Russian Software Company Says Its App Can Crack BlackBerry Security

← Back to Stories (view on slashdot.org)

Russian Software Company Says Its App Can Crack BlackBerry Security

Posted by timothy on Sunday October 2, 2011 @04:25AM from the put-down-that-wrench dept.

AZA43 leaps into the ranks of accepted submitters, writing "Russian security software vendor Elcomsoft has released an app that it claims can determine BlackBerry handheld passwords. The software supposedly hacks the BlackBerry password via an advanced handheld security setting that's meant to encrypt data stored on a user's memory card. And a hacker doesn't even need to have the BlackBerry to determine a password, just the media card."

22 of 78 comments (clear)

Min score:

Reason:

Sort:

In Soviet Russia... by ksd1337 · 2011-10-02 04:29 · Score: 2

...software cracks YOU!
Do Russians contribute anything useful? by Beelzebud · 2011-10-02 04:38 · Score: 2, Insightful

It seems like the only time I read about anything Russians do with computer tech, it involves botnets, stealing passwords, and ripping off peoples bank accounts. Are there any Russians that contribute something positive to the world of software?
1. Re:Do Russians contribute anything useful? by thht · 2011-10-02 04:43 · Score: 2, Funny
  
  Kaspersky?
2. Re:Do Russians contribute anything useful? by Anonymous Coward · 2011-10-02 04:46 · Score: 4, Funny
  
  Are there any Russians that contribute something positive to the world of software?
  Tetris alone puts them way ahead of most countries.
3. Re:Do Russians contribute anything useful? by Osgeld · 2011-10-02 04:47 · Score: 2
  
  they have pinouts for everything!
  http://pinouts.ru/
4. Re:Do Russians contribute anything useful? by ripdajacker · 2011-10-02 04:53 · Score: 3, Insightful
  
  One might view the testing and breaking of security as a valuable contribution. How else will companies like RIM learn?
5. Re:Do Russians contribute anything useful? by fuzzyfuzzyfungus · 2011-10-02 05:37 · Score: 4, Funny
  
  I'm told that they are currently hunting for a third, because they think that a Mismanage à trois would be totally hot...
6. Re:Do Russians contribute anything useful? by Reservoir+Penguin · 2011-10-02 05:41 · Score: 2
  
  Parallels.
  
  --
  US-UK-Israel: The real Axis of Evil
7. Re:Do Russians contribute anything useful? by TheRaven64 · 2011-10-02 06:08 · Score: 2, Informative
  
  How did this borderline racist shit get modded up? Two of the biggest open source projects that I work on (LLVM and FreeBSD) have a lot of Russian contributors. You are almost certainly using code (at least partially) written by Russians on a daily basis.
  
  --
  I am TheRaven on Soylent News
8. Re:Do Russians contribute anything useful? by fatphil · 2011-10-02 07:29 · Score: 2
  
  Plenty working on Linux are from Russia too. The input layer subsystem is Dmitry Torokhov's ward, for example, and Artem Bityutskiy gave us UBI(FS). Not to mention a great number of footsoldiers contributing a whole host of drivers, features, fixes, etc. I've worked alongside a great many Russians, and they were highly skilled and rigorous engineers.
  
  --
  Also FatPhil on SoylentNews, id 863
9. Re:Do Russians contribute anything useful? by Hentes · 2011-10-02 08:26 · Score: 2
  
  If they disclose the vulnerability instead of just exploiting it than it's useful. Also, Russians are very good at IT in general, you just only hear about the hackers as they are the ones to make the news.
10. Re:Do Russians contribute anything useful? by gtall · 2011-10-02 11:48 · Score: 2
  
  Racist? Errrm...okay, I give up, how does casting aspersions on Russians constitute racism?
  The GP though should give the Russians a break. First the Tsars, then Stalin, and now Putin. Russkies do have a knack for finding the least capable people to run the country. Having a government which is the moral equivalent of La Cosa Nostra isn't a recipe for success. The Russkies should be hailed for still trying to succeed in spite of their leaders.
Not reliable... by hawkbat05 · 2011-10-02 04:39 · Score: 5, Interesting

If you actually read this one you'll realize it's useless if the card isn't encrypted (ironically) or the user chose one of the other 3 options. Plus this option is designed to be less secure so you can put the card in another device and decrypt it with just a password. I also wonder what character set is included in their claim of cracking a 7 character password in just hours. http://xkcd.com/936/
Re:I wonder how they managed that... by hawkbat05 · 2011-10-02 04:41 · Score: 2

They're brute forcing it
Re:someone cracks blackberry security by PsychoSlashDot · 2011-10-02 04:43 · Score: 5, Informative

news at 11...big freaking deal...
You act like this is either unimportant or not news. I'm not sure which.
Fact is while there's a lot of FUD floating around regarding things like RIM "caving in" and dropping BIS servers in questionable countries, there haven't actually been very many actual real-life exploits for the phones or their communications. Blackberry phone remains the only ones on the market that encrypt all data traffic by default and that encryption can't be disabled. If you're on BIS or if you're on BES, your unencrypted web traffic, e-mail traffic (even POP3) is encrypted at the device. That's still worlds ahead of the other devices.
There's reports that one exploit exists that can decrypt Password Keeper data from a phone backup on a PC. There's this report that discusses recovery of phone unlock passwords. There's the widely discussed and misunderstood reports about RIM dropping BIS MDS servers in unfriendly countries and what that allows (hint: it has zero to do with Blackberries not in those countries).
RIM's stuff is by and large still very, very secure by any comparison and their phones are unique in that regard. So the way I see it, this is both news (being a genuine security hack) and relevant (these phones being the best on the market).
So stuff your ignorant sarcasm.

--
"Oh no... he found the .sig setting."
Re:I wonder how they managed that... by Sqr(twg) · 2011-10-02 04:53 · Score: 3, Informative

The password is not stored in any form, of course. But if there's encrypted data on the card, and that data can be decrypted using only the password, then you can just try every possible password until you find one that doesn't result in gibberish. This is called a known-plaintext attack.
In other news by G3ckoG33k · 2011-10-02 05:38 · Score: 4, Funny

In other news "Other Russians Say They Cracked BlackBerry Years Ago" but kept mum about, for "financial and business reasons". ;)
Re:Why does this matter? by jkflying · 2011-10-02 05:40 · Score: 2

Dunno. Here in South Africa, everybody has a BB. In an average week I probably see 3 people posting their new BBM number on facebook. Just because the US all went iPhone doesn't mean the rest of the world particularly agrees.

--
Help I am stuck in a signature factory!
Re:someone cracks blackberry security by Bert64 · 2011-10-02 07:00 · Score: 3, Interesting

RIM stuff is largely security by obscurity at this point however, very few people have seemingly tried to pull their stuff apart, and the few that have didn't find good things, see the pwn2own contest from this year for one such example.
Android, iphone and even windows mobile devices are much easier to target because they are largely based on existing systems which are well understood... RIM are using a totally obscure black box that requires significant investment of time to reverse engineer. This doesn't mean it's secure, it just means that hackers will need to spend more time to find holes in it. On the other hand, it means that whitehats will also require more time to reverse engineer the system, whereas its highly possible that blackhats have already stolen the sourcecode.
Most devices provide the option to run a VPN between the handset and a server under your control, only RIM require that there be a server under their control sitting in between.
Most devices (RIM included) can also boot up and start talking to the network without requiring any user input, therefore the keys used for this encryption must be stored on the device somewhere, just waiting for someone appropriately skilled and motivated to work out how to extract them...

--
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Sergey Brin? by circletimessquare · 2011-10-02 07:12 · Score: 2

http://en.wikipedia.org/wiki/Sergey_Brin

--
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Blast to the past: Dmitry Skylarov by metallic · 2011-10-02 14:06 · Score: 4, Informative

Let's try not posting this as an Anonymous Coward by mistake.
This is the same company that employed Dmitry Skylarov, one of the first people to be arrested under the DMCA for breaking the encryption on Adobe's eBook format.
http://en.wikipedia.org/wiki/Dmitry_Sklyarov

--
Karma: Positive. Mostly effected by cowbell.
Notthing to see here... by Prune · 2011-10-02 15:42 · Score: 2

This is simply brute-forcing the password, relying on a short user password. It is only viable if the user has set up the phone security options in a weak way: selected to encrypt media card with user password only, rather than user password plus device key. So really there is nothing surprising in this attack. If you want good security on a Blackberry, it's a matter of setting it up in the options.

--
"Politicians and diapers must be changed often, and for the same reason."