Slashdot Mirror

← Back to Stories (view on slashdot.org)

BlackBerry's Encryption Hacked; Backups Now a Risk

Posted by Soulskill on from the good-news-for-india dept.

GMGruman writes "InfoWorld blogger Martin Heller reveals that a Russian passcode-breaker developer has broken the encryption used in BlackBerry backups. That can help recover data when passwords are lost, but also gives data thieves access to a treasure trove of corporate secrets. And the developer boasts that it was easier to crack the BlackBerry encryption than it was to crack Apple's iOS."

6 of 120 comments (clear)

  1. Simple solution by Prune · · Score: 4, Interesting

    Back up to a non-encrypted IPD file and put it into a TrueCrypt volume--or better yet, don't back up to an insecure machine! This story would have been much more newsworthy if they had broken the actual phone's encryption, AES and elliptic curve D-H.

    --
    "Politicians and diapers must be changed often, and for the same reason."
    1. Re:Simple solution by mlts · · Score: 4, Interesting

      It is still a hole though, and one that is completely preventable. Most serious crypto products around uses key strengthening, be it KeePass with its variable number of rounds that are user selectable, TrueCrypt with its 1000 rounds, or iOS 4's 10,000 rounds. Heck, even the venerable crypt(3) mechanism had a number of rounds to slow down people running Crack over 20 years ago back before passwords were stored in /etc/shadow.

      How can this be fixed? Use a reasonable amount of rounds (enough so it slows down brute forcing, but not too many that it kills day to day normal operation.) Also, use a salt, so rainbow table pre-computation of keys is impossible.

      In the meantime, the parent poster probably has the best solution. For maximum security, add a cryptographic token and store a TC keyfile on that. This way, if someone tries to brute force the token's passphrase, they have 3-20 tries before the token permanently fries itself.

  2. Re:But... the playlists! by gstoddart · · Score: 2, Interesting

    Notice how the blackberry adds have shifted from being about business apps and security to how cool it is that you can edit a MP3 playlist.

    Whole thing smacks of desperation.

    Well, initially the Black Berry was a corporate device. Then a lot of consumers decided they want one so they could do messaging and email.

    However, Apple and other manufacturers have been making smart phones which have way more consumer features than business and have been correspondingly taking a lot of market share away from RIM. In fact, I heard analysts saying the other week that while sales of BlackBerries are growing, they're not growing as fast as Apple and Android phones are. So, their corresponding market share is decreasing even while their sales are increasing -- they're just not increasing as fast as the rest of the market.

    I'd say that they're getting very desperate. Like 'em or hate 'em, the iPhone and its ilk have become hugely popular for non business users -- arguably, a much larger market.

    Of course, if you want to schedule a meeting or use powerpoint, get a Black Berry (or a PC ;-).

    --
    Lost at C:>. Found at C.
  3. You're doing it the hard way. by McGregorMortis · · Score: 4, Interesting

    This "weakness" seems a little silly.

    You typically make your backups on your office desktop PC, and leave them there. But all the sensitive data in the backup file was already there on that same PC, in your corporate mailbox, completely unencrypted.

    Cracking a Blackberry backup file would be the hardest way to get access to that data.

  4. Down with blackberry by Anonymous Coward · · Score: 0, Interesting

    I can't believe anyone uses crackberries. We used them for a year and everyone has hated them. We bought Droid Incredibles for our office and love them so far. The only thing keeping blackberries around I would guess is the ability to lock them down with the BES server I believe its called. But they still suck....

    Down with Blackberry, Windows Mobile, etc hale to iOS and Android!!

  5. Re:But... the playlists! by Anonymous Coward · · Score: 1, Interesting

    How the hell is this "insightful?"

    Wake me up when Apple provides end-to-end encryption for e-mails. Oh that's right: they don't. That's why you don't see India or any other 3rd world country threatening to "shut off" iPhones. BBM isn't simply a stupid e-mail application accessing a POP3 server someplace.

    The iPhone is great for people who are distracted by shiny things. But don't fool yourself into thinking what RIM is doing is "nothing special."

    In addition, the summary is bogus. RIM's encryption has NOT been hacked, just some backup application. Were it that easy I don't think the Saudis would be kicking up the stink they are.