1. AlexXF's Avatar
    BlackBerry Password Keeper Escrow Key: Have We Just Found a Hidden Backdoor? « Advanced Password Cracking – Insight

    Essentially, we've discovered a backdoor hidden in recent versions of BlackBerry Password Keeper allowing us to decrypt the content of that app instantly without brute-forcing the master password. For our customers, this means instant access to passwords and other sensitive information maintained by BlackBerry Password Keeper. No lengthy waits and no fruitless attacks, just pure convenience. But is this convenience intentional? Did BlackBerry leave a backdoor for government access, or is this an unintentional vulnerability left by the company renowned for its exemplary security model? Let's try to find out.

    Old versions of BlackBerry Password Keeper were relying upon a user-selectable master password to protect access to the user's sensitive information. Old versions of Elcomsoft Phone Breaker had to attack that password with all the brute force (and a bit of brain force) we had at our disposal. Whether or not we'd be able to break in would depend on how much we knew about the password and on how long and complex that password was.

    This was about to change. And it did. Recent versions of the Keeper app continue using the master password. But that's on the surface. In addition to the master password, BlackBerry Password Keeper now makes use of an escrow key. That escrow key is stored in BlackBerry 10 backups alongside the data. Notably, BlackBerry 10 backups are encrypted, and must be decrypted with Elcomsoft Phone Breaker (using the correct BlackBerry ID and password) in order to gain access to Password Keeper data.

    Elcomsoft Phone Breaker 4.10 adds support for the latest version of BlackBerry Password Keeper, enabling the extraction of escrow keys and instant decryption of the protected container. Note that BlackBerry 10 backups containing BlackBerry Password Keeper containers are also encrypted, and must be decrypted with ElcomSoft Phone Breaker using the original BlackBerry ID and password prior to accessing BlackBerry Password Keeper data.

    BlackBerry Password Keeper makes use of AES 256 to encrypt information. However, the choice of the algorithm itself does not mean much in terms of how secure the product is going to be. In order for the product to be secure, every stage must be properly implemented, and there must be no backdoors that could render the entire protection scheme pointless.

    Now let's pause for a moment and look at the following screenshot of a BlackBerry phone.

    Password Keeper has Cloud Synchronization? BlackBerry claims that one can restore the full Password Keeper contents onto a new BlackBerry device provided that the same BlackBerry ID and the same Master Password are used. Now, we know for sure there is an escrow key to that (you can verify that easily by downloading Elcomsoft Phone Breaker 4.10 and processing a BlackBerry 10 backup with a Password Keeper container). Is this escrow key exported to the cloud alongside the data? We don't know. All we do know is that there is an escrow key, and that that key is stored alongside Password Keeper data in BlackBerry 10 backups. We are not suggesting that BlackBerry has intentionally left this backdoor for the convenience of the government. We don't know if that escrow key ever leaves the device (other than being stored in offline backups) or gets synced to the cloud. However, *if* the escrow key is synced to the cloud, then BlackBerry Inc. would have no technical problem accessing all passwords and other data stored in the Password Keeper. Neither would the government.
    08-11-15 06:41 AM
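A toy model of the design the quoted article describes, added here as an example and not taken from the article, BlackBerry or Elcomsoft: one data key wrapped twice, once under the master password and once under an escrow key that sits in the same backup. The two-wrap layout, the field names and the HMAC-based stand-in for AES-256 are assumptions, since the real container format is not described on this page.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES-256, illustration only.
    blocks = (hmac.new(key, b"\x00" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _tag(key, nonce, ct):
    return hmac.new(key, b"\x01" + nonce + ct, hashlib.sha256).digest()

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + _tag(key, nonce, ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        raise ValueError("wrong key or corrupted blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def _kek(password, salt):
    # Key-encryption key derived from the user's master password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_backup(master_password, secrets, with_escrow):
    data_key, salt = os.urandom(32), os.urandom(16)
    backup = {"salt": salt,
              "vault": seal(data_key, secrets),
              "key_wrapped_by_password": seal(_kek(master_password, salt), data_key)}
    if with_escrow:
        # Assumed layout: the escrow key is stored next to the data it unlocks.
        backup["escrow_key"] = os.urandom(32)
        backup["key_wrapped_by_escrow"] = seal(backup["escrow_key"], data_key)
    return backup

def open_with_password(backup, password):
    data_key = unseal(_kek(password, backup["salt"]), backup["key_wrapped_by_password"])
    return unseal(data_key, backup["vault"])

def open_without_password(backup):
    # Succeeds only when the backup carries its own unwrap path.
    if "escrow_key" not in backup:
        return None
    data_key = unseal(backup["escrow_key"], backup["key_wrapped_by_escrow"])
    return unseal(data_key, backup["vault"])

if __name__ == "__main__":
    for escrow in (False, True):
        b = make_backup("correct horse battery", b"bank: s3cret (constructed)", escrow)
        print("escrow" if escrow else "no escrow", "->", open_without_password(b))
```

In this model the strength of the master password stops mattering once the second wrap and its key travel with the data; whatever protects the backup file itself becomes the only remaining gate.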
  2. AnimalPak200's Avatar
    Sounds like they are theorizing, but... wouldn't decrypting Password Keeper still require this "escrow key" + "user set Password Keeper password"?



    Posted via CB10
    08-11-15 06:52 AM
  3. Superdupont 2_0's Avatar
    Sounds like they are theorizing, but... wouldn't decrypting Password Keeper still require this "escrow key" + "user set Password Keeper password"?
    I have read it three times and it seems the answer is: No, the password for Password Keeper is not needed.

    It also wouldn't make much sense, because if you have my BB ID + BB ID Password + Password Keeper Password, then you won't need Elcomsoft for anything.

    However, very interesting findings, but still a lot of hurdles to take (brute force for the device password, get the BB ID password...)
    Last edited by Superdupont 2_0; 08-11-15 at 07:30 AM.
    Crapshoot2010 likes this.
    08-11-15 07:16 AM
  4. AlexXF's Avatar
    New version of Elcomsoft Phone Breaker decrypts Password Keeper instantly.
    08-11-15 07:16 AM
  5. eddy_berry's Avatar
    Okay. This is interesting. Can anyone tell me what kind of security issue this is? What would it take for this vulnerability to be exploited? Is it accessible remotely or would someone have to take my physical phone from me? In other words how can someone protect themselves? That's most important here. If someone can use this to access my passwords in the cloud then that's an issue. From what I read, they would need to have access to my physical phone to get these keys, unless BlackBerry stores the escrow keys on the cloud as well, which I wouldn't understand why they would need to do that.

    Z30STA100-5/10.3.2.2339
    08-11-15 07:23 AM
  6. Superdupont 2_0's Avatar
    Okay. This is interesting. Can anyone tell me what kind of security issue this is? What would it take for this vulnerability to be exploited? Is it accessible remotely or would someone have to take my physical phone from me? In other words how can someone protect themselves? That's most important here. If someone can use this to access my passwords in the cloud then that's an issue. From what I read, they would need to have access to my physical phone to get these keys, unless BlackBerry stores the escrow keys on the cloud as well, which I wouldn't understand why they would need to do that.

    Z30STA100-5/10.3.2.2339
    Prerequisite (as far as I understood):

    1) You have made a backup of Password Keeper in a computer

    2) I have any access to this computer

    3) I know your BB ID and your BB ID password


    First I thought, that if I know 3) already I could set-up another BB 10 device with your ID and try download your passwords from BB Cloud, but I think for this I would need to know the Password Keeper password.
    eddy_berry likes this.
    08-11-15 07:34 AM
  7. Nick Spagnolo's Avatar
    BlackBerry FIX!

    Z10
    08-11-15 07:39 AM
  8. peter0328's Avatar
    BlackBerry needs to fix this right away!

    Posted via CB10
    08-11-15 07:53 AM
  9. AnimalPak200's Avatar
    I have read it three times and it seems the answer is: No, the password for Password Keeper is not needed.

    It also wouldn't make much sense, because if you have my BB ID + BB ID Password + Password Keeper Password, then you won't need Elcomsoft for anything.

    However, very interesting findings, but still a lot of hurdles to take (brute force for the device password, get the BB ID password...)
    Where does it say the use Password for password keeper is not needed? I must have missed it.

    EDIT: I guess it's implied by the result (that they were able to decrypt and access the password keeper data).

    Posted via CB10
    08-11-15 08:26 AM
  10. AnimalPak200's Avatar
    Okay. This is interesting. Can anyone tell me what kind of security issue this is? What would it take for this vulnerability to be exploited? Is it accessible remotely or would someone have to take my physical phone from me? In other words how can someone protect themselves? That's most important here. If someone can use this to access my passwords in the cloud then that's an issue. From what I read, they would need to have access to my physical phone to get these keys, unless BlackBerry stores the escrow keys on the cloud as well, which I wouldn't understand why they would need to do that.

    Z30STA100-5/10.3.2.2339
    I guess the concern is that 'they could'.

    I'm still confused as to what purpose of an escrow key serves in this authentication scheme. For password recovery? Is this something added at the request of BES/work admins (who should escrow your keys) and inadvertently 'left on' for individuals?

    Posted via CB10
    08-11-15 08:36 AM
  11. Superdupont 2_0's Avatar
    Where does it say the use Password for password keeper is not needed? I must have missed it.

    EDIT: I guess it's implied by the result (that they were able to decrypt and access the password keeper data).
    Yes, it is implied by the result (I wasn't quoting).
    08-11-15 08:56 AM
  12. mad_mdx's Avatar
    You still need the BlackBerry ID and its password to access it though. I'm not sure how anyone could possibly get that save from attempting to brute force it
    08-11-15 10:02 AM
  13. Superdupont 2_0's Avatar
    You still need the BlackBerry ID and its password to access it though. I'm not sure how anyone could possibly get that save from attempting to brute force it
    Yes, and in addition either access to your computer with the back-ups (game over) or the device itself unlocked and BlackBerry Protect disabled etc etc. ...

    If someone really desperately wants my password list, good old spanking might be the more efficient way, but still interesting news for certain people who can ask BlackBerry to cooperate in certain cases.
    08-11-15 10:21 AM
  14. teostar's Avatar
    Prerequisite (as far as I understood):

    1) You have made a backup of Password Keeper in a computer

    2) I have any access to this computer

    3) I know your BB ID and your BB ID password


    First I thought, that if I know 3) already I could set-up another BB 10 device with your ID and try download your passwords from BB Cloud, but I think for this I would need to know the Password Keeper password.
    Not exactly... you have to set up password keeper with the same master password to dload from the cloud.

    And for someone like me and sets up all the blackberries in my household, I know everyone's bbid bbid password. But I don't know their password keeper password. Supposedly someone in my position wanted to snoop on their passwords... maybe this would be a solution.


    Posted via CB10
    anon(5990673) likes this.
    08-11-15 10:57 AM
  15. -Puck-'s Avatar
    This is nearly useless.

    You also need the user's BBID, device password, AND access to a backup file of the device for this to work. If you let someone have access to all of that then security is probably the least of your worries and you would probably have half your passwords unencrypted in the Remember/Notepad App anyway (which I see happen ALL the time lol). Plus, the phone must not have BB Protect enabled so the owner can't just disable/wipe the phone remotely. At that point, the hacker would already have access to your phone, all its files, app data through your backups, cookies and login information for anything the user has accessed through the phone and checked "Remember me", and even access through BB Protect website.

    They would be better off robbing you and just saying "Give me your passwords, or else!".
    08-11-15 12:03 PM
  16. AnimalPak200's Avatar
    This is nearly useless.

    You also need the user's BBID, device password, AND access to a backup file of the device for this to work. If you let someone have access to all of that then security is probably the least of your worries and you would probably have half your passwords unencrypted in the Remember/Notepad App anyway (which I see happen ALL the time lol). Plus, the phone must not have BB Protect enabled so the owner can't just disable/wipe the phone remotely. At that point, the hacker would already have access to your phone, all its files, app data through your backups, cookies and login information for anything the user has accessed through the phone and checked "Remember me", and even access through BB Protect website.

    They would be better off robbing you and just saying "Give me your passwords, or else!".
    I think the point of the article is that: IF BlackBerry stores the escrow key along with (not necessarily next to it, but... if they maintain a copy of it at all) the 'cloud' backup of Password Keeper data, then they can, when persuaded by a third party (Law Enforcement, Intelligence, hackers) actually grant access to your passwords/login info.
    08-11-15 12:08 PM
  17. lnichols's Avatar
    They are already acting like an Android OEM? Can someone tell them they are not allowed to slack until the device says powered by Android at boot.

    Posted via Z30
    eldricho, tw_, techvisor and 1 others like this.
    08-11-15 03:27 PM
  18. BCITMike's Avatar
    Anyone read through terms of service for any language that might apply here?



    Posted via CB10
    08-11-15 03:59 PM
  19. Bla1ze's Avatar
    Elcom says a lot of things, the devil is always in the details, though. There's always a caveat with their stuff. In this case, the BBID and Password are needed lol.
    eldricho, highos and -Puck- like this.
    08-11-15 04:03 PM
  20. peter0328's Avatar
    Elcom says a lot of things, the devil is always in the details, though. There's always a caveat with their stuff. In this case, the BBID and Password are needed lol.
    So they can't brute force a BlackBerry ID password of a backup?

    Posted via CB10
    08-11-15 10:06 PM
  21. Bla1ze's Avatar
    So they can't brute force a BlackBerry ID password of a backup?

    Posted via CB10
    Who knows.. what I do know is they been claiming crap for years. Just look at their Press Release page - https://www.elcomsoft.com/press-releases.html They claimed to have access to Password Keeper back in 2011, there's not really anything new here, they do the same PR crap every few months.

    It's pretty much the equivalent of SEO spam lol. No doubt some of it works but like I said, there's always very specific caveats in place.. eg: You already have to know certain passwords, you have to have full access to the device, etc etc.

    Even 1Password doesn't seem overly concerned with their findings, and fact is, most people haven't been overly concerned with Elcomsoft since 2010-ish. They grab some scary headlines here and there and then they fade off again until a new version pops up. Go ahead, do some due diligence and research reviews on some of their previous versions and products. Most come up 50/50 on whether or not it even works most of the time.

    https://twitter.com/kentindell/statu...87024284942336

    If you're overly concerned about it, keep an eye on the BlackBerry SIRT page and see if they issue any advisories. Heck, for that matter, submit it yourself if you feel it may help. Though I'm sure if it's a real issue, they already know and will issue a release or fix, assuming it's even needed.

    http://us.blackberry.com/enterprise/...onse-team.html
    08-11-15 11:00 PM
  22. Cozz4ever's Avatar
    I can hack everyone's phones as well...just give me your phones and all your passwords.
    08-12-15 09:17 AM
  23. GoJaysGo's Avatar
    Let's pretend this is a major problem. How long would it take for Blackberry to fix, and even worse how long would it take to get it to their customers? Carriers still aren't even pushing the latest version for BB10... That's a huge exposure for Blackberry. You can't rely on their carriers to send out the fixes in a reasonable amount of time.
    08-12-15 01:16 PM
  24. powereds's Avatar
    Elcom says a lot of things, the devil is always in the details, though. There's always a caveat with their stuff. In this case, the BBID and Password are needed lol.
    What I see here is that this is just a marketing ploy from Elcomsoft and trying to damage BlackBerry's reputation.

    Cracking Password Keeper using their software and that the cracker must have the BBID and its password. I thought Elcomsoft's discovered backdoor wouldn't need anything. Having knowledge of the BBID and its corresponding password is the same as giving the key of the door to the thief and the thief would just have to insert the key and open the door.

    Correct me if I'm wrong.

    Edit: I don't cloud-sync my Password Keeper.

    "But I say this to you, love your enemies and pray for those who persecute you;" - Matthew 5:44
    08-12-15 01:44 PM
  25. BCITMike's Avatar
    Let's pretend this is a major problem. How long would it take for Blackberry to fix, and even worse how long would it take to get it to their customers? Carriers still aren't even pushing the latest version for BB10... That's a huge exposure for Blackberry. You can't rely on their carriers to send out the fixes in a reasonable amount of time.
    Password keeper is a standalone app, it would be in BBW, not OS update. I'm assuming the backup is controlled by the OS, not by the version of Link and so it wouldn't require a change to Link and what it backs up.
    08-12-15 02:21 PM