ElcomSoft breaks Blackberry Device Password
- Tre LawrenceBetween RealitiesClassic response.
"It's a non-issue, but even if it is an issue, it could be worse. It could be Android."
LOL.
You guys need to start a non-profit to save the poor, misguided "sheep" from the perils of Android.
I think the BBOS vulnerability is not that much of an issue, IMHO.09-30-11 04:57 PMLike 0 - It's an interesting hack - it seems the more we learn about the actual security of BBs, the more we have to facepalm. I wouldn't argue that BBs are easiest to manage in a corporate environment, but from a real security point... they're kinda fail.
Someone already referenced the pwn2own competition where the person who successfully "pwned" the BB had stated that RIM is years and years away from iOS or Android security - security through obscurity is not real security.09-30-11 09:30 PMLike 0 - Actually from a real security standpoint they are virtually unhackable and very easy to manage in a corporate environment, not needing additional software to make them more secure. Even with these revelations you still can't hack the device.
You are correct however about bb security being years away from iOS and android, in a positive direction that is.hornlovah likes this.09-30-11 09:52 PMLike 1 - Classic response.
"It's a non-issue, but even if it is an issue, it could be worse. It could be Android."
LOL.
You guys need to start a non-profit to save the poor, misguided "sheep" from the perils of Android.
I think the BBOS vulnerability is not that much of an issue, IMHO.
1. encrypt your dm manager backup.
2. unencrypted if encrypted your sd card or throw your pics on internal memory.
3. Use a decent password.09-30-11 09:59 PMLike 0 - RIM could easily fix this by using a different encryption method which takes longer to brute force. If they use a stronger encryption method it could take months to years to brute force.09-30-11 10:12 PMLike 0
- Pwn2own isn't getting into a properly configured BlackBerry any time soon. By properly configured, I mean protected with a strong password, encryption turned on (mode set to other than Device Password), and browser javascript turned off.
Posted from my CrackBerry at wapforums.crackberry.com09-30-11 10:19 PMLike 0 - No, read This_is_a_username's response to my leading question above. If you choose to share encrypted data with other devices, your security/privacy is dependent on the strength of your password. Otherwise, the various device vendors would have to agree on a cross platform protocol to protect your password and implement it on a huge scale.09-30-11 11:22 PMLike 0
- This has nothing to do with sharing encrypted data with other devices. This has to do with using a certain cracking program to extrapolate a BlackBerry's password using the information stored on a BlackBerry's encrypted media card. Everyone, read ... If you don't want someone to use the Elcomsoft password cracker to obtain your BlackBerry's password, do one of the following:
1. Do not encrypt your media card, OR
2. Encrypt your media card using a mode other than "Device Password." Use "Device Key" or "Device Password & Device Key."
Then freely hand your phone to someone who has the Elcomsoft cracking program and watch him not be able to crack into your BlackBerry.
Posted from my CrackBerry at wapforums.crackberry.comLast edited by T�nis; 10-01-11 at 08:35 AM.
i7guy likes this.10-01-11 08:31 AMLike 1 - No, read This_is_a_username's response to my leading question above. If you choose to share encrypted data with other devices, your security/privacy is dependent on the strength of your password. Otherwise, the various device vendors would have to agree on a cross platform protocol to protect your password and implement it on a huge scale.
Last edited by EveryApp Mobile; 10-01-11 at 08:40 AM.
10-01-11 08:34 AMLike 0 - This has nothing to do with sharing encrypted data with other devices. This has to do with using a certain cracking program to extrapolate a BlackBerry's password using the information stored on a BlackBerry's encrypted media card. Everyone, read ... If you don't want someone to use the Elcomsoft password cracker to obtain your BlackBerry's password, do one of the following:
1. Do not encrypt your media card, OR
2. Encrypt your media card using a mode other than "Device Password." Use "Device Key" or "Device Password & Device Key."
Then freely hand your phone to someone who has the Elcomsoft cracking program and watch him not be able to crack into your BlackBerry.
Posted from my CrackBerry at wapforums.crackberry.com
This has to do with the files that use "media encryption" using the device password with a weak encryption method to encrypt the files. The password cracker brute forces the files and obtains the device password becuase the "media encryption" is weak.10-01-11 08:37 AMLike 0 - Could be worse this could be your phones security
Major security flaw found in AT&T's upcoming Samsung Galaxy S II device | Android Central10-01-11 08:49 AMLike 0 -
Posted from my CrackBerry at wapforums.crackberry.comLast edited by T�nis; 10-01-11 at 09:02 AM.
10-01-11 08:57 AMLike 0 - You are wrong. BlackBerries are encrypted using the AES. Even a not-so-strong password would take forever to crack. (I don't mean 0000 or ASDF.) When a BlackBerry user selects the "device password" mode of encryption, more information is stored on the media card, and the Elcomsoft cracking program analyzes that information and THEN brute forces the password. It would not be able to brute force the password so fast (even with a weaker password) without analyzing the media card information that is stored there when a user selects the Device Password mode of encryption.
Posted from my CrackBerry at wapforums.crackberry.comLast edited by hornlovah; 10-01-11 at 10:15 AM.
10-01-11 10:02 AMLike 0 - Actually from a real security standpoint they are virtually unhackable and very easy to manage in a corporate environment, not needing additional software to make them more secure. Even with these revelations you still can't hack the device.
You are correct however about bb security being years away from iOS and android, in a positive direction that is.
URL:
zdnet.com/blog/security/pwn2own-2011-blackberry-falls-to-webkit-browser-attack/8401
QUOTE:
Stone confirmed that the BlackBerry does not contain ASLR or DEP but said the company is looking at adding these security enhancements to future BlackBerry versions.
While the research team acknowledged that the BlackBerry benefits from obscurity, Iozzo said the absence of ASLR, DEP and code signing has put the device �way behind the iPhone� from a security perspective.
�The advantage for BlackBerry is the obscurity. It makes it a bit harder to attack a system if you don�t have documentation and information,� Iozzo said.
The quote is from people who have successfully defeated BB security - regardless of who else tells you whatever they tell you, this is a great insight and a very reliable source of information about BB security.10-01-11 10:16 AMLike 0 - @hornlovah --
I use a 21 character password, so I'm all for strong passwords. I was using "Device Password" as the encryption mode on my BlackBerry. Why? Not because I wanted to share my media but because I didn't want my encrypted media files rendered useless if my device died or was wiped. I wanted the option of being able to transfer my card to another BlackBerry and have meaningful access to my encrypted files upon entering the card's password. When I learned that software was developed which is able to exploit a vulnerability in this method, I switched to an encryption mode which employs a device key in addition to my device password. The Elcomsoft product can't access the device key, therefore it does not have the "hints" it would have if my media card was only encrypted using the Device Password mode. I think of it like this (and of course I could be wrong): if I encrypt my media card using the Device Password mode, and you analyze the information on my media card and detect a repeating pattern of djfhfhfdjdjddhbfbjrytttrehi, you might conclude that these characters are a key of some sort. If it is a jumbled key, you would have a huge head start when you go to brute force the password that you wouldn't have if this information was stored on my device and not the card you have analyzed. Hence, the Device Key.
Posted from my CrackBerry at wapforums.crackberry.comLast edited by T�nis; 10-01-11 at 11:17 AM.
10-01-11 10:35 AMLike 0 - Isn't the article missing one important fact, that someone would need to gain physical access to your Blackberry? Or am I reading this wrong?
Couldn't you just remotely wipe the BB if lost? I guess another question would be how long their hack takes to complete? Having re-skimmed the quotes I couldn't find anything.
Or am I missing the whole story here in that Blackberry Security is supposedly impenetrable. I always thought that someone with enough time and resources could crack anything static? But they're probably not going want my pictures of the dog or drunken text messages..10-01-11 10:43 AMLike 0 -
Posted from my CrackBerry at wapforums.crackberry.comLast edited by T�nis; 10-01-11 at 11:12 AM.
10-01-11 10:55 AMLike 0 - Or am I missing the whole story here in that Blackberry Security is supposedly impenetrable. I always thought that someone with enough time and resources could crack anything static? But they're probably not going want my pictures of the dog or drunken text messages..
Posted from my CrackBerry at wapforums.crackberry.comLast edited by T�nis; 10-01-11 at 11:42 AM.
10-01-11 11:02 AMLike 0 - Those people exploited a vulnerability in the webkit browser. There's no way those people can physically break in to a BlackBerry that is encrypted using a Device Key, not even with the Elcomsoft password cracking software -- the device will wipe after ten tries even if it's connected to a computer using Desktop Manager -- and there's no way they can break in over the air (via the browser exploit) if javascript is turned off.
Posted from my CrackBerry at wapforums.crackberry.com10-01-11 11:37 AMLike 0 - Those people exploited a vulnerability in the webkit browser. There's no way those people can physically break in to a BlackBerry that is encrypted using a Device Key, not even with the Elcomsoft password cracking software -- the device will wipe after ten tries even if it's connected to a computer using Desktop Manager -- and there's no way they can break in over the air (via the browser exploit) if javascript is turned off.
Posted from my CrackBerry at wapforums.crackberry.com10-01-11 11:38 AMLike 0 - @hornlovah --
I use a 21 character password, so I'm all for strong passwords. I was using "Device Password" as the encryption mode on my BlackBerry. Why? Not because I wanted to share my media but because I didn't want my encrypted media files rendered useless if my device died or was wiped. I wanted the option of being able to transfer my card to another BlackBerry and have meaningful access to my encrypted files upon entering the card's password. When I learned that software was developed which is able to exploit a vulnerability in this method, I switched to an encryption mode which employs a device key in addition to my device password.
The Elcomsoft product can't access the device key, therefore it does not have the "hints" it would have if my media card was only encrypted using the Device Password mode. I think of it like this (and of course I could be wrong): if I encrypt my media card using the Device Password mode, and you analyze the information on my media card and detect a repeating pattern of djfhfhfdjdjddhbfbjrytttrehi, you might conclude that these characters are a key of some sort. If it is a jumbled key, you would have a huge head start when you go to brute force the password that you wouldn't have if this information was stored on my device and not the card you have analyzed. Hence, the Device Key.10-01-11 12:32 PMLike 0 - Could be worse this could be your phones security
Major security flaw found in AT&T's upcoming Samsung Galaxy S II device | Android Central
Okay, we did some more digging, and just to be clear here, there is no security risk. Here's the deal:
When you set your Galaxy S II to require a password, the default time before you're required to enter it is five minutes. You can make that longer or shorter, as you like. The bug is that the unlock screen appears before it's required. So, you can dismiss that screen without doing inputting your pattern if it's within the five minute window you set that doesn't require a password. After the five minutes is up it will require you to enter the password correctly, just like it should.
So, it looks like there's a dangerous security flaw, but actually it's a bug where a screen pops up before it's supposed to. In other words, you shouldn't worry about this, and you may enjoy your Galaxy S II in peace. Samsung is working on correcting the bug, though, just so it's not confusing. And if you want, you can set it to require a password immediately, and then you'll never see this issue at all (though you will be punching in your password a lot).10-01-11 06:32 PMLike 0 - This may have already been said, and I might be making a mistake, but if millions of passwords are tried every second, and the BlackBerry wipes after 10 failed password attempts...
Sent from my NookColor using Tapatalk10-01-11 11:16 PMLike 0 - Are you blinded by your ignorance or are you a fool for what RIM spoon feeds you?
URL:
zdnet.com/blog/security/pwn2own-2011-blackberry-falls-to-webkit-browser-attack/8401
QUOTE:
Stone confirmed that the BlackBerry does not contain ASLR or DEP but said the company is looking at adding these security enhancements to future BlackBerry versions.
While the research team acknowledged that the BlackBerry benefits from obscurity, Iozzo said the absence of ASLR, DEP and code signing has put the device “way behind the iPhone” from a security perspective.
“The advantage for BlackBerry is the obscurity. It makes it a bit harder to attack a system if you don’t have documentation and information,” Iozzo said.
The quote is from people who have successfully defeated BB security - regardless of who else tells you whatever they tell you, this is a great insight and a very reliable source of information about BB security.
If iphone security is so advanced why can a cellbrite hack through it in 5 seconds? Why can you go to a website to jailbreak and root the iphone in a matter of minutes and then change the password. Yes you can do stuff to the blackberry do, but the device itself has never really been the target of drive-by vulnerabilities on a scale seen by android or ios.
You might want to post some credible links so we at crackberry know the blackberry is a ticking time bomb security risk and show how easy it is to hack it given proper security precautions. I don't know what baloney you believe on the internet but it sounds like you add rye bread and mustard to it.Last edited by i7guy; 10-02-11 at 09:12 AM.
Jake Storm likes this.10-02-11 09:08 AMLike 1
- Forum
- Popular at CrackBerry
- General BlackBerry News, Discussion & Rumors
ElcomSoft breaks Blackberry Device Password
LINK TO POST COPIED TO CLIPBOARD