The Russian software developer ElcomSoft, along with its Russian competitor AccentSoft, has created password-cracking programs targeting BlackBerry, extending ElcomSoft's Phone Password Breaker, which previously worked only on iPhone devices. The software cuts both ways: it can help you recover data from your backup should your BlackBerry get stolen, but in the wrong hands it can leave you exposed.
The following was stated by the ElcomSoft CEO Vladimir Katalov (via InfoWorld):
“All data transmitted between a BlackBerry Enterprise Server and BlackBerry smartphones is encrypted with a highly secure AES or Triple DES algorithm. Unique private encryption keys are generated in a secure, two-way authenticated environment and are assigned to each BlackBerry smartphone user. Even more, to secure information stored on BlackBerry smartphones, password authentication can be made mandatory through the policies of a BlackBerry Enterprise Server (by default, password authentication is limited to ten attempts, after which the smartphone is wiped clean with all its contents erased). Local encryption of all data, including messages, address book and calendar entries, memos and tasks, is also provided, and can be enforced via the IT policy as well. With the supplied Password Keeper, Advanced Encryption Standard (AES) encryption allows password entries to be stored securely on the smartphone, enabling users to keep their online banking passwords, PIN codes, and financial information handy — and secure. If that’s not enough, system administrators can create and send wireless commands to remotely change BlackBerry device passwords, lock or delete information from lost or stolen BlackBerries.” (BlackBerry smartphones, to be correct, Vladimir.)
But the weak point of this starts with the offline backup mechanism. Katalov also goes on to say:
“Backup encryption uses AES with a 256-bit key. So far, so good. An AES key is derived from the user-supplied password, and this is where the problem arises.
In short, the standard key-derivation function, PBKDF2, is used in a very strange way, to say the least. Where Apple has used 2,000 iterations in iOS 3.x, and 10,000 iterations in iOS 4.x, BlackBerry uses only one. Another significant shortcoming is that it’s BlackBerry Desktop Software that encrypts data, not the BlackBerry device itself. This means that the data is passed from the device to the computer in a plain, unencrypted form. Apple devices act differently; the data is encrypted on the device and never leaves it in an unencrypted form. The Apple desktop software (iTunes) acts only as a storage and never encrypts/decrypts backup data. This is quite surprising since the BlackBerry platform is known for its unprecedented security, and we’ve been expecting BlackBerry backup protection to be at least as secure as Apple’s, which turned out not to be the case.
What does that mean for us? We can run password recovery attacks on BlackBerry backups really fast — even without GPU acceleration, we can go over millions of passwords per second.”
In other words, they can crack a seven-letter mixed-case password in about three days; it takes longer if the password also contains digits or special characters or is longer, and less time if it is all one case, is partially known, or can be found with a dictionary attack. Pretty scary, isn’t it? It’s even more unsettling to think that they found such a weakness and were able to turn it into a working tool. What are your thoughts about it?
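The figures above come down to two numbers: how many PBKDF2 iterations each password guess costs, and how many candidate passwords there are. The following is an added example, not ElcomSoft's tool or any BlackBerry code, that measures the per-guess cost at one iteration versus the 10,000 that iOS 4.x uses, and works out the 52^7 keyspace of a seven-letter mixed-case password. The hash (HMAC-SHA1), the salt and the 4,000,000 guesses-per-second rate are constructed assumptions chosen so the output can be checked against the RFC 6070 PBKDF2 test vectors and against the "millions per second" figure quoted in the post; they are not the real backup parameters.

```python
"""Added example (not ElcomSoft's or BlackBerry's code): how the PBKDF2
iteration count changes the cost of every password guess, and what that
means for the keyspace sizes discussed in the post."""
import hashlib
import time

# Iteration counts quoted in the post.
BLACKBERRY_ITERATIONS = 1
IOS3_ITERATIONS = 2_000
IOS4_ITERATIONS = 10_000


def derive_key(password: bytes, salt: bytes, iterations: int, length: int = 20) -> bytes:
    """PBKDF2-HMAC-SHA1 key derivation. SHA1 is an assumption made here so
    that the output can be checked against the RFC 6070 test vectors; the
    real backup format's hash and salt are not given in the post."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, length)


def derivations_per_second(iterations: int, samples: int = 20) -> float:
    """Measure how many password-to-key derivations one CPU core can do per
    second at a given iteration count (a rough, machine-specific figure).
    Each sample uses a different constructed password so nothing is cached."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(b"guess%d" % i, b"salt", iterations)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return samples / elapsed


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols drawn from
    an alphabet of `alphabet_size` symbols (52 for mixed-case letters)."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every password of the given shape at `rate`
    guesses per second. Defenders use the same arithmetic to pick an
    iteration count that makes `rate` small enough."""
    return keyspace(alphabet_size, length) / rate


if __name__ == "__main__":
    fast = derivations_per_second(BLACKBERRY_ITERATIONS)
    slow = derivations_per_second(IOS4_ITERATIONS)
    print(f"1 iteration:       {fast:,.0f} derivations/s")
    print(f"10,000 iterations: {slow:,.0f} derivations/s "
          f"(each guess about {fast / slow:,.0f}x more expensive)")
    # Seven mixed-case letters: 52^7 candidates. The 4,000,000 guesses/s rate
    # is a constructed figure in the "millions per second" range the post cites.
    days = seconds_to_exhaust(52, 7, 4_000_000) / 86_400
    print(f"52^7 = {keyspace(52, 7):,} candidates; about {days:.1f} days at 4M guesses/s")
```

Running it shows the two halves of the problem: with a single iteration, a guess costs one HMAC evaluation, so the attacker's rate is limited only by hardware, and at a few million guesses per second the whole 52^7 space falls in roughly three days, which matches the timing quoted above. Raising the iteration count to 10,000 multiplies the cost of every guess by about the same factor, which is exactly the knob a backup format is expected to turn; when reviewing any password-based encryption, the iteration (or memory-hardness) parameter is the first thing to check.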
I suppose my theory would be that as a BIS user, if you were to keep your PC online for updating only, back up your device on that PC only, and keep it offline the rest of the time except to update, then you would be able to keep your backups safe. As a BES user, I don’t believe that’s possible since you are connected to the enterprise. I have to wonder how this would apply to the BlackBerry Protect that BlackBerry has in private beta. Any thoughts?
[story via: InfoWorld]