12-31-11 09:39 PM
50 12
tools
  1. T
    BlackBerry Bold 9650 (non-camera model) with OS 6 is my daily driver. I have two security configurations that I alternate between. I use one of the configurations for a while (maybe a month or two) then switch to the other. The first configuration is the stronger configuration, because Contacts are encrypted.

    Configuration 1

    1. Options>Security>Password

    * Check "Enable" (See Note 1)
    * Number of Password Attempts: 10
    * Lock After: 1 hour
    * Check "Prompt on Application Install"
    * Check "Allow Outgoing Calls While Locked" (See Notes 2 & 3)
    * Uncheck "Lock Handheld Upon Holstering"

    2. Options>Security>Encryption

    Device Memory
    * Check "Encrypt"
    * Strength: Strongest (See Note 1)
    * Check "Include Contacts" (See Note 2 & 3)
    * Check "Include Media Files"

    Media Card
    Check "Encrypt"
    Mode: "Device Password & Device Key" (See important Media Card Encryption Note below)
    Check "Include Media Files"

    Notes:
    1. I use a twenty-one character password. This allows me to take advantage of the "Strongest" Device Memory encryption strength. In case you think it's inconvenient for me to enter it, it's not. I use a one hour security timeout, my BlackBerry is on my person most of the time, and rarely an hour goes by that I don't look at my BlackBerry. If it's locked, it's because I deliberately locked it. In any case, I'm a pretty fast typist.
    2. I encrypt my contacts. That way I'm fine with allowing outgoing calls while the device is locked. If someone needs to use my BlackBerry to make a call, I can simply lock it, and he won't see my contact list start to populate when he starts to dial. (I have unlimited calling, so I'm not especially worried about a thief who might place a bunch of calls before I report the phone stolen to my carrier.) This setting also allows me to take advantage of the "Recent Activities" feature in the Contacts application without the concern that someone with UFED/Cellebrite equipment might be able to view any unencrypted recent activities stored in the Contacts application.
    3. Password for voicemail is enabled and set to enter manually. Reason: when someone goes to place a call when the BlackBerry is locked and outgoing calls are allowed, he can still press the BlackBerry (menu) key and choose the "Call Voicemail" option; there's no way to disable this.


    Configuration 2

    1. Options>Security>Password

    * Check "Enable"
    * Number of Password Attempts: 10
    * Lock After: 1 hour
    * Check "Prompt on Application Install"
    * Uncheck "Allow Outgoing Calls While Locked" (See Notes)
    * Uncheck "Lock Handheld Upon Holstering"

    2. Options>Security>Encryption

    Device Memory
    * Check "Encrypt"
    * Strength: Strongest
    * Uncheck "Include Contacts" (See Notes)
    * Check "Include Media Files"

    Media Card
    Check "Encrypt"
    Mode: "Device Password & Device Key" (See important Media Card Encryption Note below)
    Check "Include Media Files"

    Notes:
    1. When contacts are not encrypted, I don't allow outgoing calls while the BlackBerry is locked. Otherwise someone dialing a call will have access to all my contacts even while the BlacBerry is locked. Also, when Contacts are not encrypted, I don't enable the "Recent Activities" feature in the Contacts application. Though I don't know for sure, it's logical to conclude that someone with UFED/Cellebrite equipment who somehow circumvents the device password will be able to read any unencrypted data. If the "Contacts" application is unencrypted, it's likely the "Recent Activities" (emails, etc.) displayed therein are also unencrypted.
    2. When I don't allow outgoing calls while the device is locked, I add a pause and password into my voicemail number for convenience. No one will be able to reach the dial out screen and "Call Voicemail" option without first entering my password.
    3. When Contacts are not encrypted, I take full advantage of custom Contact Alerts; they'll work even when the Blackberry is locked. If Contacts are encrypted, any custom Contact Alerts will only work when the BlackBerry is unlocked.

    Important Media Card Encryption Note

    If it's imperative that you're able to view your encrypted media card files in a different BlackBerry, you must use "Device Password" as the media card encryption mode. If you use either of the other two encryption modes, you will not be able to view your encrypted media card files in any other BlackBerry ... ever! I have a mix of encrypted and unecrypted files on my media card. I transfer the encrypted files back and forth between BlackBerry and pc using BlackBerry Desktop Software 6. I transfer the unencrypted files between BlackBerry and pc using the USB (mass storage) mode.
    Last edited by Tnis; 12-30-11 at 08:18 AM. Reason: edited for typos and clarity
    12-30-11 12:51 AM
  2. SRR500's Avatar
    Interesting read. I have one comment.

    I read a while back a Russian company has found out how to hack into and break the encryption on a locked down BB. They have made this software available to the public. I assume for purchase. I read about it here on CB but can't remember if it was a blog or forum post.

    If I remember right, their hack only works if the media card is encrypted.

    For the best security it would seem best to leave the media card unencrypted and to store any files that HAVE to be secured in the device memory.

    If I misunderstood what I was reading, I would appreciate if someone would correct me. Most of the stuff concerning encryption and keys etc. is over my head.
    12-30-11 07:41 AM
  3. T
    Interesting read. I have one comment.

    I read a while back a Russian company has found out how to hack into and break the encryption on a locked down BB. They have made this software available to the public. I assume for purchase. I read about it here on CB but can't remember if it was a blog or forum post.

    If I remember right, their hack only works if the media card is encrypted.

    For the best security it would seem best to leave the media card unencrypted and to store any files that HAVE to be secured in the device memory.

    If I misunderstood what I was reading, I would appreciate if someone would correct me. Most of the stuff concerning encryption and keys etc. is over my head.
    The software the Russian company Elcomsoft put out purportedly is able to extrapolate a BlackBerry's password if the BlackBerry's media card is encrypted using the "Device Password" encryption mode. That's why I use "Device Password & Device Key." When a device key is introduced, the software can't crack the password. Some have suggested that RIM eliminate the "Device Password" mode, but I don't agree. The "Device Password" mode is useful if you want to view your encrypted media card files on a BlackBerry other than the one that was used to encrypt the files. A beginner can use it to take advantage of encryption without the risk of losing his encrypted media card files should his device fail or get wiped, and a more advanced user can temporarily apply the mode if he wants to move his card to a different device. (He can then re-apply a mode that uses a device key for additional security.)
    Last edited by Tnis; 12-30-11 at 08:30 AM.
    12-30-11 08:08 AM
  4. kilted thrower's Avatar
    I'm really curious because you talk a lot about security. And, yes, I realize it's better to be safe than sorry. And I'll preface this by saying I keep my videos and pictures on gesture lock because if I put down my phone, I don't want my students picking it up and going through my pics or videos.

    And I don't want a bicker back and forth like in the last thread.

    But I'm genuinely curious as to what the benefit of the average person password protecting their phone that strongly? And is it a common activity that I haven't heard of that strangers asking to you use your phone are installing something while you're watching them use your phone?

    Don't get me wrong, I appreciate security. But I think other than the gesture lock on media, all I have is an app to GPS find/locate and remote wipe should my phone get stolen.
    12-30-11 10:50 AM
  5. Moonbase0ne's Avatar
    That's a lot of security concern for the average person to worry about.

    And, If you go through so much trouble to secure your phone, why even bother to let a stranger use it? At all? Ever? To be nice? Sure, that's fine and dandy, but you seem(no offense) overly paranoid about phone security and someone possible stealing your info be it by you losing your phone or letting a stranger use it for a 2 or 3 minute phone call.

    I doubt the average person deciding on what phone they want, going by the resent smartphone trends(in the US atleast), care that much about security on their phones.


    War Is All We Know
    12-30-11 11:19 AM
  6. avt123's Avatar
    My security? Don't let other people touch my phone. Password lock comes on every time I lock my device and after 10 failed attempts it wipes. All my "highly sensitive" data is AES 256 bit encrypted. I also have find my iPhone which allows for remote wiping.

    I feel pretty safe this way. Although, I haven't really felt threatened on any smartphone.
    12-30-11 11:31 AM
  7. 13echo4's Avatar
    That's a lot of security concern for the average person to worry about.

    And, If you go through so much trouble to secure your phone, why even bother to let a stranger use it? At all? Ever? To be nice? Sure, that's fine and dandy, but you seem(no offense) overly paranoid about phone security and someone possible stealing your info be it by you losing your phone or letting a stranger use it for a 2 or 3 minute phone call.

    I doubt the average person deciding on what phone they want, going by the resent smartphone trends(in the US atleast), care that much about security on their phones.


    War Is All We Know
    I agree I don't think security is much of a average persons concern when buying a phone.
    That being said I don't like the OPs approach to security. I lock my phone so if I drop it or someone snags it they don't have access to my contacts. I have mine seg to lock on holister and 2 minutes. I use a thirteen # password. It just so happens my password is that long. Anything over 7 chars. Is a strong password when useing mixed #s and letters plus symbols. Lowering the attempts to 5 or below for a short password is really going to help against a brute attack. There's no reason for you to input your pw in wrong that many times in a row.
    As far as media card goes you really shouldn't have anything on it that important. If your using your card for a usb drive thenencrypt it w/ software on the machine you'll use to view the files.

    Posted from my CrackBerry at wapforums.crackberry.com
    12-30-11 11:42 AM
  8. Sith_Apprentice's Avatar
    It entirely defeats the purpose of a password (IMO) to have a timeout of 1 hour. I use a 15 digit password (complex) on my device and have the timeout set to 2 minutes. I also lock the device in my holster. This is my work device, but I am the admin so I can change it how I like lol. I allow my users a MAX of 15 min timeout with a minimum of 8 digit passcode. I also use encryption on the media card, contacts, and the file system.
    12-30-11 12:25 PM
  9. barnyr's Avatar
    My concern is that employees will install an app that gathers unauthorized data from the phone and sends it to someone without the owner's knowledge. That is why BES policy does not allow app install by users in addition to requiring encryption, strong passwords, and short timeouts. This is also the reason why corporate policy is to only allow BB to access corporate email, because we cannot control app install on other types of devices.
    12-30-11 12:38 PM
  10. T
    I'm really curious because you talk a lot about security. And, yes, I realize it's better to be safe than sorry. And I'll preface this by saying I keep my videos and pictures on gesture lock because if I put down my phone, I don't want my students picking it up and going through my pics or videos ...
    Yes, I wouldn't want the students in there either, lol. But I also don't want any unauthorized person in my phone. This includes strangers, people I know, and police with CelleBrite/UFED equipment:

    Michigan State Police are now using an advanced extraction device to download cell phone data from citizens at routine traffic stops.

    Some people may be perfectly fine with the friendly revenue agent downloading and looking at all their personal data during a traffic stop, but I am not.

    But I'm genuinely curious as to what the benefit of the average person password protecting their phone that strongly? And is it a common activity that I haven't heard of that strangers asking to you use your phone are installing something while you're watching them use your phone?.
    I don't know what the benefit(s) to the average person would be. Maybe nothing. I'm simply enthusiastic about BlackBerry's handheld device security. On the other hand, I'm not excited about anything the average person is likely doing on his phone. For example, I don't care for Angry Birds or any other games, and I don't use facebook. And no, I don't hand my phone to any strangers. But you're no stranger. I would allow you to make a call from my locked BlackBerry.

    Don't get me wrong, I appreciate security. But I think other than the gesture lock on media, all I have is an app to GPS find/locate and remote wipe should my phone get stolen.
    I've heard people like BlackBerry Protect, but I don't generally like programs like that. They depend on an active data connection to work. Also, it would seem that a hacker on a pc would have access to your BlackBerry and be able to modify its configuration, wipe it, whatever if he hacks your BlackBerry Protect account. My goal with Blackerry handheld device security is to protect my personal data (contacts, calendar, tasks, passwords, emails, pictures, etc.) from anyone who might download all of it with Cellebrite/UFED equipment in a matter of a few minutes.
    Last edited by Tnis; 12-30-11 at 02:10 PM.
    12-30-11 12:57 PM
  11. T
    That's a lot of security concern for the average person to worry about.
    Yes, it might be more than they want bother with. (Maybe even more than they can handle.)

    And, If you go through so much trouble to secure your phone, why even bother to let a stranger use it? At all? Ever? To be nice? Sure, that's fine and dandy, but you seem(no offense) overly paranoid about phone security and someone possible stealing your info be it by you losing your phone or letting a stranger use it for a 2 or 3 minute phone call.
    Oh, no. I don't hand my phone to strangers. Please see the linked article in my reply immediately prior to this reply.

    I doubt the average person deciding on what phone they want, going by the resent smartphone trends(in the US atleast), care that much about security on their phones.
    I doubt it, too.
    12-30-11 01:06 PM
  12. T
    My security? Don't let other people touch my phone. Password lock comes on every time I lock my device and after 10 failed attempts it wipes. All my "highly sensitive" data is AES 256 bit encrypted. I also have find my iPhone which allows for remote wiping.

    I feel pretty safe this way. Although, I haven't really felt threatened on any smartphone.
    AES 256 is good. Wipe after 10 failed attempts is good. These are standard BlackBerry features.
    12-30-11 01:08 PM
  13. Sith_Apprentice's Avatar
    My security? Don't let other people touch my phone. Password lock comes on every time I lock my device and after 10 failed attempts it wipes. All my "highly sensitive" data is AES 256 bit encrypted. I also have find my iPhone which allows for remote wiping.

    I feel pretty safe this way. Although, I haven't really felt threatened on any smartphone.
    How do you protect against rooting/jailbreaking? A FULLY upgraded and patched iOS device can be hacked in MINUTES with commercially available tools. Its been shown by several security research institutes, along with the NSA doing it of course.
    12-30-11 01:12 PM
  14. T
    ... I use a thirteen # password. It just so happens my password is that long. Anything over 7 chars. Is a strong password when useing mixed #s and letters plus symbols ...
    On a BlackBerry, a longer password is better for the stronger device memory encryption strength settings. If I remember correctly with a thirteen character password you would benefit from the "Stronger" encryption strength setting (not "Strong" or "Strongest").

    ... As far as media card goes you really shouldn't have anything on it that important. If your using your card for a usb drive thenencrypt it w/ software on the machine you'll use to view the files.
    I use BlackBerry's encryption for ordinary stuff stored on my BlackBerry and its media card (contacts, calendar, passwords, pictures). I also use the media card to store certain files from my computer. I don't encrypt those computer files with the BlackBerry; I use another encryption program for that and just store them on the media card like on a usb.
    12-30-11 01:16 PM
  15. T
    It entirely defeats the purpose of a password (IMO) to have a timeout of 1 hour. I use a 15 digit password (complex) on my device and have the timeout set to 2 minutes. I also lock the device in my holster. This is my work device, but I am the admin so I can change it how I like lol. I allow my users a MAX of 15 min timeout with a minimum of 8 digit passcode. I also use encryption on the media card, contacts, and the file system.
    Yes, one hour is a long time. I tried one, two, five, and twenty minute timeouts. The one, two, and five minute settings gave the most peace of mind. The twenty minute setting worked well. I chose one hour, because the device is usually on me or in my holster. Also, I don't want to have to enter my twenty-one character password every few minutes while driving. If I want or need to lock my BlackBerry, I just press my left convenience key.
    12-30-11 01:21 PM
  16. Sith_Apprentice's Avatar
    On a BlackBerry, a longer password is better for the stronger device memory encryption strength settings. If I remember correctly with a thirteen character password you would benefit from the "Stronger" encryption strength setting (not "Strong" or "Strongest").


    I use BlackBerry's encryption for ordinary stuff stored on my BlackBerry and its media card (contacts, calendar, passwords, pictures). I also use the media card to store certain files from my computer. I don't encrypt those computer files with the BlackBerry; I use another encryption program for that and just store them on the media card like on a usb.
    When content protection is turned on, sensitive data on the BlackBerry smartphone is protected using the 256-bit Advanced Encryption Standard (AES) encryption algorithm. Content protection of BlackBerry smartphone user data is designed to perform the following actions:

    Use 256-bit AES encryption to encrypt stored data when the BlackBerry smartphone is locked
    Use an Elliptic Curve Cryptography (ECC) public key to encrypt data that the BlackBerry smartphone receives when it is locked
    The strength of the content protection can be adjusted on the BlackBerry smartphone. This will dictate the size of the key used for certain content protection operations. These keys are only used in the process to encrypt data while the BlackBerry smartphone is locked. While the BlackBerry smartphone is unlocked content protection operations use the 256-bit AES key. When the BlackBerry smartphone is locked the 256-bit AES key is removed from memory along with the ECC private key.

    The following list describes the content protection strength settings on the BlackBerry smartphone, and the encryption strength that each setting provides:

    Strong 80 Bit ECC Key size
    Stronger 128 Bit ECC Key size
    Strongest 256 Bit ECC Key size

    From BTSC


    The key is generated randomly when content protection is enabled. I dont believe it has anything to do with a password.
    12-30-11 01:22 PM
  17. T
    My concern is that employees will install an app that gathers unauthorized data from the phone and sends it to someone without the owner's knowledge. That is why BES policy does not allow app install by users in addition to requiring encryption, strong passwords, and short timeouts. This is also the reason why corporate policy is to only allow BB to access corporate email, because we cannot control app install on other types of devices.
    True. That's why BlackBerry is best for security.
    12-30-11 01:25 PM
  18. T
    When content protection is turned on, sensitive data on the BlackBerry smartphone is protected using the 256-bit Advanced Encryption Standard (AES) encryption algorithm. Content protection of BlackBerry smartphone user data is designed to perform the following actions:

    •Use 256-bit AES encryption to encrypt stored data when the BlackBerry smartphone is locked
    •Use an Elliptic Curve Cryptography (ECC) public key to encrypt data that the BlackBerry smartphone receives when it is locked
    The strength of the content protection can be adjusted on the BlackBerry smartphone. This will dictate the size of the key used for certain content protection operations. These keys are only used in the process to encrypt data while the BlackBerry smartphone is locked. While the BlackBerry smartphone is unlocked content protection operations use the 256-bit AES key. When the BlackBerry smartphone is locked the 256-bit AES key is removed from memory along with the ECC private key.

    The following list describes the content protection strength settings on the BlackBerry smartphone, and the encryption strength that each setting provides:

    •Strong – 80 Bit ECC Key size
    •Stronger – 128 Bit ECC Key size
    •Strongest – 256 Bit ECC Key size

    From BTSC


    The key is generated randomly when content protection is enabled. I dont believe it has anything to do with a password.
    Good info, but I think the length of the password does affect the strength of the encryption setting. If you choose "Stronger," your password should be 12 characters; if you choose "Strongest," your password should be 21 characters, at least according to this:

    "Choose a content protection strength level that optimizes either the ECC encryption strength or the decryption time. If you set the content protection strength to Stronger (to use a 283-bit ECC key) or to Strongest (to use a 571-bit ECC key), consider setting the Minimum Password Length IT policy rule to enforce a minimum BlackBerry device password length of 12 characters or 21 characters, respectively. These password lengths maximize the encryption strength that the longer ECC keys are designed to provide. The BlackBerry device uses the BlackBerry device password to generate the ephemeral 256-bit AES encryption key that the BlackBerry device uses to encrypt the content protection key and the ECC private key. A weak password produces a weak ephemeral key."

    (http://docs.blackberry.com/en/admin/...yption_STO.pdf -- Pages 4-5 of the document, page 8 of the PDF)

    But I'm not exactly sure about this. Perhaps I don't understand what I'm reading. Maybe it only applies when a BES is in use.

    Another thing to bear in mind is that older devices and OS's (like my 8330m on OS 4.5) only support passwords up to twelve or thirteen characters. My 9650 on OS 6 supports up to (I think) thirty characters.
    Last edited by Tnis; 12-30-11 at 01:43 PM.
    12-30-11 01:38 PM
  19. Sith_Apprentice's Avatar
    This seems to apply for the key that protects the content protection key. It does not apply directly to the content protection key lol. Its another layer on top. So you would have to decrypt a 256bit encrypted key to decrypt a 571 bit key in order to get past the content protection. Good luck haha



    I am also unsure why it lists a 571bit key whereas the BTSC lists a 256bit key unless this does indeed have to do with BES.
    12-30-11 01:42 PM
  20. avt123's Avatar
    How do you protect against rooting/jailbreaking? A FULLY upgraded and patched iOS device can be hacked in MINUTES with commercially available tools. Its been shown by several security research institutes, along with the NSA doing it of course.
    My device is jailbroken (haven't jailbroken my iPhone since the 3GS) so I don't protect it from it. If it wasn't, my protection would be not allowing anyone to touch my phone (which I already said) near a iPhone USB connection and a computer. I doubt the majority of people know how to jailbreak an iOS device wirelessly. That jailbreakme website doesn't work with iOS 5.01, and untethered was just released a few days ago.

    You can jailbreak a device without unlocking it (devices needs to be turned off to jailbreak connected to a computer and put in DFU mode), but once it starts up you need to unlock it to gain access. I also don't have SSH installed onto my iPhone so there is no root access to gain from there. If I had open SSH (with the stock alpine password) then it would be a little scary.

    If the NSA wants to get into my device, I am sure they would find a way anyways. By me not allowing anyone to touch my device, browsing in private mode while on public Wifi and keeping my personal info AES 256 encrypted, I am not really worried.

    And this is all hypothetically speaking. Most people don't even know what jailbreaking is. The odds of me lossing my device, and then it falling into the hands of a hacker is pretty slim. Also, the second I realize my phone is gone (which would literally be seconds because my phone goes off nonstop throughout the day), I would wipe the device immediately.
    Last edited by avt123; 12-30-11 at 01:47 PM.
    12-30-11 01:43 PM
  21. T
    This seems to apply for the key that protects the content protection key. It does not apply directly to the content protection key lol. Its another layer on top. So you would have to decrypt a 256bit encrypted key to decrypt a 571 bit key in order to get past the content protection. Good luck haha



    I am also unsure why it lists a 571bit key whereas the BTSC lists a 256bit key unless this does indeed have to do with BES.
    Yes. I think the important thing is to make sure the password length matches the strength setting. If you use a stronger encryption strength setting with a short password, you might not fully benefit from the stronger setting. (Again, still not sure if it applies to devices not on BES.)
    Last edited by Tnis; 12-30-11 at 01:52 PM.
    12-30-11 01:50 PM
  22. T
    My device is jailbroken (haven't jailbroken my iPhone since the 3GS) so I don't protect it from it. If it wasn't, my protection would be not allowing anyone to touch my phone (which I already said) near a iPhone USB connection and a computer. I doubt the majority of people know how to jailbreak an iOS device wirelessly. That jailbreakme website doesn't work with iOS 5.01, and untethered was just released a few days ago.

    You can jailbreak a device without unlocking it (devices needs to be turned off to jailbreak connected to a computer and put in DFU mode), but once it starts up you need to unlock it to gain access. I also don't have SSH installed onto my iPhone so there is no root access to gain from there. If I had open SSH (with the stock alpine password) then it would be a little scary.

    If the NSA wants to get into my device, I am sure they would find a way anyways. By me not allowing anyone to touch my device, browsing in private mode while on public Wifi and keeping my personal info AES 256 encrypted, I am not really worried.

    And this is all hypothetically speaking. Most people don't even know what jailbreaking is. The odds of me lossing my device, and then it falling into the hands of a hacker is pretty slim. Also, the second I realize my phone is gone (which would literally be seconds because my phone goes off nonstop throughout the day), I would wipe the device immediately.
    Not quite sure what all this about jailbreaking means. Can someone with Cellebrite/UFED equipment access your iPhone's data or not with these settings you have in effect?
    12-30-11 01:57 PM
  23. avt123's Avatar
    Not quite sure what all this about jailbreaking means. Can someone with Cellebrite/UFED equipment access your iPhone's data or not with these settings you have in effect?
    Jailbreaking allows you to mod your device. I can add things Apple doesn't allow and I have access to another app store called Cydia which is where you get these mods. As far as I know, a jailbroken iPhone is not more vulnerable than a stock iPhone. A jailbroken iPhone is only extremely vulnerable to hacks if you have an SSH client installed and haven't changed the root password. If you don't have it installed they cannot can SSH access AFAIK.

    Also, everything I have read about the iPhone and cellebrite talks about the 4 pin password. That is the "simple password" setup in the iPhone. I haven't seen it mention anything about advanced passwords.

    Here is a PDF

    http://www.cellebrite.com/images/sto...structions.pdf

    And I honestly do not know if my device is 100% secure. The best thing I can do if I knew I had something suspicious on my device or if I really didn't want them to touch my smartphone would be to quickly go into the settings while I'm being pulled over and to reset the device completely. I think NY law requires a warrant though if they even want to search my device. I will never willingly hand it over.

    I have had my car searched 3 times and they alway rip up the insides and throw things everywhere. I have also been searched multiple times throughout my life so far and not once have they tried to access my phone. However, one time a cop knew my phone number and my smartphone was still in my pocket. This is also when I had a BB, password locked, encrypted on strongest settings. My 9000 with BBOS 5.
    Last edited by avt123; 12-30-11 at 02:35 PM.
    12-30-11 02:31 PM
  24. T
    Jailbreaking allows you to mod your device. I can add things Apple doesn't allow and I have access to another app store called Cydia which is where you get these mods. As far as I know, a jailbroken iPhone is not more vulnerable than a stock iPhone. A jailbroken iPhone is only extremely vulnerable to hacks if you have an SSH client installed and haven't changed the root password. If you don't have it installed they cannot can SSH access AFAIK.

    Also, everything I have read about the iPhone and cellebrite talks about the 4 pin password. That is the "simple password" setup in the iPhone. I haven't seen it mention anything about advanced passwords.

    Here is a PDF

    http://www.cellebrite.com/images/sto...structions.pdf

    And I honestly do not know if my device is 100% secure. The best thing I can do if I knew I had something suspicious on my device or if I really didn't want them to touch my smartphone would be to quickly go into the settings while I'm being pulled over and to reset the device completely. I think NY law requires a warrant though if they even want to search my device. I will never willingly hand it over.
    Thanks for the link. I'll check it out. I was wondering if the jailbreaking helped or hurt iPhone security. This is from the link I provided in Post #10 above:

    "A US Department of Justice test of the CelleBrite UFED used by Michigan police grab the photos and video off of an iPhone within one-and-a-half minutes. 'The device works with 3000 different phone models and defeats all password protections. A complete extraction of existing, hidden, and deleted phone data, including call history, text messages, contacts, images, and geotags,' a CelleBrite brochure explains regarding the device's capabilities. 'The Physical Analyzer allows visualization of both existing and deleted locations on Google Earth. In addition, location information from GPS devices and image geotags can be mapped on Google Maps.'"

    Seems the Cellebrite/UFED equipment can recover deleted data. That's why resetting might be of minimal help (maybe if they don't have a Cellebrite.)

    And just to clarify, I don't have anything illegal. It seems police claim they're looking for texting-while-driving evidence, but it's clear that on the less secure devices they can see everything. I don't want them seeing anything. (Nor do I want to help them gather evidence against me.)
    Last edited by Tnis; 12-30-11 at 02:48 PM.
    12-30-11 02:39 PM
  25. avt123's Avatar
    And just to clarify, I don't have anything illegal. It seems police claim they're looking for texting-while-driving evidence, but it's clear that on the less secure devices they can see everything. I don't want them seeing anything. (Nor do I want to help them gather evidence against me.)
    I have been pulled over multiple times randomly for routine stops and have been searched almost every single time. I have bad allergies in the Spring/summer and my eyes are always red, glossy and somewhat tearing (if the pollen count is really high). Cops always think I am high so they search everything. They even called the dogs on me one time just to make sure I was telling the truth. Wasted over an hour of my life.

    I don't want they touching my things too. I just don't understand how this program can get deleted data. That means nothing really deletes. If a full reset doesn't delete data off of devices then something is wrong.

    I wonder if this can become a lawsuit. It specifically tells you all data will be removed when you reset. If this device has the ability to get that data, then these software companies are straight up lying.
    12-30-11 03:20 PM
50 12
LINK TO POST COPIED TO CLIPBOARD