thorough investigation related to this matter. If we determine that improvements are warranted, we will address them appropriately.

I suspect Intuit may have more to say later. As they say in the TV biz, stay tuned for further developments.]

Got other Quicken dirty tips? Post them belor or email them to me here. Top tipsters will receive some unencrypted swag for their troubles.