[rdyoung]

Not sure if this belongs here, but since it does relate to blackberry and it is news, here we go.

You can no longer rely on encryption to protect a BlackBerry | Mobile device management - InfoWorld

The encryption used to protect backup files made by DM, apparently has been cracked, with a 7char password being cracked in 3days or so.

This doesn't mean that blackberries aren't the most secure consumer device out there, just that if your backups get into the wrong hands, your info belongs to them.

[JRSCCivic98]

Nothing new in terms of the backup file. A lot of people don't even password protect the backup files. Honestly, I'm surprised no one tried to do this any earlier since it's just a standalone file. There are already programs out there that can read the backup file and extract data out of it if needed. Amber Software makes such a program, but not a lot of people know about it.

[grahamf]

I'm more worried of other people being able to acces the backup files, let alone crack them.

[Rootbrian]

As long as you keep your computer locked, they won't be able to access it.

Unless they break into your house or organization and use a windows password-cracking CD... Your out of luck. Mac and Linux users are safe use a VM with windows installed on it and your data is locked away with the linux system locked.

Posted from my CrackBerry at wapforums.crackberry.com

[rdyoung]

As long as you keep your computer locked, they won't be able to access it.

Unless they break into your house or organization and use a windows password-cracking CD... Your out of luck. Mac and Linux users are safe use a VM with windows installed on it and your data is locked away with the linux system locked.

Posted from my CrackBerry at wapforums.crackberry.com

Not so much. There is a bootcd/usb software that when booted from bypasses linux and windows passwords both 32 and 64bit.
And there are ways to reset osx passwords from an osx install disc.

If you are concerned about the privacy of the data that is in your backup files, we must go the extra step and bitlocker or truecrypt a partition for storage of the files. This way someone has to get past that encryption first, and as far as I know TC nor bitlocker has any publicly known exploitable bugs to speed up bruteforce cracking.

Posted from my CrackBerry at wapforums.crackberry.com

[rdyoung]

Nothing new in terms of the backup file. A lot of people don't even password protect the backup files. Honestly, I'm surprised no one tried to do this any earlier since it's just a standalone file.

I am surprised by this as well. But I am also disappointed by the ease in which this encryption was cracked, and the fact this algorithm was easier to crack than the one used by APPLE for the iphone. Considering RIMs reputation for security, this is one big oopsie, one that hopefully will be fixed in upcoming versions of DM.

[belfastdispatcher]

Maybe I'm wrong but wouldn't they have to access the BES server before they even try to crack the encryption which is pretty much impossible?
As for consumers, they would have to crack the pc password first too.

Posted from my CrackBerry at wapforums.crackberry.com

[CanuckBB]

Maybe I'm wrong but wouldn't they have to access the BES server before they even try to crack the encryption which is pretty much impossible?
As for consumers, they would have to crack the pc password first too.

Posted from my CrackBerry at wapforums.crackberry.com

We're talking about the backup file, nothing to do with the BES. They'd need access to the file on your PC.

3 days to crack the password. Using what kind of computing power? Nothing is hacker proof given enough time and resources. I'm thinking, if your data is valuable enough that somebody is wiling to spend 3 days cracking it open, maybe you just need other levels of security as well.

[belfastdispatcher]

We're talking about the backup file, nothing to do with the BES. They'd need access to the file on your PC.

3 days to crack the password. Using what kind of computing power? Nothing is hacker proof given enough time and resources. I'm thinking, if your data is valuable enough that somebody is wiling to spend 3 days cracking it open, maybe you just need other levels of security as well.

But in a BES environment I thought the backup is not done on the user's computer, but on the company's servers so they can restore everything to a new device if broken or lost. I thought that was part of the BES beauty, wipe and re-install remotely. Anybody more info on this?

Posted from my CrackBerry at wapforums.crackberry.com

[JRSCCivic98]

But in a BES environment I thought the backup is not done on the user's computer, but on the company's servers so they can restore everything to a new device if broken or lost. I thought that was part of the BES beauty, wipe and re-install remotely. Anybody more info on this?

Posted from my CrackBerry at wapforums.crackberry.com

It can be done either way. Just because you're on BES doesn't mean you cannot do a local backup of the device. Considering that DM by default is setup to do a backup every 7 days automatically unless you turn off auto backups, if DM is installed on a system, it'll do a backup.

The point here is that the encryption is "weak" and that it's done "after" the backup is performed on the phone. It's more a weakness of DM then anything else really. Heck, for that matter, someone could write a COM sniffer to piggyback the transfer of data that DM does WHILE talking to the BB. For that matter, they could even turn that sniffer into a handset password sniffer because if the handset is password protected, that password must be passed by DM to the BB before it'll talk to it once hooked up to DM. Who's taking bets that the password is clear text as well?

With that password, people could do more. For instance, load a program that does this on a person's PC without their knowledge similar to a keylogger. Then wait for it to email you the password when the user attached to DM. Then snag that user's BB and use the password you just sniffed and bingo... access granted! lol

[belfastdispatcher]

It can be done either way. Just because you're on BES doesn't mean you cannot do a local backup of the device. Considering that DM by default is setup to do a backup every 7 days automatically unless you turn off auto backups, if DM is installed on a system, it'll do a backup.

The point here is that the encryption is "weak" and that it's done "after" the backup is performed on the phone. It's more a weakness of DM then anything else really. Heck, for that matter, someone could write a COM sniffer to piggyback the transfer of data that DM does WHILE talking to the BB. For that matter, they could even turn that sniffer into a handset password sniffer because if the handset is password protected, that password must be passed by DM to the BB before it'll talk to it once hooked up to DM. Who's taking bets that the password is clear text as well?

With that password, people could do more. For instance, load a program that does this on a person's PC without their knowledge similar to a keylogger. Then wait for it to email you the password when the user attached to DM. Then snag that user's BB and use the password you just sniffed and bingo... access granted! lol

Aha but can the bes it people stop you from backing up on an unapproved pc or anywhere else except the company's servers?

Posted from my CrackBerry at wapforums.crackberry.com

[SaintThomasAquinas]

The Encryption Algorithm was not broken. Rather a "piece of software" was written which uses a brute force attack to decrypt your manual backup that you have to create intentionally of your device using desktop manager. The encryption algorithm was not attacked. The software uses "guessing" to get your password.

In the IT world physical security is always the most important. If you have weak physical security on your workstation as well as poor passwords (less than 7 characters, no mixed case, no special characters, based on a dictionary word) then you will be at risk. The weak link in this attack is the user who has a poor password and poor physical security on his workstation/laptop.

[stuaw11]

The Encryption Algorithm was not broken. Rather a "piece of software" was written which uses a brute force attack to decrypt your manual backup that you have to create intentionally of your device using desktop manager. The encryption algorithm was not attacked. The software uses "guessing" to get your password.

In the IT world physical security is always the most important. If you have weak physical security on your workstation as well as poor passwords (less than 7 characters, no mixed case, no special characters, based on a dictionary word) then you will be at risk. The weak link in this attack is the user who has a poor password and poor physical security on his workstation/laptop.

You mean like the iphone where people here jumped all over it when you had to be jailbroken, have SSH installed, leave it on, AND not change the stock password?

Just like this, a lot of steps and lack of common sense to let someone in. Interested how its defended when its one's own platform, but conveniently attacked without common sense when its something some people dont like.



All these security stories are really a joke. Look, if someone wants to get your data bad enough they will eventually, period. They will find a way be it spyware unknowingly installed in BBs like in the Middle East, this backup thing, getting into the mobile data stream, etc.

People here think theyre more important than they are like theyre Obama and have everything to lose if someone got in your device. But likely youre just NOT that important for anyone to want to hack you to begin with, because what you have is nothing valuable to anyone!

Further, you shouldnt be storing THAT precious of data (bank account #'s, SS#, passwords, etc) on your phone to begin with!

[grahamf]

The Encryption Algorithm was not broken. Rather a "piece of software" was written which uses a brute force attack to decrypt your manual backup that you have to create intentionally of your device using desktop manager. The encryption algorithm was not attacked. The software uses "guessing" to get your password.

In the IT world physical security is always the most important. If you have weak physical security on your workstation as well as poor passwords (less than 7 characters, no mixed case, no special characters, based on a dictionary word) then you will be at risk. The weak link in this attack is the user who has a poor password and poor physical security on his workstation/laptop.

Exactly. And so a password such as 7aA76q6∑ would be harder to crack than say "Llama" (you better get the reference)


and yes, that's a sigma.

[phonejunky]

This isn't even shocking news people have been reading everything going through your blackberry for years especially in the US. it's just these naive fanboys didn't won't to believe it. So now some public company showed they can do it too. Well there goes all that rah rah rah look how secure my Blackberry is thank goodness.

[belfastdispatcher]

This isn't even shocking news people have been reading everything going through your blackberry for years especially in the US. it's just these naive fanboys didn't won't to believe it. So now some public company showed they can do it too. Well there goes all that rah rah rah look how secure my Blackberry is thank goodness.

And your statement is based on what?

Posted from my CrackBerry at wapforums.crackberry.com

[i7guy]

And your statement is based on what?

Posted from my CrackBerry at wapforums.crackberry.com

Doesn't seem like he comprehended this thread.

Posted from my CrackBerry at wapforums.crackberry.com

[qbnkelt]

Not all Blackberry devices on BES allow for DM to be locally installed. Our agency does not provide and does not allow for DM to run locally on users' PCs.
All our BBerry activities run through BES - even AppWorld is locked. I managed to sneak Poynt on my work issued 9650 but that was wiped after a BES wipe shortly afterwards. So - our backups run through BES.
Oh yeah, I'm not Obama.

Posted from my CrackBerry at wapforums.crackberry.com

[belfastdispatcher]

Not all Blackberry devices on BES allow for DM to be locally installed. Our agency does not provide and does not allow for DM to run locally on users' PCs.
All our BBerry activities run through BES - even AppWorld is locked. I managed to sneak Poynt on my work issued 9650 but that was wiped after a BES wipe shortly afterwards. So - our backups run through BES.
Oh yeah, I'm not Obama.

Posted from my CrackBerry at wapforums.crackberry.com

Just what I was waiting on to be confirmed. It makes sense, why allow people to back up work data on their personal computers?

Posted from my CrackBerry at wapforums.crackberry.com

[qbnkelt]

Depending on the security level of tHe BES client. At certain agencies, nothing is backed up through DM because at those levels, it simply is not available. Everything is through BES and not DM - upgrades, back ups, wipes....everything.
On your personal PC, the security is not the same.

Posted from my CrackBerry at wapforums.crackberry.com

[belfastdispatcher]

Depending on the security level of tHe BES client. At certain agencies, nothing is backed up through DM because at those levels, it simply is not available. Everything is through BES and not DM - upgrades, back ups, wipes....everything.
On your personal PC, the security is not the same.

Posted from my CrackBerry at wapforums.crackberry.com

Just what I thought and it makes me wonder if there's an anti blackberry propaganda going around as many blogs seem to find any excuse to put blackberry down for untrue reasons. I'm not saying they're perfect but what's theirs it's theirs.

Posted from my CrackBerry at wapforums.crackberry.com

[i7guy]

Just what I thought and it makes me wonder if there's an anti blackberry propaganda going around as many blogs seem to find any excuse to put blackberry down for untrue reasons. I'm not saying they're perfect but what's theirs it's theirs.

Posted from my CrackBerry at wapforums.crackberry.com

People who want to see RIM fail will point to any flaw, even if the flaw has nothing to do with RIM.

No Passwords or simple passwords are allowed on BBery's, so blame RIM if your phone is compromised becaused you used the password "password" or "abc".

[qbnkelt]

Not only that....people fail to realise that security breaches don't always happen at the Cabinet level. One disgruntled analyst sitting along in a cubicle with certain connections can cause almost as much damage as an improperly thought out presidential decision....

One name....Robert Hanssen....

[stuaw11]

OK but thats still getting off-topic, since as admitted not nearly all BES setups block DM. You cant use one specific scenario to negate an issue. It depends on the setup and not all are set up equally.

There are likely WAY more people who can backup to DM (BIS users and BES users not locked down) than cannot overall by many many times over. Its still an issue never the less.






And CrackberryBrandon has a perfectly valid point. One little security hole opened on the iphone and how many BB fanboys jumped all over it, when it really had little to do with Apple in reality? It took how many steps to utilize? Jailbreaking, installing SSH, leaving SSH on, and not changing the default SSH password; a heck of a lot of steps and coincidences to make it vulnerable. At least there the user had to really create quite a few holes/vulnerabilities all by themselves to open themselves up to any potential attack.

Sounds pretty hypocritical if you cant realize a hole, equally obscure as it is, here too. Here its even worse as DM backup is pretty common with BB users (especially BIS users who have no wireless backup). Here it also only requires one level of security breach, the PC which lots of people barely password protect alone, to get your info.

[belfastdispatcher]

OK but thats still getting off-topic, since as admitted not nearly all BES setups block DM. You cant use one specific scenario to negate an issue. It depends on the setup and not all are set up equally.

There are likely WAY more people who can backup to DM (BIS users and BES users not locked down) than cannot overall by many many times over. Its still an issue never the less.






And CrackberryBrandon has a perfectly valid point. One little security hole opened on the iphone and how many BB fanboys jumped all over it, when it really had little to do with Apple in reality? It took how many steps to utilize? Jailbreaking, installing SSH, leaving SSH on, and not changing the default SSH password; a heck of a lot of steps and coincidences to make it vulnerable. At least there the user had to really create quite a few holes/vulnerabilities all by themselves to open themselves up to any potential attack.

Sounds pretty hypocritical if you cant realize a hole, equally obscure as it is, here too. Here its even worse as DM backup is pretty common with BB users (especially BIS users who have no wireless backup). Here it also only requires one level of security breach, the PC which lots of people barely password protect alone, to get your info.

First of all jailbreaking is a security breach on it's own, second of all, Rim provides the tools to be safe and stay safe, if users don't use them that's their problem, can't blame Rim.

Posted from my CrackBerry at wapforums.crackberry.com