Slashdot Mirror


BlackBerry's Encryption Hacked; Backups Now a Risk

GMGruman writes "InfoWorld blogger Martin Heller reveals that a Russian passcode-breaker developer has broken the encryption used in BlackBerry backups. That can help recover data when passwords are lost, but also gives data thieves access to a treasure trove of corporate secrets. And the developer boasts that it was easier to crack the BlackBerry encryption than it was to crack Apple's iOS."

9 of 120 comments

  1. Re:Simple solution by mbourgon · · Score: 4, Informative

    Um, no. My last two jobs mandated them. They work exceptionally well in a business environment, and while I love the iPhone it's not yet as good for the enterprise. So for personal use, "don't get one hurr" may work, for the majority of bberry users it's not an option. That being said, most users don't back it up - if you're tied to exchange, all the important stuff is synched to it and all you need to do with a new bberry is to associate it to the same acct.

    --
    "Sometimes a woman is a kind of religion, she can save your soul & set you free from all your sins" - Bad Examples
  2. Not "encryption hacked" by blueg3 · · Score: 5, Informative

    The encryption itself is just fine (at least, for now). While it's interesting that the data is transmitted in the clear and then encrypted by the backup software, they don't propose exploiting this (which would be an inconvenient attack).

    This is simply a brute-force password cracker that's specific to BlackBerry backups. It's not particularly specific, either, as the backups are encrypted with AES and the key is derived from a password using the standard PBKDF2. There are tons of PBKDF2-crackers out there (like coWPAtty). The surprising thing is that they only use single-iteration PBKDF2, which is a joke.

    This, incidentally, is what is meant by the statement in TFS that cracking BlackBerry backup passwords is easier than cracking iOS passwords. Difficulty in password cracking (amount of computational time per password) for PBKDF2 is roughly proportional to the number of iterations. IIRC, WPA uses 4096, Apple's FileVault uses 1000, and BlackBerry backups apparently use 1.

  3. Re:Simple solution by blueg3 · · Score: 2, Informative

    PBKDF2, which the BlackBerry backups use, always uses a salt. One round is a joke, though. The 4096 rounds of WPA aren't really sufficient, and the 1000 rounds of FileVault are really a mistake.
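To make the iteration-count point in the two comments above concrete, here is an added Python example (not from the thread, and not code from BlackBerry, Apple or ElcomSoft) that derives a key with PBKDF2-HMAC-SHA1 at 1, 1000 and 4096 iterations, checks the output against the published RFC 6070 test vectors, and measures how many candidate passwords per second each setting allows on the machine it runs on. The iteration counts attributed to BlackBerry backups and FileVault are taken from the comments as claims, not verified; the backup format's actual PRF is not stated in the thread, so SHA-1 is used here only because WPA uses it and RFC 6070 gives known answers for it. The salt, candidate passwords and 26^7 keyspace are constructed for illustration.

```python
import hashlib
import time

# Iteration counts as stated in the thread; treated here as claims, not verified facts.
ITERATION_CLAIMS = {
    "BlackBerry backup (as claimed)": 1,
    "Apple FileVault (as claimed)": 1000,
    "WPA/WPA2 PSK": 4096,
}


def derive_key(password: str, salt: bytes, iterations: int, dklen: int = 20) -> bytes:
    """PBKDF2-HMAC-SHA1 with the given salt and iteration count.

    A salt is always present (PBKDF2 requires one), so precomputed tables do not
    help; the iteration count is what sets the per-guess cost.
    """
    if iterations < 1:
        raise ValueError("PBKDF2 requires at least one iteration")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen)


def guesses_per_second(iterations: int, salt: bytes = b"constructed-salt", trials: int = 50) -> float:
    """Measure how many candidates per second one core can test at this iteration
    count. Each trial derives a key for a distinct constructed candidate."""
    start = time.perf_counter()
    for i in range(trials):
        derive_key(f"candidate{i}", salt, iterations)
    elapsed = time.perf_counter() - start
    return trials / elapsed


def relative_cost(iterations_a: int, iterations_b: int) -> float:
    """Per-guess cost is linear in the iteration count, so the slowdown imposed by
    moving from setting A to setting B is simply their ratio."""
    return iterations_b / iterations_a


def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace / rate


if __name__ == "__main__":
    salt = b"constructed-salt"
    for label, iters in ITERATION_CLAIMS.items():
        rate = guesses_per_second(iters, salt)
        # 7 lowercase letters: 26**7 candidates, a deliberately small keyspace
        worst = seconds_to_exhaust(26 ** 7, rate)
        print(f"{label:32s} {iters:5d} iterations: {rate:12,.0f} guesses/s, "
              f"26^7 keyspace exhausted in {worst / 86400:.2f} days on this core")
    print("1 -> 4096 iterations slows each guess by", relative_cost(1, 4096), "x")
```

Run it as a script to see the per-core rates; the ratio between the 1-iteration and 4096-iteration lines is the factor the second comment is describing. The RFC 6070 vectors pin the derivation down, so a port of this to another PBKDF2 library can be checked the same way.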

  4. Re:But... the playlists! by Anonymous Coward · · Score: 1, Informative

    Ahhhhh I wouldn't say that necessarily. Flash? Remote Desktop to a Linux tower or server? Enterprise server?

    Yes, that may not entice the "average" user, whatever that happens to be, who may not see the need for such things, but that is why there are options.

    I love my BlackBerry. I put my professors' PowerPoints and my notes on it to study wherever I'm at. I have it set up to run my tower at home. I use it as a USB mass storage device as well, so I don't have to worry about forgetting my USB drive at home. This may be accomplished using another phone, but setting up my personal, free enterprise server at home cannot be. With the exception of Android, where else can you create your own hybrid operating systems for your phone? Or update it with any operating system created by any phone manufacturer, not just my own? Plus the business uses; might as well get used to using this phone now, instead of when I get a job where they're required? (Although rare, could happen. Happened to my boyfriend, but he already had one as well and did not have to buy one.)

    I am admitting I am a BlackBerry fangirl, but hey, I found the perfect phone for me. I also admit I'm not a fan of "pretty" but a fan of functionality. Also, operating systems are my favorite aspect of CS, so naturally I'm drawn to this. (I've tried Android a few times by mounting it on my netbook, and so far, not so impressed, to be honest.) Perhaps BlackBerry is more for the power user, Android in between, and iPhone for the "average". Whatever floats your boat.

  5. Why Blackberry still works by markdowling · · Score: 4, Informative

    Remote Application Deployment from BES
    Application Policies
    Applications can be installed from PCs or BES, not just The Apps Steve Likes
    They sell an integrated keyboard, or a narrow-factor phone, not just The Touchscreen Steve Likes

  6. Decryption Snake Oil, or Panic? by ratboy666 · · Score: 3, Informative

    So, it takes 3 days to crack the 7 character password. Adding 8 characters to the set (say, !@#$%^&*) would then increase that 3 days to... 2^21 more effort. Or, roughly 3 to 4 million days. Seems from the discussion that elcomsoft was able to brute force quickly (millions of passwords per second).

    Add a few more characters and the effort to brute-force the thing goes up... exponentially. Unless, of course, elcomsoft has actually "cracked" the encryption, and not simply reduced the time to try a key.

    What I would warn about is my "usual" advice for password generation, (optional random character) word (optional random character) word (optional random character), because, as far as I can tell, that can now be broken by elcomsoft in 2 to 3 days (assuming they know that this is the pattern used, which we have to).

    Very curious to see a review of this (before panic sets in).

    ratboy666

    --
    Just another "Cubible(sic) Joe" 2 17 3061
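The comment above reasons about how alphabet size, length and a word-based pattern change the size of the space a brute-force tool has to search. Here is an added Python example (not from the thread or from ElcomSoft) that carries that arithmetic through as plain keyspace counting: worst-case days to exhaust a space at a given guess rate, the effort ratio from enlarging the character set, the ratio from adding length, and the size of the "(optional char) word (optional char) word (optional char)" pattern. The guess rate, dictionary size and separator-set size are constructed assumptions, not figures from the page; the 3-day and 2^21 claims in the comment are the commenter's own and are not reproduced here.

```python
import math

# Constructed assumption: a guess rate in the "millions per second" range the
# comment mentions. Real rates depend on hardware and on the KDF iteration count.
GUESSES_PER_SECOND = 3_000_000
SECONDS_PER_DAY = 86_400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length


def worst_case_days(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Days needed to try every candidate once; the average hit comes at half this."""
    return space / rate / SECONDS_PER_DAY


def alphabet_effort_ratio(base_alphabet: int, extra_symbols: int, length: int) -> float:
    """Multiplier on brute-force effort from adding `extra_symbols` to the alphabet
    while keeping the length fixed: ((n + k) / n) ** length."""
    return ((base_alphabet + extra_symbols) / base_alphabet) ** length


def length_effort_ratio(alphabet_size: int, extra_length: int) -> int:
    """Multiplier from adding `extra_length` symbols: n ** extra_length, which is the
    exponential growth the comment refers to."""
    return alphabet_size ** extra_length


def pattern_keyspace(dictionary_size: int, separator_choices: int) -> int:
    """Size of the pattern (opt char) word (opt char) word (opt char) when the
    attacker knows the pattern: each of three slots is empty or one of
    `separator_choices` symbols, and each word is one of `dictionary_size`."""
    return (1 + separator_choices) ** 3 * dictionary_size ** 2


def equivalent_random_length(space: int, alphabet_size: int) -> float:
    """How many uniformly random symbols from `alphabet_size` give the same space;
    useful for comparing a pattern against a plain random password."""
    return math.log(space) / math.log(alphabet_size)


if __name__ == "__main__":
    print(f"assumed rate: {GUESSES_PER_SECOND:,} guesses/s")
    for alphabet, label in ((26, "lowercase"), (62, "alnum"), (70, "alnum + 8 symbols")):
        for length in (7, 8, 10):
            days = worst_case_days(keyspace(alphabet, length))
            print(f"{label:20s} length {length:2d}: {days:14,.2f} days worst case")
    print("62 -> 70 symbols at length 7 multiplies effort by",
          f"{alphabet_effort_ratio(62, 8, 7):.2f}")
    print("one extra character on a 62-symbol alphabet multiplies effort by",
          length_effort_ratio(62, 1))
    # Constructed: a 10,000-word dictionary and 8 possible separator symbols
    space = pattern_keyspace(10_000, 8)
    print(f"word-pattern space: {space:,} ({worst_case_days(space):.2f} days), "
          f"about {equivalent_random_length(space, 62):.1f} random alnum characters")
```

The last line of output is the one to look at when judging a password policy: a memorable pattern is only as strong as the number of random alphanumeric characters it is equivalent to, and that equivalence drops sharply once the pattern itself is assumed known.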
  7. Re:But... the playlists! by Anonymous Coward · · Score: 0, Informative

    To be honest, Bill was right. That would be a breakthrough.

  8. Re:But... the playlists! by Anonymous Coward · · Score: 1, Informative

    You fail.

    10 in base 10 is 10.
    2 in base 2 is 10.

    Get the pattern?

  9. Re:But... the playlists! by Anonymous Coward · · Score: 2, Informative

    10 in base 10 -> 10
    2 in base 2 -> 10
    16 in base 16 -> 10

    pi in base pi .... -> 10 ....