Elcomsoft found backdoor in Blackberry Password Keeper?
- BlackBerry Password Keeper Escrow Key: Have We Just Found a Hidden Backdoor? « Advanced Password Cracking - Insight
Essentially, we've discovered a backdoor hidden in recent versions of BlackBerry Password Keeper allowing us to decrypt the content of that app instantly without brute-forcing the master password. For our customers, this means instant access to passwords and other sensitive information maintained by BlackBerry Password Keeper. No lengthy waits and no fruitless attacks, just pure convenience. But is this convenience intentional? Did BlackBerry leave a backdoor for government access, or is this an unintentional vulnerability left by the company renowned for its exemplary security model? Let's try to find out.
Old versions of BlackBerry Password Keeper were relying upon a user-selectable master password to protect access to the user's sensitive information. Old versions of Elcomsoft Phone Breaker had to attack that password with all the brute force (and a bit of brain force) we had at our disposal. Whether or not we'd be able to break in would depend on how much we knew about the password and on how long and complex that password was.
This was about to change. And it did. Recent versions of the Keeper app continue using the master password. But that's on the surface. In addition to the master password, BlackBerry Password Keeper now makes use of an escrow key. That escrow key is stored in BlackBerry 10 backups alongside the data. Notably, BlackBerry 10 backups are encrypted, and must be decrypted with Elcomsoft Phone Breaker (using the correct BlackBerry ID and password) in order to gain access to Password Keeper data.
Elcomsoft Phone Breaker 4.10 adds support for the latest version of BlackBerry Password Keeper, enabling the extraction of escrow keys and instant decryption of the protected container. Note that BlackBerry 10 backups containing BlackBerry Password Keeper containers are also encrypted, and must be decrypted with ElcomSoft Phone Breaker using the original BlackBerry ID and password prior to accessing BlackBerry Password Keeper data.
BlackBerry Password Keeper makes use of AES 256 to encrypt information. However, the choice of the algorithm itself does not mean much in terms of how secure the product is going to be. In order for the product to be secure, every stage must be properly implemented, and there must be no backdoors that could render the entire protection scheme pointless.
Now let's pause for a moment and look at the following screenshot of a BlackBerry phone.
Password Keeper has Cloud Synchronization? BlackBerry claims that one can restore the full Password Keeper contents onto a new BlackBerry device provided that the same BlackBerry ID and the same Master Password are used. Now, we know for sure there is an escrow key to that (you can verify that easily by downloading Elcomsoft Phone Breaker 4.10 and processing a BlackBerry 10 backup with a Password Keeper container). Is this escrow key exported to the cloud alongside the data? We don't know. All we do know is that there is an escrow key, and that that key is stored alongside Password Keeper data in BlackBerry 10 backups. We are not suggesting that BlackBerry has intentionally left this backdoor for the convenience of the government. We don't know if that escrow key ever leaves the device (other than being stored in offline backups) or gets synced to the cloud. However, *if* the escrow key is synced to the cloud, then BlackBerry Inc. would have no technical problem accessing all passwords and other data stored in the Password Keeper. Neither would the government.
08-11-15 06:41 AM Like 4
- Sounds like they are theorizing, but... wouldn't decrypting Password Keeper still require this "escrow key" + "user set Password Keeper password"?
Posted via CB10
08-11-15 06:52 AM Like 0
-
It also wouldn't make much sense, because if you have my BB ID + BB ID Password + Password Keeper Password, then you won't need Elcomsoft for anything.
However, very interesting findings, but still a lot of hurdles to take (brute force for the device password, get the BB ID password...)
Last edited by Superdupont 2_0; 08-11-15 at 07:30 AM.
Crapshoot2010 likes this.
08-11-15 07:16 AM Like 1
- Okay. This is interesting. Can anyone tell me what kind of security issue this is? What would it take for this vulnerability to be exploited? Is it accessible remotely or would someone have to take my physical phone from me? In other words how can someone protect themselves? That's most important here. If someone can use this to access my passwords in the cloud then that's an issue. From what I read, they would need to have access to my physical phone to get these keys, unless BlackBerry stores the escrow keys on the cloud as well, which I wouldn't understand why they would need to do that.
Z30STA100-5/10.3.2.2339
08-11-15 07:23 AM Like 0
- Okay. This is interesting. Can anyone tell me what kind of security issue this is? What would it take for this vulnerability to be exploited? Is it accessible remotely or would someone have to take my physical phone from me? In other words how can someone protect themselves? That's most important here. If someone can use this to access my passwords in the cloud then that's an issue. From what I read, they would need to have access to my physical phone to get these keys, unless BlackBerry stores the escrow keys on the cloud as well, which I wouldn't understand why they would need to do that.
Z30STA100-5/10.3.2.2339
1) You have made a backup of Password Keeper in a computer
2) I have any access to this computer
3) I know your BB ID and your BB ID password
First I thought, that if I know 3) already I could set-up another BB 10 device with your ID and try download your passwords from BB Cloud, but I think for this I would need to know the Password Keeper password.
eddy_berry likes this.
08-11-15 07:34 AM Like 1
- I have read it three times and it seems the answer is: No, the password for Password Keeper is not needed.
It also wouldn't make much sense, because if you have my BB ID + BB ID Password + Password Keeper Password, then you won't need Elcomsoft for anything.
However, very interesting findings, but still a lot of hurdles to take (brute force for the device password, get the BB ID password...)
EDIT: I guess it's implied by the result (that they were able to decrypt and access the password keeper data).
Posted via CB10
08-11-15 08:26 AM Like 0
- Okay. This is interesting. Can anyone tell me what kind of security issue this is? What would it take for this vulnerability to be exploited? Is it accessible remotely or would someone have to take my physical phone from me? In other words how can someone protect themselves? That's most important here. If someone can use this to access my passwords in the cloud then that's an issue. From what I read, they would need to have access to my physical phone to get these keys, unless BlackBerry stores the escrow keys on the cloud as well, which I wouldn't understand why they would need to do that.
Z30STA100-5/10.3.2.2339
I'm still confused as to what purpose an escrow key serves in this authentication scheme. For password recovery? Is this something added at the request of BES/work admins (who should escrow your keys) and inadvertently 'left on' for individuals?
Posted via CB10
08-11-15 08:36 AM Like 0
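The design this thread is arguing about, as an added example that is not part of any post and is not BlackBerry's or Elcomsoft's code: a hypothetical container in which the content key is wrapped once under the master password and once under an escrow key stored beside the data. The container layout, all names and the SHA-256 keystream (a stand-in for AES, which Python's standard library lacks) are assumptions.

```python
import hashlib, hmac, os

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher (SHA-256 counter keystream); NOT AES, which the stdlib lacks.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def _mac(kek: bytes, ct: bytes) -> bytes:
    return hmac.new(hashlib.sha256(b"mac" + kek).digest(), ct, "sha256").digest()

def _wrap(kek: bytes, key: bytes) -> bytes:
    ct = _xor_stream(kek, key)
    return ct + _mac(kek, ct)

def _unwrap(kek: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(kek, ct)):
        raise ValueError("wrong key")
    return _xor_stream(kek, ct)

def _kek(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def seal(password: str, secrets: bytes, with_escrow: bool) -> dict:
    """Hypothetical container: data under a random content key, content key
    wrapped under the password and, optionally, under a stored escrow key."""
    salt, content_key = os.urandom(16), os.urandom(32)
    box = {"salt": salt, "data": _xor_stream(content_key, secrets),
           "wrapped_by_password": _wrap(_kek(password, salt), content_key)}
    if with_escrow:
        box["escrow_key"] = os.urandom(32)  # assumption: sits beside the data
        box["wrapped_by_escrow"] = _wrap(box["escrow_key"], content_key)
    return box

def open_with_password(box: dict, password: str) -> bytes:
    key = _unwrap(_kek(password, box["salt"]), box["wrapped_by_password"])
    return _xor_stream(key, box["data"])

def readable_without_password(box: dict):
    """Audit check: plaintext recoverable from the container alone, else None."""
    if "escrow_key" not in box:
        return None
    key = _unwrap(box["escrow_key"], box["wrapped_by_escrow"])
    return _xor_stream(key, box["data"])

SAMPLE = b"bank: hunter2"                   # constructed sample entry
STRONG = "correct horse battery staple 9!"  # constructed master password
```

In this model the strength of the master password only protects the container when no second wrap of the content key is stored with it, which is the point the quoted article makes about the choice of AES 256 not deciding the outcome.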
-
If someone really desperately wants my password list, good old spanking might be the more efficient way, but still interesting news for certain people who can ask BlackBerry to cooperate in certain cases.
08-11-15 10:21 AM Like 0
- Prerequisite (as far as I understood):
1) You have made a backup of Password Keeper in a computer
2) I have any access to this computer
3) I know your BB ID and your BB ID password
First I thought, that if I know 3) already I could set-up another BB 10 device with your ID and try download your passwords from BB Cloud, but I think for this I would need to know the Password Keeper password.
And for someone like me who sets up all the blackberries in my household, I know everyone's bbid bbid password. But I don't know their password keeper password. Supposedly someone in my position wanted to snoop on their passwords... maybe this would be a solution.
Posted via CB10
anon(5990673) likes this.
08-11-15 10:57 AM Like 1
- This is nearly useless.
You also need the user's BBID, device password, AND access to a backup file of the device for this to work. If you let someone have access to all of that then security is probably the least of your worries and you would probably have half your passwords unencrypted in the Remember/Notepad App anyway (which I see happen ALL the time lol). Plus, the phone must not have BB Protect enabled so the owner can't just disable/wipe the phone remotely. At that point, the hacker would already have access to your phone, all its files, app data through your backups, cookies and login information for anything the user has accessed through the phone and checked "Remember me", and even access through BB Protect website.
They would be better off robbing you and just saying "Give me your passwords, or else!".
08-11-15 12:03 PM Like 0
- This is nearly useless.
You also need the user's BBID, device password, AND access to a backup file of the device for this to work. If you let someone have access to all of that then security is probably the least of your worries and you would probably have half your passwords unencrypted in the Remember/Notepad App anyway (which I see happen ALL the time lol). Plus, the phone must not have BB Protect enabled so the owner can't just disable/wipe the phone remotely. At that point, the hacker would already have access to your phone, all its files, app data through your backups, cookies and login information for anything the user has accessed through the phone and checked "Remember me", and even access through BB Protect website.
They would be better off robbing you and just saying "Give me your passwords, or else!".
08-11-15 12:08 PM Like 0
- Bla1zeCB OG
It's pretty much the equivalent of SEO spam lol. No doubt some of it works but like I said, there's always very specific caveats in place.. eg: You already have to know certain passwords, you have to have full access to the device, etc etc.
Even 1Password doesn't seem overly concerned with their findings, and fact is, most people haven't been overly concerned with Elcomsoft since 2010-ish. They grab some scary headlines here and there and then they fade off again until a new version pops up. Go ahead, do some due diligence and research reviews on some of their previous versions and products. Most come up 50/50 on whether or not it even works most of the time.
https://twitter.com/kentindell/statu...87024284942336
If you're overly concerned about it, keep an eye on the BlackBerry SIRT page and see if they issue any advisories. Heck, for that matter, submit it yourself if you feel it may help. Though I'm sure if it's a real issue, they already know and will issue a release or fix, assuming it's even needed.
http://us.blackberry.com/enterprise/...onse-team.html
08-11-15 11:00 PM Like 7
- I can hack everyone's phones as well...just give me your phones and all your passwords.
Denise in Los Angeles likes this.
08-12-15 09:17 AM Like 1
- Let's pretend this is a major problem. How long would it take for Blackberry to fix, and even worse how long would it take to get it to their customers? Carriers still aren't even pushing the latest version for BB10... That's a huge exposure for Blackberry. You can't rely on their carriers to send out the fixes in a reasonable amount of time.
08-12-15 01:16 PM Like 0
-
Cracking Password Keeper using their software and that the cracker must have the BBID and its password. I thought Elcomsoft's discovered backdoor wouldn't need anything. Having knowledge of the BBID and its corresponding password is the same as giving the key of the door to the thief and the thief would just have to insert the key and open the door.
Correct me if I'm wrong.
Edit: I don't cloud-sync my Password Keeper.
"But I say this to you, love your enemies and pray for those who persecute you;" - Matthew 5:44
08-12-15 01:44 PM Like 0
- Let's pretend this is a major problem. How long would it take for Blackberry to fix, and even worse how long would it take to get it to their customers? Carriers still aren't even pushing the latest version for BB10... That's a huge exposure for Blackberry. You can't rely on their carriers to send out the fixes in a reasonable amount of time.
08-12-15 02:21 PM Like 0