  1. qbnkelt's Avatar
    Oh, that doesn't matter. Nobody cares about security.
    09-30-11 04:56 PM
  2. Tre Lawrence's Avatar
    Classic response.

    "It's a non-issue, but even if it is an issue, it could be worse. It could be Android."

    LOL.

    You guys need to start a non-profit to save the poor, misguided "sheep" from the perils of Android.

    I think the BBOS vulnerability is not that much of an issue, IMHO.
    09-30-11 04:57 PM
  3. rdkempt's Avatar
    It's an interesting hack - it seems the more we learn about the actual security of BBs, the more we have to facepalm. I wouldn't argue that BBs are easiest to manage in a corporate environment, but from a real security point... they're kinda fail.

    Someone already referenced the pwn2own competition where the person who successfully "pwned" the BB had stated that RIM is years and years away from iOS or Android security - security through obscurity is not real security.
    09-30-11 09:30 PM
  4. i7guy's Avatar
    Actually from a real security standpoint they are virtually unhackable and very easy to manage in a corporate environment, not needing additional software to make them more secure. Even with these revelations you still can't hack the device.

    You are correct however about bb security being years away from iOS and android, in a positive direction that is.
    hornlovah likes this.
    09-30-11 09:52 PM
  5. i7guy's Avatar
    Classic response.

    "It's a non-issue, but even if it is an issue, it could be worse. It could be Android."

    LOL.

    You guys need to start a non-profit to save the poor, misguided "sheep" from the perils of Android.

    I think the BBOS vulnerability is not that much of an issue, IMHO.
    It is a virtual red herring non issue. You don't even have to update device software to plug the trails left by the files:

    1. encrypt your dm manager backup.
    2. Unencrypt your sd card if it is encrypted, or throw your pics on internal memory.
    3. Use a decent password.
    09-30-11 09:59 PM
  6. EveryApp Mobile's Avatar
    RIM could easily fix this by using a different encryption method which takes longer to brute force. If they use a stronger encryption method it could take months to years to brute force.
    09-30-11 10:12 PM
  7. T
    Pwn2own isn't getting into a properly configured BlackBerry any time soon. By properly configured, I mean protected with a strong password, encryption turned on (mode set to other than Device Password), and browser javascript turned off.

    Posted from my CrackBerry at wapforums.crackberry.com
    09-30-11 10:19 PM
  8. hornlovah's Avatar
    RIM could easily fix this by using a different encryption method which takes longer to brute force. If they use a stronger encryption method it could take months to years to brute force.
    No, read This_is_a_username's response to my leading question above. If you choose to share encrypted data with other devices, your security/privacy is dependent on the strength of your password. Otherwise, the various device vendors would have to agree on a cross platform protocol to protect your password and implement it on a huge scale.
    09-30-11 11:22 PM
  9. T
    This has nothing to do with sharing encrypted data with other devices. This has to do with using a certain cracking program to extrapolate a BlackBerry's password using the information stored on a BlackBerry's encrypted media card. Everyone, read ... If you don't want someone to use the Elcomsoft password cracker to obtain your BlackBerry's password, do one of the following:

    1. Do not encrypt your media card, OR

    2. Encrypt your media card using a mode other than "Device Password." Use "Device Key" or "Device Password & Device Key."

    Then freely hand your phone to someone who has the Elcomsoft cracking program and watch him not be able to crack into your BlackBerry.

    Posted from my CrackBerry at wapforums.crackberry.com
    Last edited by Tnis; 10-01-11 at 08:35 AM.
    i7guy likes this.
    10-01-11 08:31 AM
  10. EveryApp Mobile's Avatar
    No, read This_is_a_username's response to my leading question above. If you choose to share encrypted data with other devices, your security/privacy is dependent on the strength of your password. Otherwise, the various device vendors would have to agree on a cross platform protocol to protect your password and implement it on a huge scale.
    No, that is not correct at all. It is dependent on the encryption method and length of the password. I read his post and it's exactly what I'm saying....
    Last edited by EveryApp Mobile; 10-01-11 at 08:40 AM.
    10-01-11 08:34 AM
  11. EveryApp Mobile's Avatar
    This has nothing to do with sharing encrypted data with other devices. This has to do with using a certain cracking program to extrapolate a BlackBerry's password using the information stored on a BlackBerry's encrypted media card. Everyone, read ... If you don't want someone to use the Elcomsoft password cracker to obtain your BlackBerry's password, do one of the following:

    1. Do not encrypt your media card, OR

    2. Encrypt your media card using a mode other than "Device Password." Use "Device Key" or "Device Password & Device Key."

    Then freely hand your phone to someone who has the Elcomsoft cracking program and watch him not be able to crack into your BlackBerry.

    Posted from my CrackBerry at wapforums.crackberry.com

    This has to do with the files that use "media encryption" using the device password with a weak encryption method to encrypt the files. The password cracker brute forces the files and obtains the device password because the "media encryption" is weak.
    10-01-11 08:37 AM
  12. Rickroller's Avatar
    Oh, that doesn't matter. Nobody cares about security.
    That's right..most people don't. Save for the diehards on this site..the reason 90% of the population "lock" their devices is to keep snooping parents, spouses, friends etc out of their text/message histories. Hell..most of the time I don't even lock my phone. I do however keep anything I want safe in an encrypted program..so no matter who gets my phone..they won't get into that file. Contact lists..text message histories..meh..doesn't bother me if some Joe Schmo gets ahold of them. If they want my Aunt Flo's number have at it..she's lonely anyways
    10-01-11 08:49 AM
  13. T
    This has to do with the files that use "media encryption" using the device password with a weak encryption method to encrypt the files. The password cracker brute forces the files and obtains the device password because the "media encryption" is weak.
    You are wrong. BlackBerries are encrypted using the AES. Even a not-so-strong password would take forever to crack. (I don't mean 0000 or ASDF.) When a BlackBerry user selects the "device password" mode of encryption, more information is stored on the media card, and the Elcomsoft cracking program analyzes that information and THEN brute forces the password. It would not be able to brute force the password so fast (even with a weaker password) without analyzing the media card information that is stored there when a user selects the Device Password mode of encryption.

    Posted from my CrackBerry at wapforums.crackberry.com
    Last edited by Tnis; 10-01-11 at 09:02 AM.
    10-01-11 08:57 AM
  14. hornlovah's Avatar
    You are wrong. BlackBerries are encrypted using the AES. Even a not-so-strong password would take forever to crack. (I don't mean 0000 or ASDF.) When a BlackBerry user selects the "device password" mode of encryption, more information is stored on the media card, and the Elcomsoft cracking program analyzes that information and THEN brute forces the password. It would not be able to brute force the password so fast (even with a weaker password) without analyzing the media card information that is stored there when a user selects the Device Password mode of encryption.

    Posted from my CrackBerry at wapforums.crackberry.com
    If you select device password only to encrypt your media card, you are making a choice to share your removable media, whether you realize it or not. It’s that simple. Currently, there is no widely established method to strengthen your password while making it available to a wide range of other devices. No one considers 256-bit AES encryption weak, but if you are relying on a 4-character password to decode it, your external data is vulnerable. BlackBerry users cannot take advantage of the awesome key generation methods used for internal memory when they select the password only option for their media card. We can all agree on this, right?
    Last edited by hornlovah; 10-01-11 at 10:15 AM.
    10-01-11 10:02 AM
  15. rdkempt's Avatar
    Actually from a real security standpoint they are virtually unhackable and very easy to manage in a corporate environment, not needing additional software to make them more secure. Even with these revelations you still can't hack the device.

    You are correct however about bb security being years away from iOS and android, in a positive direction that is.
    Are you blinded by your ignorance or are you a fool for what RIM spoon feeds you?

    URL:
    zdnet.com/blog/security/pwn2own-2011-blackberry-falls-to-webkit-browser-attack/8401

    QUOTE:
    Stone confirmed that the BlackBerry does not contain ASLR or DEP but said the company is looking at adding these security enhancements to future BlackBerry versions.

    While the research team acknowledged that the BlackBerry benefits from obscurity, Iozzo said the absence of ASLR, DEP and code signing has put the device "way behind the iPhone" from a security perspective.

    "The advantage for BlackBerry is the obscurity. It makes it a bit harder to attack a system if you don't have documentation and information," Iozzo said.



    The quote is from people who have successfully defeated BB security - regardless of who else tells you whatever they tell you, this is a great insight and a very reliable source of information about BB security.
    10-01-11 10:16 AM
  16. T
    @hornlovah --

    I use a 21 character password, so I'm all for strong passwords. I was using "Device Password" as the encryption mode on my BlackBerry. Why? Not because I wanted to share my media but because I didn't want my encrypted media files rendered useless if my device died or was wiped. I wanted the option of being able to transfer my card to another BlackBerry and have meaningful access to my encrypted files upon entering the card's password. When I learned that software was developed which is able to exploit a vulnerability in this method, I switched to an encryption mode which employs a device key in addition to my device password. The Elcomsoft product can't access the device key, therefore it does not have the "hints" it would have if my media card was only encrypted using the Device Password mode. I think of it like this (and of course I could be wrong): if I encrypt my media card using the Device Password mode, and you analyze the information on my media card and detect a repeating pattern of djfhfhfdjdjddhbfbjrytttrehi, you might conclude that these characters are a key of some sort. If it is a jumbled key, you would have a huge head start when you go to brute force the password that you wouldn't have if this information was stored on my device and not the card you have analyzed. Hence, the Device Key.

    Posted from my CrackBerry at wapforums.crackberry.com
    Last edited by Tnis; 10-01-11 at 11:17 AM.
    10-01-11 10:35 AM
  17. renownedanonymous's Avatar
    Isn't the article missing one important fact, that someone would need to gain physical access to your Blackberry? Or am I reading this wrong?

    Couldn't you just remotely wipe the BB if lost? I guess another question would be how long their hack takes to complete? Having re-skimmed the quotes I couldn't find anything.

    Or am I missing the whole story here in that Blackberry Security is supposedly impenetrable. I always thought that someone with enough time and resources could crack anything static? But they're probably not going to want my pictures of the dog or drunken text messages..
    10-01-11 10:43 AM
  18. T
    The quote is from people who have successfully defeated BB security - regardless of who else tells you whatever they tell you, this is a great insight and a very reliable source of information about BB security.
    Those people exploited a vulnerability in the webkit browser. There's no way those people can physically break in to a BlackBerry that is encrypted using a Device Key, not even with the Elcomsoft password cracking software -- the device will wipe after ten tries even if it's connected to a computer using Desktop Manager -- and there's no way they can break in over the air (via the browser exploit) if javascript is turned off.

    Posted from my CrackBerry at wapforums.crackberry.com
    Last edited by Tnis; 10-01-11 at 11:12 AM.
    10-01-11 10:55 AM
  19. T
    Or am I missing the whole story here in that Blackberry Security is supposedly impenetrable. I always thought that someone with enough time and resources could crack anything static? But they're probably not going want my pictures of the dog or drunken text messages..
    The BlackBerry is impenetrable because it employs the AES which till now hasn't been cracked. Why? Not because no one knows how but because it would take too long. The Elcomsoft people found a way to exploit a limitation of the "Device Password" mode of encryption via the media card and speed up the process. It's easy to prevent this. Just choose "Device Key" or "Device Key & Device Password" as the encryption mode OR don't encrypt your media card. They can't brute force anything then, as the BlackBerry will wipe after a user-set maximum of ten tries and the media card itself won't contain enough information to assist in speeding up the brute force attempt to obtain the password.

    Posted from my CrackBerry at wapforums.crackberry.com
    Last edited by Tnis; 10-01-11 at 11:42 AM.
    10-01-11 11:02 AM
  20. Pete6#WP's Avatar
    Those people exploited a vulnerability in the webkit browser. There's no way those people can physically break in to a BlackBerry that is encrypted using a Device Key, not even with the Elcomsoft password cracking software -- the device will wipe after ten tries even if it's connected to a computer using Desktop Manager -- and there's no way they can break in over the air (via the browser exploit) if javascript is turned off.

    Posted from my CrackBerry at wapforums.crackberry.com
    This is absolutely correct. It is also instructive to learn that the WebKit browser originated from yes, you guessed it, Apple http://en.wikipedia.org/wiki/Safari_(web_browser).
    10-01-11 11:37 AM
  21. hornlovah's Avatar
    Those people exploited a vulnerability in the webkit browser. There's no way those people can physically break in to a BlackBerry that is encrypted using a Device Key, not even with the Elcomsoft password cracking software -- the device will wipe after ten tries even if it's connected to a computer using Desktop Manager -- and there's no way they can break in over the air (via the browser exploit) if javascript is turned off.

    Posted from my CrackBerry at wapforums.crackberry.com
    That's why I chose BlackBerry. There has been no public acknowledgement of a way to bypass the password API on the device itself. The same cannot be said for Android or iPhones.
    10-01-11 11:38 AM
  22. hornlovah's Avatar
    @hornlovah --

    I use a 21 character password, so I'm all for strong passwords. I was using "Device Password" as the encryption mode on my BlackBerry. Why? Not because I wanted to share my media but because I didn't want my encrypted media files rendered useless if my device died or was wiped. I wanted the option of being able to transfer my card to another BlackBerry and have meaningful access to my encrypted files upon entering the card's password. When I learned that software was developed which is able to exploit a vulnerability in this method, I switched to an encryption mode which employs a device key in addition to my device password.
    LOL, I did the exact same thing even though I am confident that my passcode is not vulnerable to a dictionary or brute force attack.
    The Elcomsoft product can't access the device key, therefore it does not have the "hints" it would have if my media card was only encrypted using the Device Password mode. I think of it like this (and of course I could be wrong): if I encrypt my media card using the Device Password mode, and you analyze the information on my media card and detect a repeating pattern of djfhfhfdjdjddhbfbjrytttrehi, you might conclude that these characters are a key of some sort. If it is a jumbled key, you would have a huge head start when you go to brute force the password that you wouldn't have if this information was stored on my device and not the card you have analyzed. Hence, the Device Key.
    Just remember that no one will attack the encryption itself, and brute force is always a last resort. What they will do is attempt to isolate the encryption keys and exploit them. They will first try a dictionary attack. Word lists that contain millions of words and phrases in multiple languages, mangled words (s@1t), and common passcodes are freely available. These dictionary attacks are always more productive against weak passcodes, but probably not an issue with your 21 character password.
    10-01-11 12:32 PM
  23. katiepea's Avatar
    UPDATE 2:
    Okay, we did some more digging, and just to be clear here, there is no security risk. Here's the deal:
    When you set your Galaxy S II to require a password, the default time before you're required to enter it is five minutes. You can make that longer or shorter, as you like. The bug is that the unlock screen appears before it's required. So, you can dismiss that screen without inputting your pattern if it's within the five minute window you set that doesn't require a password. After the five minutes is up it will require you to enter the password correctly, just like it should.

    So, it looks like there's a dangerous security flaw, but actually it's a bug where a screen pops up before it's supposed to. In other words, you shouldn't worry about this, and you may enjoy your Galaxy S II in peace. Samsung is working on correcting the bug, though, just so it's not confusing. And if you want, you can set it to require a password immediately, and then you'll never see this issue at all (though you will be punching in your password a lot).
    10-01-11 06:32 PM
  24. SCrid2000's Avatar
    This may have already been said, and I might be making a mistake, but if millions of passwords are tried every second, and the BlackBerry wipes after 10 failed password attempts...

    Sent from my NookColor using Tapatalk
    10-01-11 11:16 PM
  25. i7guy's Avatar
    Are you blinded by your ignorance or are you a fool for what RIM spoon feeds you?

    URL:
    zdnet.com/blog/security/pwn2own-2011-blackberry-falls-to-webkit-browser-attack/8401

    QUOTE:
    Stone confirmed that the BlackBerry does not contain ASLR or DEP but said the company is looking at adding these security enhancements to future BlackBerry versions.

    While the research team acknowledged that the BlackBerry benefits from obscurity, Iozzo said the absence of ASLR, DEP and code signing has put the device “way behind the iPhone” from a security perspective.

    “The advantage for BlackBerry is the obscurity. It makes it a bit harder to attack a system if you don’t have documentation and information,” Iozzo said.



    The quote is from people who have successfully defeated BB security - regardless of who else tells you whatever they tell you, this is a great insight and a very reliable source of information about BB security.
    That is old news and just one of ummm a few odd numbered of security violations uncovered in the last few years.

    If iphone security is so advanced why can a Cellebrite hack through it in 5 seconds? Why can you go to a website to jailbreak and root the iphone in a matter of minutes and then change the password? Yes you can do stuff to the blackberry too, but the device itself has never really been the target of drive-by vulnerabilities on a scale seen by android or ios.

    You might want to post some credible links so we at crackberry know the blackberry is a ticking time bomb security risk and show how easy it is to hack it given proper security precautions. I don't know what baloney you believe on the internet but it sounds like you add rye bread and mustard to it.
    Last edited by i7guy; 10-02-11 at 09:12 AM.
    Jake Storm likes this.
    10-02-11 09:08 AM
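
The "Device Password" versus "Device Key" argument in the thread, and the question of why the ten-try wipe does not limit guessing against a card, shown as an added example that is not part of any post and is not RIM's or Elcomsoft's code. It is a simplified model: the PBKDF2/HMAC construction, the iteration count, the password and the candidate list are constructed assumptions, not the BlackBerry on-card format.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 1000   # constructed value, kept low so the demo runs quickly
MAX_TRIES = 10      # the on-device wipe limit mentioned in the thread


def password_key(password, salt):
    """Stretch a password into a key (model only, not the real derivation)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def check_value(key):
    # Stand-in for any card data that only decrypts correctly under the right key.
    return hmac.new(key, b"media-card-check", hashlib.sha256).digest()


def make_card(password, device_key=None):
    """Password-only mode if device_key is None, else password + device key."""
    salt = secrets.token_bytes(16)
    key = password_key(password, salt)
    if device_key is not None:
        # The device key never leaves the handset, so it is not written to the card.
        key = hmac.new(device_key, key, hashlib.sha256).digest()
    return {"salt": salt, "check": check_value(key)}


def card_only_search(card, candidates):
    """What can be verified from the card alone: (password or None, guesses made)."""
    for n, guess in enumerate(candidates, 1):
        guess_check = check_value(password_key(guess, card["salt"]))
        if hmac.compare_digest(guess_check, card["check"]):
            return guess, n
    return None, len(candidates)


class Device:
    """Handset model: it counts failed unlocks and wipes itself at MAX_TRIES."""

    def __init__(self, password):
        self.device_key = secrets.token_bytes(32)
        self._salt = secrets.token_bytes(16)
        self._pw = password_key(password, self._salt)
        self.failed, self.wiped = 0, False

    def unlock(self, guess):
        if self.wiped:
            return False
        if hmac.compare_digest(password_key(guess, self._salt), self._pw):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= MAX_TRIES:
            self.device_key, self.wiped = None, True
        return False


def demo():
    password = "tulip7"  # constructed; sits at position 15 of 25 candidates
    wrong = [f"guess{i:02d}" for i in range(24)]
    candidates = wrong[:14] + [password] + wrong[14:]
    device = Device(password)
    pw_card = make_card(password)                      # "Device Password" model
    key_card = make_card(password, device.device_key)  # with device key mixed in
    unlocked = any(device.unlock(g) for g in candidates)
    return {"on_device_unlocked": unlocked, "device_wiped": device.wiped,
            "password_mode": card_only_search(pw_card, candidates),
            "device_key_mode": card_only_search(key_card, candidates)}
```

In this model the attempt counter lives on the handset, so it only limits guesses typed into the handset; a password-only card carries everything needed to check a guess elsewhere, while the card made with the device key cannot confirm even the correct password.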