Elcomsoft found backdoor in Blackberry Password Keeper?
-
We are talking about a key that has nothing to do with the app key.
IMHO this news could be worth further investigation by tech journalists.
If this turns out to be what I think it is, I will have left the whole platform next year (work and private).
Posted via CB1008-15-15 02:34 AMLike 0 -
Posted to CB via my Passport | Lloyd Summers | FileArchiveHaven08-15-15 02:10 PMLike 0 - "the key that is derived from your password does also not store your password"
I don't know what you're saying. Keys don't store passwords. They are keys only and do not have storage.
"but if you can decipher the key and you could decode the password keeper app password that would be the only way it could work."
If you have the escrow key, you don't need the "app password". The escrow key is only encrypted by the BBID and password. So you decrypt the backup using BBID/password. This gives you the escrow key, and the Password keeper container in another encrypted form. The container is decrypted further using BBID and password. Using escrow key and decrypted container, all stored Password Keeper passwords are pwned.
"decode the password keeper app password that would be the only way it could work.."
No, that is the whole point of this thread. No need to know the "password keeper app password" as long as you have BBID, password, and a backup. You do not need to reverse or figure out the original master password set by the user.
But since it uses the escrow algorithm to encrypt using the password as the key, than if you could decrypt the escrow algorithm in theory you could derive the password from the decrypted escrow key since the app password was used to generate it
Where did the thought come from that you only need a backup, BBID and password to gain access to all of the passwords in the password keeper app? even after you restore a phone from a backup, you would still need to know the password for the password keeper app as that data is still encrypted using that same unique escrow key... if you dont know the app password, you cant get the passwords contained in it without brute forcing the password or cracking the escrow key used to encrypt them
Posted via CB1008-16-15 06:34 AMLike 0 -
Your screenshot is about a well-kown key, which is used to encrypt the data before they are uploaded to BlackBerry Cloud.
The escrow key we are talking about here has NOTHING to do with BlackBerry Cloud, it is not related to the app password.
More simple: Both keys exists, but they are not related.
Everything you said is true for key 1, but we are talking about key 2.
This second key shouldn't exists.
It's like as if my landlord would give me the keys to my appartment, but keeps a copy without telling me (and when I'm gone for vacation he plunders my mini-bar).08-16-15 11:16 AMLike 0 - The unique escrow key is generated by the password keeper app using the user input password for the app, at least that is what it says in the screen shot I posted from the app
But since it uses the escrow algorithm to encrypt using the password as the key, than if you could decrypt the escrow algorithm in theory you could derive the password from the decrypted escrow key since the app password was used to generate it
Where did the thought come from that you only need a backup, BBID and password to gain access to all of the passwords in the password keeper app? even after you restore a phone from a backup, you would still need to know the password for the password keeper app as that data is still encrypted using that same unique escrow key... if you dont know the app password, you cant get the passwords contained in it without brute forcing the password or cracking the escrow key used to encrypt them
Posted via CB10
Essentially, we’ve discovered a backdoor hidden in recent versions of BlackBerry Password Keeper allowing us to decrypt the content of that app instantly without brute-forcing the master password.
...
That escrow key is stored in BlackBerry 10 backups alongside the data. Notably, BlackBerry 10 backups are encrypted, and must be decrypted with Elcomsoft Phone Breaker (using the correct BlackBerry ID and password) in order to gain access to Password Keeper data.
...
Note that BlackBerry 10 backups containing BlackBerry Password Keeper containers are also encrypted, and must be decrypted with ElcomSoft Phone Breaker using the original BlackBerry ID and password prior to accessing BlackBerry Password Keeper data.08-16-15 09:31 PMLike 0 - You did read the OP, right? If not, read it again. I don't think you're on the same page as us. This is offline hacking. Get access to someone's backup, and brute force decryption by guessing BBID password using a fast computer. Once that is done, the tool can use the escrow key to decrypt the Password Keeper container. Voila, pants down around ankles.
I hope that helps better understand the issue.
Posted via CB10BCITMike likes this.08-17-15 04:02 PMLike 1 - "Key escrow is proactive, anticipating the need for access to keys; a retroactive alternative is key disclosure law, where users are required to surrender keys upon demand by law enforcement, or else face legal penalties. Key disclosure law avoids some of the technical issues and risks of key escrow systems, but also introduces new risks like loss of keys and legal issues such as involuntary self incrimination. The ambiguous term key recovery is applied to both types of systems."
sounds like it could be completely innocent in which they could help you recover a lost backup and you forgot your password lets say.. but it also enables a back door like was mentioned if they ever wanted access without you knowing...
that seems to be the big debate surrounding escrow keys because no key held in an escrow system can be fully trusted based on past abuses.. to be honest, lets say its an honest system and they were trying to help me to recover keys if I forgot my password, id rather have that data lost for ever, unable to be decrypted by myself or blackberry than have a backdoor introduced for recovery and convenience
Posted via CB1008-17-15 04:08 PMLike 0 - Okay, the set-up you described would certainly never require the password to be sent.
There is only one problem:
The escrow key is not described in any kb article or other public documentation I am aware of.
Hence it wasn't planted for the customers.
For whom was it planted?
I can very clearly remember that John Chen said that there are no backdoors in BlackBerry products a couple of times (also when he spoke against US proposals to plant "frontdoors" in IT products).
Posted via CB10
Posted via CB1008-17-15 05:24 PMLike 0 - Prem WatsAppCrackBerry Jester of JestersGuys, isn't it obvious that this is a simple backdoor for certain chrime cases?
The police have seized the computer of the suspect and finds a device backup (because you always should make a backup).
Then they ask BlackBerry to disclose BB ID and BB ID Password.
Finally they use this information to open up Password Keeper with the escrow key.
I am a BB 10 fan and always defend them when people argue about backdoors, but this looks like a backdoor on purpose.
Ahoy, Privateers, ... get ready for some data piracy...! ;-) 10-17-15 03:15 AMLike 0
- Forum
- Popular at CrackBerry
- General BlackBerry News, Discussion & Rumors
Elcomsoft found backdoor in Blackberry Password Keeper?
« How can I restore my backup if I no longer use the same email address I used to do the back up with?
|
Public Transit App with GPS Tracking »
Similar Threads
-
BlackBerry (Classic) will return to Japan on a small scale through MVNO.
By yhamaie in forum BlackBerry ClassicReplies: 32Last Post: 11-25-15, 07:17 AM -
Suspicious of Call Supposedly from BlackBerry
By HelloNuman in forum General BlackBerry News, Discussion & RumorsReplies: 10Last Post: 08-11-15, 10:50 AM -
A question about android BlackBerry software
By EnginDOGN in forum BlackBerry 10 OSReplies: 2Last Post: 08-11-15, 07:03 AM -
Is there any way to make Facebook work better on BlackBerry 10?
By mellowgreenusa in forum Ask a QuestionReplies: 4Last Post: 08-11-15, 03:15 AM -
I have a Blackberry Classic. Is there a way to delete all the properties on my photos?
By CrackBerry Question in forum Ask a QuestionReplies: 1Last Post: 08-10-15, 10:27 PM
LINK TO POST COPIED TO CLIPBOARD