Slashdot Mirror

← Back to Stories (view on slashdot.org)

BlackBerry's Encryption Hacked; Backups Now a Risk

Posted by Soulskill on from the good-news-for-india dept.

GMGruman writes "InfoWorld blogger Martin Heller reveals that a Russian passcode-breaker developer has broken the encryption used in BlackBerry backups. That can help recover data when passwords are lost, but also gives data thieves access to a treasure trove of corporate secrets. And the developer boasts that it was easier to crack the BlackBerry encryption than it was to crack Apple's iOS."

3 of 120 comments (clear)

  1. Simple solution by Prune · · Score: 4, Interesting

    Back up to a non-encrypted IPD file and put it into a TrueCrypt volume--or better yet, don't back up to an insecure machine! This story would have been much more newsworthy if they had broken the actual phone's encryption, AES and elliptic curve D-H.

    --
    "Politicians and diapers must be changed often, and for the same reason."
    1. Re:Simple solution by mlts · · Score: 4, Interesting

      It is still a hole though, and one that is completely preventable. Most serious crypto products around uses key strengthening, be it KeePass with its variable number of rounds that are user selectable, TrueCrypt with its 1000 rounds, or iOS 4's 10,000 rounds. Heck, even the venerable crypt(3) mechanism had a number of rounds to slow down people running Crack over 20 years ago back before passwords were stored in /etc/shadow.

      How can this be fixed? Use a reasonable amount of rounds (enough so it slows down brute forcing, but not too many that it kills day to day normal operation.) Also, use a salt, so rainbow table pre-computation of keys is impossible.

      In the meantime, the parent poster probably has the best solution. For maximum security, add a cryptographic token and store a TC keyfile on that. This way, if someone tries to brute force the token's passphrase, they have 3-20 tries before the token permanently fries itself.

  2. You're doing it the hard way. by McGregorMortis · · Score: 4, Interesting

    This "weakness" seems a little silly.

    You typically make your backups on your office desktop PC, and leave them there. But all the sensitive data in the backup file was already there on that same PC, in your corporate mailbox, completely unencrypted.

    Cracking a Blackberry backup file would be the hardest way to get access to that data.