Let me tell you about my BlackBerry security configuration(s)
BlackBerry Bold 9650 (non-camera model) with OS 6 is my daily driver. I have two security configurations that I alternate between. I use one of the configurations for a while (maybe a month or two) then switch to the other. The first configuration is the stronger configuration, because Contacts are encrypted.
Configuration 1
1. Options>Security>Password
* Check "Enable" (See Note 1)
* Number of Password Attempts: 10
* Lock After: 1 hour
* Check "Prompt on Application Install"
* Check "Allow Outgoing Calls While Locked" (See Notes 2 & 3)
* Uncheck "Lock Handheld Upon Holstering"
2. Options>Security>Encryption
Device Memory
* Check "Encrypt"
* Strength: Strongest (See Note 1)
* Check "Include Contacts" (See Notes 2 & 3)
* Check "Include Media Files"
Media Card
* Check "Encrypt"
* Mode: "Device Password & Device Key" (See important Media Card Encryption Note below)
* Check "Include Media Files"
Notes:
1. I use a twenty-one character password. This allows me to take advantage of the "Strongest" Device Memory encryption strength. In case you think it's inconvenient for me to enter it, it's not. I use a one hour security timeout, my BlackBerry is on my person most of the time, and rarely an hour goes by that I don't look at my BlackBerry. If it's locked, it's because I deliberately locked it. In any case, I'm a pretty fast typist.
2. I encrypt my contacts. That way I'm fine with allowing outgoing calls while the device is locked. If someone needs to use my BlackBerry to make a call, I can simply lock it, and he won't see my contact list start to populate when he starts to dial. (I have unlimited calling, so I'm not especially worried about a thief who might place a bunch of calls before I report the phone stolen to my carrier.) This setting also allows me to take advantage of the "Recent Activities" feature in the Contacts application without the concern that someone with UFED/Cellebrite equipment might be able to view any unencrypted recent activities stored in the Contacts application.
3. Password for voicemail is enabled and set to enter manually. Reason: when someone goes to place a call when the BlackBerry is locked and outgoing calls are allowed, he can still press the BlackBerry (menu) key and choose the "Call Voicemail" option; there's no way to disable this.
Configuration 2
1. Options>Security>Password
* Check "Enable"
* Number of Password Attempts: 10
* Lock After: 1 hour
* Check "Prompt on Application Install"
* Uncheck "Allow Outgoing Calls While Locked" (See Notes)
* Uncheck "Lock Handheld Upon Holstering"
2. Options>Security>Encryption
Device Memory
* Check "Encrypt"
* Strength: Strongest
* Uncheck "Include Contacts" (See Notes)
* Check "Include Media Files"
Media Card
* Check "Encrypt"
* Mode: "Device Password & Device Key" (See important Media Card Encryption Note below)
* Check "Include Media Files"
Notes:
1. When contacts are not encrypted, I don't allow outgoing calls while the BlackBerry is locked. Otherwise someone dialing a call will have access to all my contacts even while the BlackBerry is locked. Also, when Contacts are not encrypted, I don't enable the "Recent Activities" feature in the Contacts application. Though I don't know for sure, it's logical to conclude that someone with UFED/Cellebrite equipment who somehow circumvents the device password will be able to read any unencrypted data. If the "Contacts" application is unencrypted, it's likely the "Recent Activities" (emails, etc.) displayed therein are also unencrypted.
2. When I don't allow outgoing calls while the device is locked, I add a pause and password into my voicemail number for convenience. No one will be able to reach the dial out screen and "Call Voicemail" option without first entering my password.
3. When Contacts are not encrypted, I take full advantage of custom Contact Alerts; they'll work even when the Blackberry is locked. If Contacts are encrypted, any custom Contact Alerts will only work when the BlackBerry is unlocked.
Important Media Card Encryption Note
If it's imperative that you're able to view your encrypted media card files in a different BlackBerry, you must use "Device Password" as the media card encryption mode. If you use either of the other two encryption modes, you will not be able to view your encrypted media card files in any other BlackBerry ... ever! I have a mix of encrypted and unencrypted files on my media card. I transfer the encrypted files back and forth between BlackBerry and PC using BlackBerry Desktop Software 6. I transfer the unencrypted files between BlackBerry and PC using the USB (mass storage) mode.
Last edited by Tõnis; 12-30-11 at 07:18 AM. Reason: edited for typos and clarity
12-29-11 11:51 PM

Interesting read. I have one comment.
I read a while back a Russian company has found out how to hack into and break the encryption on a locked down BB. They have made this software available to the public. I assume for purchase. I read about it here on CB but can't remember if it was a blog or forum post.
If I remember right, their hack only works if the media card is encrypted.
For the best security it would seem best to leave the media card unencrypted and to store any files that HAVE to be secured in the device memory.
If I misunderstood what I was reading, I would appreciate it if someone would correct me. Most of the stuff concerning encryption and keys etc. is over my head.
12-30-11 06:41 AM

I'm really curious because you talk a lot about security. And, yes, I realize it's better to be safe than sorry. And I'll preface this by saying I keep my videos and pictures on gesture lock because if I put down my phone, I don't want my students picking it up and going through my pics or videos.
And I don't want a bicker back and forth like in the last thread.
But I'm genuinely curious as to what the benefit is of the average person password-protecting their phone that strongly. And is it a common activity that I haven't heard of that strangers asking to use your phone are installing something while you're watching them use your phone?
Don't get me wrong, I appreciate security. But I think other than the gesture lock on media, all I have is an app to GPS find/locate and remote wipe should my phone get stolen.
12-30-11 09:50 AM

That's a lot of security concern for the average person to worry about.
And, if you go through so much trouble to secure your phone, why even bother to let a stranger use it? At all? Ever? To be nice? Sure, that's fine and dandy, but you seem (no offense) overly paranoid about phone security and someone possibly stealing your info, be it by you losing your phone or letting a stranger use it for a 2 or 3 minute phone call.
I doubt the average person deciding on what phone they want, going by the recent smartphone trends (in the US at least), cares that much about security on their phones.
War Is All We Know
12-30-11 10:19 AM

avt123 (O.G.)
My security? Don't let other people touch my phone. Password lock comes on every time I lock my device and after 10 failed attempts it wipes. All my "highly sensitive" data is AES 256 bit encrypted. I also have Find My iPhone which allows for remote wiping.
I feel pretty safe this way. Although, I haven't really felt threatened on any smartphone.
12-30-11 10:31 AM

That being said, I don't like the OP's approach to security. I lock my phone so if I drop it or someone snags it they don't have access to my contacts. I have mine set to lock on holster and 2 minutes. I use a thirteen # password. It just so happens my password is that long. Anything over 7 chars is a strong password when using mixed #s and letters plus symbols. Lowering the attempts to 5 or below for a short password is really going to help against a brute attack. There's no reason for you to input your pw wrong that many times in a row.
As far as the media card goes you really shouldn't have anything on it that important. If you're using your card for a USB drive then encrypt it w/ software on the machine you'll use to view the files.
Posted from my CrackBerry at wapforums.crackberry.com
12-30-11 10:42 AM

Sith_Apprentice (Mod Team Emeritus)
It entirely defeats the purpose of a password (IMO) to have a timeout of 1 hour. I use a 15 digit password (complex) on my device and have the timeout set to 2 minutes. I also lock the device in my holster. This is my work device, but I am the admin so I can change it how I like lol. I allow my users a MAX of 15 min timeout with a minimum of 8 digit passcode. I also use encryption on the media card, contacts, and the file system.
12-30-11 11:25 AM

My concern is that employees will install an app that gathers unauthorized data from the phone and sends it to someone without the owner's knowledge. That is why BES policy does not allow app install by users, in addition to requiring encryption, strong passwords, and short timeouts. This is also the reason why corporate policy is to only allow BB to access corporate email, because we cannot control app install on other types of devices.
12-30-11 11:38 AM

I'm really curious because you talk a lot about security. And, yes, I realize it's better to be safe than sorry. And I'll preface this by saying I keep my videos and pictures on gesture lock because if I put down my phone, I don't want my students picking it up and going through my pics or videos ...
Michigan State Police are now using an advanced extraction device to download cell phone data from citizens at routine traffic stops.
Some people may be perfectly fine with the friendly revenue agent downloading and looking at all their personal data during a traffic stop, but I am not.
But I'm genuinely curious as to what the benefit is of the average person password-protecting their phone that strongly. And is it a common activity that I haven't heard of that strangers asking to use your phone are installing something while you're watching them use your phone?
I've heard people like BlackBerry Protect, but I don't generally like programs like that. They depend on an active data connection to work. Also, it would seem that a hacker on a PC would have access to your BlackBerry and be able to modify its configuration, wipe it, whatever, if he hacks your BlackBerry Protect account. My goal with BlackBerry handheld device security is to protect my personal data (contacts, calendar, tasks, passwords, emails, pictures, etc.) from anyone who might download all of it with Cellebrite/UFED equipment in a matter of a few minutes.
Last edited by Tõnis; 12-30-11 at 01:10 PM.
12-30-11 11:57 AM

And, if you go through so much trouble to secure your phone, why even bother to let a stranger use it? At all? Ever? To be nice? Sure, that's fine and dandy, but you seem (no offense) overly paranoid about phone security and someone possibly stealing your info, be it by you losing your phone or letting a stranger use it for a 2 or 3 minute phone call.
I doubt it, too.
12-30-11 12:06 PM

On a BlackBerry, a longer password is better for the stronger device memory encryption strength settings. If I remember correctly, with a thirteen character password you would benefit from the "Stronger" encryption strength setting (not "Strong" or "Strongest").
I use BlackBerry's encryption for ordinary stuff stored on my BlackBerry and its media card (contacts, calendar, passwords, pictures). I also use the media card to store certain files from my computer. I don't encrypt those computer files with the BlackBerry; I use another encryption program for that and just store them on the media card like on a USB drive.
12-30-11 12:16 PM

Sith_Apprentice (Mod Team Emeritus)
When content protection is turned on, sensitive data on the BlackBerry® smartphone is protected using the 256-bit Advanced Encryption Standard (AES) encryption algorithm. Content protection of BlackBerry smartphone user data is designed to perform the following actions:
• Use 256-bit AES encryption to encrypt stored data when the BlackBerry smartphone is locked
• Use an Elliptic Curve Cryptography (ECC) public key to encrypt data that the BlackBerry smartphone receives when it is locked
The strength of the content protection can be adjusted on the BlackBerry smartphone. This will dictate the size of the key used for certain content protection operations. These keys are only used in the process to encrypt data while the BlackBerry smartphone is locked. While the BlackBerry smartphone is unlocked, content protection operations use the 256-bit AES key. When the BlackBerry smartphone is locked, the 256-bit AES key is removed from memory along with the ECC private key.
The following list describes the content protection strength settings on the BlackBerry smartphone, and the encryption strength that each setting provides:
• Strong – 80 Bit ECC Key size
• Stronger – 128 Bit ECC Key size
• Strongest – 256 Bit ECC Key size
From BTSC
The key is generated randomly when content protection is enabled. I don't believe it has anything to do with a password.
12-30-11 12:22 PM

"Choose a content protection strength level that optimizes either the ECC encryption strength or the decryption time. If you set the content protection strength to Stronger (to use a 283-bit ECC key) or to Strongest (to use a 571-bit ECC key), consider setting the Minimum Password Length IT policy rule to enforce a minimum BlackBerry device password length of 12 characters or 21 characters, respectively. These password lengths maximize the encryption strength that the longer ECC keys are designed to provide. The BlackBerry device uses the BlackBerry device password to generate the ephemeral 256-bit AES encryption key that the BlackBerry device uses to encrypt the content protection key and the ECC private key. A weak password produces a weak ephemeral key."
(http://docs.blackberry.com/en/admin/...yption_STO.pdf -- Pages 4-5 of the document, page 8 of the PDF)
But I'm not exactly sure about this. Perhaps I don't understand what I'm reading. Maybe it only applies when a BES is in use.
Another thing to bear in mind is that older devices and OS's (like my 8330m on OS 4.5) only support passwords up to twelve or thirteen characters. My 9650 on OS 6 supports up to (I think) thirty characters.
Last edited by Tõnis; 12-30-11 at 12:43 PM.
12-30-11 12:38 PM
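As an added example (not code from this thread, from RIM, or from the quoted documents), here is a Python model of the key hierarchy the admin guide excerpt above describes: the device password derives an ephemeral 256-bit key, that key wraps a randomly generated content-protection key, and the chain is only as strong as its weakest link, which is why the guide pairs the Stronger and Strongest settings with 12- and 21-character passwords. The KDF (PBKDF2-HMAC-SHA256), its iteration count, the HMAC-based wrap standing in for AES key wrapping, and the character-class entropy estimate are all assumptions made for illustration.

```python
# Model of the quoted key hierarchy: password -> ephemeral 256-bit key ->
# wrapped content-protection key.  Not BlackBerry's code; KDF, iteration
# count, wrap construction and entropy estimate are illustrative assumptions.
import hashlib
import hmac
import math
import os
import string

# Security level (bits) of each strength setting, as listed in the KB article
# quoted above.  The admin guide's 283-bit and 571-bit ECC keys are the curve
# sizes behind the 128-bit and 256-bit levels (an ECC key is roughly twice
# its security level).
STRENGTH_LEVEL_BITS = {"Strong": 80, "Stronger": 128, "Strongest": 256}
AES_KEY_BITS = 256
PBKDF2_ITERATIONS = 100_000  # assumption; the real KDF is not documented here

CHARACTER_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
)

def password_entropy_bits(password):
    """Rough estimate: length * log2(total size of the character classes used)."""
    alphabet = sum(size for chars, size in CHARACTER_CLASSES
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def derive_ephemeral_key(password, salt):
    """The ephemeral 256-bit key the device password produces (KDF assumed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)

def wrap_key(kek, key_to_wrap):
    """Encrypt-then-MAC wrap of a 32-byte key: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = hmac.new(kek, b"wrap" + nonce, hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(key_to_wrap, stream))
    tag = hmac.new(kek, b"tag" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unwrap_key(kek, blob):
    """Reverse of wrap_key; a wrong password gives a wrong kek and fails the tag."""
    nonce, ciphertext, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(kek, b"tag" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or corrupted key blob")
    stream = hmac.new(kek, b"wrap" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ciphertext, stream))

def enable_content_protection(password):
    """Enabling protection: a random content key, wrapped under the password."""
    content_key = os.urandom(32)  # random and independent of the password
    salt = os.urandom(16)
    blob = wrap_key(derive_ephemeral_key(password, salt), content_key)
    return content_key, salt, blob

def unlock(password, salt, blob):
    """Unlocking: re-derive the ephemeral key and recover the content key."""
    return unwrap_key(derive_ephemeral_key(password, salt), blob)

def effective_strength(password, strength):
    """Weakest link of password -> ephemeral AES key -> ECC strength setting."""
    links = {
        "password": password_entropy_bits(password),
        "ephemeral AES key": float(AES_KEY_BITS),
        "ECC strength setting": float(STRENGTH_LEVEL_BITS[strength]),
    }
    weakest = min(links, key=links.get)
    return weakest, round(links[weakest], 1)

if __name__ == "__main__":
    for pw in ("12345678", "Pa55word!", "correct-Horse-Batt3ry"):
        for setting in ("Strong", "Strongest"):
            print(f"{pw!r:25} {setting:9} {effective_strength(pw, setting)}")
```

Running it shows a long password on the Strong setting capped at that setting's 80-bit level, while a short or digits-only password caps even the Strongest setting far below 256 bits.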

Sith_Apprentice (Mod Team Emeritus)
This seems to apply to the key that protects the content protection key. It does not apply directly to the content protection key lol. It's another layer on top. So you would have to decrypt a 256-bit encrypted key to decrypt a 571-bit key in order to get past the content protection. Good luck haha
I am also unsure why it lists a 571-bit key whereas the BTSC lists a 256-bit key, unless this does indeed have to do with BES.
12-30-11 12:42 PM

avt123 (O.G.)
My device is jailbroken (haven't jailbroken my iPhone since the 3GS) so I don't protect it from it. If it wasn't, my protection would be not allowing anyone to touch my phone (which I already said) near an iPhone USB connection and a computer. I doubt the majority of people know how to jailbreak an iOS device wirelessly. That jailbreakme website doesn't work with iOS 5.01, and untethered was just released a few days ago.
You can jailbreak a device without unlocking it (the device needs to be turned off to jailbreak, connected to a computer and put in DFU mode), but once it starts up you need to unlock it to gain access. I also don't have SSH installed on my iPhone so there is no root access to gain from there. If I had OpenSSH (with the stock alpine password) then it would be a little scary.
If the NSA wants to get into my device, I am sure they would find a way anyway. By not allowing anyone to touch my device, browsing in private mode while on public WiFi and keeping my personal info AES 256 encrypted, I am not really worried.
And this is all hypothetically speaking. Most people don't even know what jailbreaking is. The odds of me losing my device, and then it falling into the hands of a hacker, are pretty slim. Also, the second I realize my phone is gone (which would literally be seconds because my phone goes off nonstop throughout the day), I would wipe the device immediately.
Last edited by avt123; 12-30-11 at 12:47 PM.
12-30-11 12:43 PM

avt123 (O.G.)
Jailbreaking allows you to mod your device. I can add things Apple doesn't allow and I have access to another app store called Cydia, which is where you get these mods. As far as I know, a jailbroken iPhone is not more vulnerable than a stock iPhone. A jailbroken iPhone is only extremely vulnerable to hacks if you have an SSH client installed and haven't changed the root password. If you don't have it installed they cannot gain SSH access AFAIK.
Also, everything I have read about the iPhone and Cellebrite talks about the 4 pin password. That is the "simple password" setup in the iPhone. I haven't seen it mention anything about advanced passwords.
Here is a PDF
http://www.cellebrite.com/images/sto...structions.pdf
And I honestly do not know if my device is 100% secure. The best thing I can do if I knew I had something suspicious on my device or if I really didn't want them to touch my smartphone would be to quickly go into the settings while I'm being pulled over and to reset the device completely. I think NY law requires a warrant though if they even want to search my device. I will never willingly hand it over.
I have had my car searched 3 times and they always rip up the insides and throw things everywhere. I have also been searched multiple times throughout my life so far and not once have they tried to access my phone. However, one time a cop knew my phone number and my smartphone was still in my pocket. This is also when I had a BB, password locked, encrypted on strongest settings. My 9000 with BBOS 5.
Last edited by avt123; 12-30-11 at 01:35 PM.
12-30-11 01:31 PM

"A US Department of Justice test of the CelleBrite UFED used by Michigan police grabbed the photos and video off of an iPhone within one-and-a-half minutes. 'The device works with 3000 different phone models and defeats all password protections. A complete extraction of existing, hidden, and deleted phone data, including call history, text messages, contacts, images, and geotags,' a CelleBrite brochure explains regarding the device's capabilities. 'The Physical Analyzer allows visualization of both existing and deleted locations on Google Earth. In addition, location information from GPS devices and image geotags can be mapped on Google Maps.'"
Seems the Cellebrite/UFED equipment can recover deleted data. That's why resetting might be of minimal help (maybe if they don't have a Cellebrite.)
And just to clarify, I don't have anything illegal. It seems police claim they're looking for texting-while-driving evidence, but it's clear that on the less secure devices they can see everything. I don't want them seeing anything. (Nor do I want to help them gather evidence against me.)
Last edited by Tõnis; 12-30-11 at 01:48 PM.
12-30-11 01:39 PM

avt123 (O.G.)
I don't want them touching my things either. I just don't understand how this program can get deleted data. That means nothing really deletes. If a full reset doesn't delete data off of devices then something is wrong.
I wonder if this can become a lawsuit. It specifically tells you all data will be removed when you reset. If this device has the ability to get that data, then these software companies are straight up lying.
12-30-11 02:20 PM