06-23-14 08:19 AM
  1. Black-Buried's Avatar
    Baffled by the OS 10 way of Encrypting the Device.

    I own both a Q5 and a Z10, both with 10.2.1.2941
    As I recently discovered, after testing, both phones' data, although with Device Encryption turned ON, are Not Encrypted, and can be copied without the need to enter a Device Password after I connected the phones with a USB cable to a PC.

    Here are my case data:
    Q5 SQR100-2 OS 10.2.1.2941
    Z10 STL100-2 OS 10.2.1.2941
    --------------------------------------------
    Device Password = ON
    Media Card Encryption = ON
    Media Card = Not Present on any of the Q5/Z10
    Picture Password = OFF
    Smart Card Authenticator = OFF
    Allow Apps from Other Sources to be Installed = ON
    Wi-Fi = OFF
    Bluetooth = OFF
    NFC = OFF
    Mobile Hotspot = OFF
    Internet Tethering = OFF
    BB Link = ON
    BB Link Use Mobile Network = OFF
    Paired Computers = 0
    Developer Mode = OFF
    Parental Control = OFF
    PC Environment:
    WIN 7 Ultimate SP1 x32bit
    Using both Bitlocker and EFS encryption.
    Blackberry Link v.1.2.3.48
    --------------------------------------------

    Now that I have exhausted the settings that I believe could have something to do with the problem, let me describe the problem itself.
    After purchasing a Q5 and a Z10, both used, I did the rest:
    1. Security wipe.
    2. Insert SIM & register with Mobile Network.
    3. Input a Device Password (alphanumeric).
    4. Enable Device Encryption.
    5. Enable Media Card Encryption (although never inserted one).
    6. Installed BB Link on my computer.
    7. Linked my 9810s and backed them up.
    8. Linked my new Q5 & Z10 and partially restored the data from my 9810s (not all were transferred though and of the data transferred, not everything was correctly transferred, like notes and some alarms).
    9. Passwords were asked by BB Link on my PC for both the old and the new phones, and entered appropriately.
    10. Each time I disconnect and reconnect the phones, passwords are being asked also.
    11. Backed up my new phones, with the data from my old 9810 in them.
    So far, everything was looking fine.
    But then I remembered something that had occurred to me using OS 7 some 2+ years ago. Back then when connecting the 9810 with Desktop Software to my Computer WIN XP Pro SP3, I found out that if I use the USB Drive mode on my phone, and not copy the data through the Desktop Software (after entering the Device Password), then the data copied in my 9810 were not Encrypted, hence the Orange Padlock sign on each file I transferred like that, was not present on the file thumbnail.
    So in order for the data you transfer to your OS 7 mobile phone to be Encrypted, you have to do that through the Desktop Software after of course entering the appropriate Device Password.
    Having seen that behavior in the past, I decided to give it a check with the new OS 10.

    So I:
    1. Restarted my computer and then didn’t even start the BB Link.
    2. Restarted both Q5 & Z10
    3. Didn’t even enter the SIM card PIN so the SIM card didn’t register with the Carrier, nor the Device Password. So both phones are Locked and without any kind of Network Coverage, not 3G/4G, not Wi-Fi, Bluetooth, not even GPS.
    4. Now the only available way to connect with the phones is with a USB cable, which the user cannot change whether to allow or not. The only setting allowed is to choose between Windows PC or Mac connection, from the phone's connection menu.
    5. When each phone is connected, the Device Password is asked. I didn’t enter any Device Password, and skipped the Device Password Confirmation Boxes.
    6. And then … !!! to my astonishment, I discovered that a small taskbar notification Pop Up informed me that the new hardware found was recognized and assigned the drive letter Z: !!!
    7. Checked drive Z: and there they were, almost all of my phone data, pictures, camera, documents, downloads, videos etc. (Contacts, Calendar, emails, I didn’t find).

    Now to make it clear again, BB Link is not running (as a program).

    There are processes running in the background:
    1. BB Link Auto Update
    2. BB Link Helper
    3. BbDevMgr (obviously from Desktop Software, which is still present but not compatible with OS 10 Devices).
    But the computer is restarted, and no Device Password is entered either in BB Link (in spite of being asked for them) or on the Phones themselves; the phones are locked without any kind of signal.

    I went through all the settings I thought of as being relevant to this, but found nothing that I could change and see a difference.
    Then I decrypted my Q5 and encrypted it again from within the phone settings. Went through all the previous steps again, and the result was the same. The data was there, free for anyone to take.

    So now I’m really baffled by the finding.

    Normally it’s not a hardware problem, since both phones have the same behavior.
    It shouldn’t be normal for the Program (BB Link) to remember the Device Password, since I restarted the PC and since I’m asked for the Device Password and I don’t enter it. So I don’t think it’s a Permanent Pair PC/Phone Device thing, since I’m asked for the Device Password again and since it would be outrageous for a program to work in this way.
    Right now I’m out of ideas; the literature that I could find is very limited and poor. So now the only thing coming to my mind is that someone with Device Encryption turned ON could check whether this is a common behavior.
    Because if that’s the case, pretty much plain and simple, the OS10 devices are partially unlocked.

    In any case thanx.
    Last edited by Black-Buried; 06-18-14 at 02:57 PM.
    serbanescu likes this.
    06-18-14 02:35 PM
  2. nah.uhh's Avatar
    I think you may have told BlackBerry Link to remember your device.
    I don't use BlackBerry Link.. but I think you have to "forget device" and next time don't link the device to the computer
    06-18-14 02:51 PM
  3. Superdupont 2_0's Avatar
    Bypassing the password is already a security hole, although still on your own computer.

    Would be interesting to see if you can reproduce it on another computer (preferably without BlackBerry Link installed).

    Will try to reproduce that by myself.
    06-19-14 05:01 AM
  4. serbanescu's Avatar
    I tried and failed to reproduce it. Maybe I didn't copy all your settings.

    By the way, it's fairly hard for me to make the tests, BlackBerry Link refuses to detect the device 3 out of 4 attempts to connect it. I guess it would take a very patient data thief to break into the system

    --------------------

    Screen Timeout app - keep your BB10 screen awake as long as you need
    06-19-14 06:22 AM
  5. fadmin's Avatar
    I think encryption will not prevent you from seeing files on your bb storage but you won't be able to open anything stored and that is encrypted.
    06-19-14 06:51 AM
  6. Black-Buried's Avatar
    > I think you may have told BlackBerry Link to remember your device.
    > I don't use BlackBerry Link.. but I think you have to "forget device" and next time don't link the device to the computer

    No such option in BB Link.
    But even if it's somewhere I can't find it, it simply shouldn't exist.

    BB Link is like BB Desktop for OS 7 and lower, in the way of finding a device in its interface. The device is discovered so forgetting it means you need to rediscover the phone again and redo the settings for each device (Backup settings, Sync settings etc) every time you connect it. So that's not an option obviously.
    The problem is not forgetting it, it is that it should ask for a password each time I reconnect any phone to my PC.
    Imagine having to leave my office, and lock my phone, but don't lock my PC, then anyone can connect and take the data in it.
    The old timer BB Desktop for OS 7, in case the job took longer than the time one had set in his phone to lock, and then wanted to do something else with the phone, keeping the phone connected with the USB cable all that time, it would ask you to re-enter the password.
    06-19-14 06:54 AM
  7. Black-Buried's Avatar
    > I think encryption will not prevent you from seeing files on your bb storage but you won't be able to open anything stored and that is encrypted.

    Nope,
    I thought of that myself too, so I have tried and successfully made some file copies.
    I also checked that the files that I had copied to my PC were working, and they were. (Because I had to eliminate the possibility of them still being scrambled)
    06-19-14 06:58 AM
  8. Black-Buried's Avatar
    > I tried and failed to reproduce it. Maybe I didn't copy all your settings.
    >
    > By the way, it's fairly hard for me to make the tests, BlackBerry Link refuses to detect the device 3 out of 4 attempts to connect it. I guess it would take a very patient data thief to break into the system
    >
    > --------------------
    >
    > Screen Timeout app - keep your BB10 screen awake as long as you need

    Well if that will comfort you :-) yes BlackBerry Link is stubborn on my computers also. On one it refuses to install properly, on the other it's just a matter of luck whether it detects the devices or not. So yes, it's not you, it's BlackBerry Link :-)
    That's the reason I can't reproduce it myself on another computer.
    So in the event that it successfully detects your phone, and if it's still locked and W/O entering any password in BB Link, have you checked Explorer (or whatever program you are using for file browsing) to check that the phone is not assigned a drive letter?

    Also do you have any AV software? Mine, which is ESET Smart Security v5.0.95.0, after connecting the phone with the USB cable, detects the new network and asks me to either accept it as a Public or a Home network. I set it to Home and then a POP Up for the drive letter is shown
    06-19-14 07:07 AM
  9. serbanescu's Avatar
    > Well if that will comfort you :-) yes BlackBerry Link is stubborn on my computers also. On one it refuses to install properly, on the other it's just a matter of luck whether it detects the devices or not. So yes, it's not you, it's BlackBerry Link :-)
    > That's the reason I can't reproduce it myself on another computer.
    > So in the event that it successfully detects your phone, and if it's still locked and W/O entering any password in BB Link, have you checked Explorer (or whatever program you are using for file browsing) to check that the phone is not assigned a drive letter?
    >
    > Also do you have any AV software? Mine, which is ESET Smart Security v5.0.95.0, after connecting the phone with the USB cable, detects the new network and asks me to either accept it as a Public or a Home network. I set it to Home and then a POP Up for the drive letter is shown

    When it is detected and the password pop-up appears, I click on "Cancel" and nothing happens - no drive letter is assigned, the device is not visible in Windows Explorer (which is the expected, correct behavior).

    --------------------

    Screen Timeout app - keep your BB10 screen awake as long as you need
    06-19-14 07:13 AM
  10. nah.uhh's Avatar
    > The device is discovered so forgetting it means you need to rediscover the phone again and redo the settings for each device (Backup settings, Sync settings etc) every time you connect it. So that's not an option obviously.
    > The problem is not forgetting it, it is that it should ask for a password each time I reconnect any phone to my PC.
    > Imagine having to leave my office, and lock my phone, but don't lock my PC, then anyone can connect and take the data in it.

    Precisely why I don't use BlackBerry Link ^.

    Also the forget device option is.. I think.. at the bottom of BlackBerry Link there is a tab that shows your device name. Opening the menu on that tab should give a forget device or remove device option.

    Also.. try enabling the 'access using wifi' in the storage and access settings.. might work.. the password set there is the password I have to enter to mount my device on Linux.
    06-19-14 07:14 AM
  11. Black-Buried's Avatar
    Well, my bad, when writing "Forget Device" I meant forgetting the credentials, when yes the Forget is there in both the new and the old BB desktop software. But it is meant to forget the settings for that device (PIN, Device Name, Backup & Sync settings).
    So yes there is, but it's not relevant, because if it even is relevant and with the above settings it is saving the password also, then something is not right.

    > Precisely why I don't use BlackBerry Link ^.
    >
    > Also the forget device option is.. I think.. at the bottom of BlackBerry Link there is a tab that shows your device name. Opening the menu on that tab should give a forget device or remove device option.
    >
    > Also.. try enabling the 'access using wifi' in the storage and access settings.. might work.. the password set there is the password I have to enter to mount my device on Linux.
    06-19-14 07:23 AM
  12. fadmin's Avatar
    Actually there is a way. If you ever used link with that device in the left pane you should see what device was connected to it in the past. Click on the photos of the device and once right pane displays, there would be an option to remove device.
    I basically did it and closed all rim/bb related tasks. Connected device and could not even map the device any more. When I opened link it prompted me for a password. Canceled it and could not see anything. So there may be a reason why it "remembers" if device was successfully connected once in the past.
    06-19-14 07:27 AM
  13. Ed Gar's Avatar
    You lost me in "exhausted..

    BBQ10
    fadmin likes this.
    06-19-14 07:34 AM
  14. Black-Buried's Avatar
    OK, I get what you are saying, and am going to try that also, but right now, since it's the only properly working BB Link I've got so far, if something happens and I lose connectivity I will be entirely lost.
    Also at that point, and although you are probably right with what you are saying, this is not so important. The important thing is that we shouldn't do that in order to have our protection enabled. One shouldn't register his phone with the BB Link every time he needs a back up and do all the settings from the beginning.
    Added to that, if the behavior I have found is indeed typical and not a problem of my way of connecting the phones and setting the settings (which I honestly hope so), that means that any computer one has successfully connected his mobile phone to once keeps being a backdoor to this phone, if you don't go and forget the device.
    If it's working like that, it is the first example of anything carrying a password to be paired with a machine without the need of entering the password. Imagine for example that the behavior is the same with your local ATM and your Cash Card. So then anyone could use it there. I really don't think Blackberry could work it out like this, it's not security at all.
    So there must be a setting I wrongly set, or something else I wrongly did. And actually that's what I'm trying to find.
    That's why I turned off all WiFi and Bluetooth and NFC, in case the mobile phone was paired with my computer through them and so it is skipping the Device Password. I even closed the 3G/GSM in case the BB Link was using this for authenticating the device.

    > Actually there is a way. If you ever used link with that device in the left pane you should see what device was connected to it in the past. Click on the photos of the device and once right pane displays, there would be an option to remove device.
    > I basically did it and closed all rim/bb related tasks. Connected device and could not even map the device any more. When I opened link it prompted me for a password. Canceled it and could not see anything. So there may be a reason why it "remembers" if device was successfully connected once in the past.
    06-19-14 07:59 AM
  15. nah.uhh's Avatar
    > that means that any computer one has successfully connected his mobile phone to once keeps being a backdoor to this phone, if you don't go and forget the device.
    >
    > So there must be a setting I wrongly set, or something else I wrongly did. And actually that's what I'm trying to find.

    When you connect the device either for the first time (or for the first time after using "remove device") it will ask you to set the device up and give two options. - one is essentially 'remember forever' while the other is 'one time use'
    06-19-14 08:10 AM
  16. Black-Buried's Avatar
    Yes I saw that setting, but does that mean it saves the Password as well?
    I've chosen "Remember for Ever".
    I can't find documentation for that setting.

    Posted via CB10
    06-19-14 09:28 AM
  17. serbanescu's Avatar
    I managed to reproduce the behavior consistently several times and I came to the conclusion that this is how BlackBerry wanted BlackBerry Link to behave - if you don't choose the option to forget the device, BlackBerry Link would remember the password and use it every time the device is connected, without prompting the user to enter the password.

    That said, I am of the opinion that this solution is wrong and if you have a password on your device, BlackBerry Link should ask for that password every time you connect the device to your PC.

    The simplest workaround for those concerned with their data security would be to lock your PC every time you leave the room (which is the standard procedure for anyone working with sensitive data) if you are not taking your phone with you (which is not a good practice, anyway).

    I believe CrackBerry should have an article about this, also, because I'm sure there are BlackBerry 10 users out there who are not familiar with this behavior.


    --------------------

    Screen Timeout app - keep your BB10 screen awake as long as you need
    nah.uhh and Black-Buried like this.
    06-19-14 09:29 AM
  18. Black-Buried's Avatar
    Very much appreciate your prompt answer, actually now I can move on, knowing that this is the "Normal Behaviour" and not a fault of my actions. I had put both phones on hold till I got to know what was going on. And actually I waited till I was sure that it was really happening before posting it in CB. I googled also what I imagined I could find something about that, but couldn't find anything solving my questions.
    Now this of course is not proper behaviour, because if one is not a security buff like me and you obviously, then he assumes that everything is secured. Most people don't have acc login passwords, and even if they have, the majority of them haven't encrypted their data, so then even if you have your phone locked, and a Win Login Pass, the BB data are open to anyone.
    It's obvious that in order to achieve a level of security, you now have to:
    1. Encrypt your phone with a Device Password
    2. Use an Administrative acc in Windows
    3. Enable the Admin acc in win and set a password
    4. Set a password to your personal administrative acc
    5. Encrypt your data.
    6. Install BB Link
    7. Make sure it's saving its backup data in your encrypted folders
    Then yes you are somewhat safe.
    Although a behaviour of this kind in BB Link makes me wonder about bigger holes and glitches that might be around to discover.
    Most amazing of all is that the phone is locked but despite that, BB Link is unlocking it no questions asked. Which means, leaving your phone locked doesn't provide any security if your PC is unlocked. And let's say you are playing VLC and it doesn't go to sleep, so then your PC stays unlocked, and your phone also!!!

    Posted via CB10
    06-19-14 10:01 AM
  19. MrGlenn's Avatar
    I fail to see how this is an encryption error/failure/whatever.

    BBDevMgr is the program controlling the connection between your Desktop and BB10 device and handles any on-the-fly encryption/decryption when transferring files as long as the password has been entered. And it remembers this password as long as your Desktop has not rebooted.

    How is that unsecure, when the only possible way for people to get unencrypted data off of your device is if they have access to both your Desktop (running and unlocked) and Phone (USB connected) at the same time? While you are not around?

    BlackBerry 10 signed.
    rthonpm likes this.
    06-19-14 10:19 AM
  20. Black-Buried's Avatar
    Read the post carefully,
    -Computer is rebooted
    -Phone is locked

    Long post, but unfortunately you got to read it all


    Posted via CB10
    06-19-14 10:28 AM
  21. serbanescu's Avatar
    > I fail to see how this is an encryption error/failure/whatever.
    >
    > BBDevMgr is the program controlling the connection between your Desktop and BB10 device and handles any on-the-fly encryption/decryption when transferring files as long as the password has been entered. And it remembers this password as long as your Desktop has not rebooted.
    >
    > How is that unsecure, when the only possible way for people to get unencrypted data off of your device is if they have access to both your Desktop (running and unlocked) and Phone (USB connected) at the same time? While you are not around?
    >
    > BlackBerry 10 signed.

    A simple scenario would look like this:

    You are working as an "on site" consultant for a client, for a period of time.

    If you have worked for some of your client's competitors before, there is a very high probability that on your devices you'll have many files of high interest for your current client (competitors market data, business practices, product pipeline etc.). Maybe you prefer having much of those data on your phone so you'll have an easy access on every occasion.

    You just forgot to take your BB10 device with you when going to a short meeting, but you are not overconcerned because your BB10 phone is locked and encrypted.

    Well, if you forgot to lock your laptop too (highly unlikely, I must admit, in such a job, but not impossible) you may find that data on your phone were not that safe.


    --------------------

    Screen Timeout app - keep your BB10 screen awake as long as you need
    06-19-14 10:41 AM
  22. Black-Buried's Avatar
    And this is only one example.
    The list could go on and on with examples.
    To make the long story short, I was just wondering if that behaviour was normal or from my faulty actions, and since serbanescu reproduced it, it's the normal way for BB Link to work.
    Problems now are:
    1. It doesn't warn the user about the choices when he connects his devices with his PC for the first time. So that he knows what the consequences are.
    2. Talking about whether the program should ask for your Password or not is in the philosophical area only. When a device / Bank card or whatever is password protected, the user is expecting that if not entering the password, the device remains locked. If someone wants it in another way, the program could have that option too, but not by default.
    3. I don't know of any such example of devices being unlocked just because I was one time connected with them; even web browsers ask the user whether to remember the user name and password or not. Excel files etc could be open if one was logged in his Windows Acc. But they ask you for a password every time, and so do all the apps incorporating password security that I know of.
    4. Back then with BB Desktop SW OS7 I could have my phone backed up with an Encrypted Backup File, at my job or at a friend's house if for any reason I couldn't get to mine, and be sure that either my backup or my phone is safe. Now, this is not the case. You either do it with your PC with Security all turned on and set up appropriately or you don't do it at all.

    > A simple scenario would look like this:
    >
    > You are working as an "on site" consultant for a client, for a period of time.
    >
    > If you have worked for some of your client's competitors before, there is a very high probability that on your devices you'll have many files of high interest for your current client (competitors market data, business practices, product pipeline etc.). Maybe you prefer having much of those data on your phone so you'll have an easy access on every occasion.
    >
    > You just forgot to take your BB10 device with you when going to a short meeting, but you are not overconcerned because your BB10 phone is locked and encrypted.
    >
    > Well, if you forgot to lock your laptop too (highly unlikely, I must admit, in such a job, but not impossible) you may find that data on your phone were not that safe.
    >
    > --------------------
    >
    > Screen Timeout app - keep your BB10 screen awake as long as you need
    Last edited by Black-Buried; 06-19-14 at 11:35 AM.
    06-19-14 11:21 AM
  23. MrGlenn's Avatar
    My bad, I thought that you had said it did ask for a password after rebooting.

    Because it does work like that on my end. Each time I reboot my pc and restart BBLink/reconnect my device to USB it asks for my password. But as long as the PC is on (Sleep mode does not count against this) the password is indeed remembered. Even if I come back after a full day.

    So then I concede, it is something that should be brought to their attention. It cannot be that this is intended behaviour even after a reboot, not without a setting for it at least.

    BlackBerry 10 signed.
    06-19-14 04:17 PM
  24. Superdupont 2_0's Avatar

    > 5. When each phone is connected, the Device Password is asked. I didn’t enter any Device Password, and skipped the Device Password Confirmation Boxes.
    > 6. And then … !!! to my astonishment, I discovered that a small taskbar notification Pop Up informed me that the new hardware found was recognized and assigned the drive letter Z: !!!
    > 7. Checked drive Z: and there they were, almost all of my phone data, pictures, camera, documents, downloads, videos etc. (Contacts, Calendar, emails, I didn’t find).
    >
    > Now to make it clear again, BB Link is not running (as a program).

    Sorry to come back to this.
    My only problem is that the software obviously asked you for a password and although you skipped it, the device was mounted.

    If you (and others) can reproduce this, it MUST be a bug.
    Because there cannot be a "I did ask for your password, but you know, today I feel a bit crazy so I gonna mount your device even without it."-software.

    However security-wise it's not a problem, IMHO, because if your computer is compromised you have a much bigger problem.

    The encryption feature should protect your data when you lose your *mobile* phone (so ideally all mobile stuff should be always encrypted, there are numerous stories about lost usb sticks with sensitive data on it)...if people have unauthorized access to your machine, your smartphone security is not your biggest problem.
    06-20-14 10:39 AM
  25. undone's Avatar
    Something stuck out there for me. I don't use any encryption first off. When my device maps drives, it's two of them. One Flash (Z) the other SD (Y). Are both drives mapping?
    06-20-14 10:51 AM