Q. How secure is the data on your BBOS BlackBerry? A. Very (if settings are configured properly).
There seems to be some confusion in the forums about the security of data stored on a BBOS BlackBerry and its media card. Is it possible to "bypass" or "get around" a locked BlackBerry's password by plugging specialized equipment into the handheld's micro-USB port? If not, is there any other way a malicious user could get at the data stored on a BBOS BlackBerry if he doesn't know the password and the phone is locked? This topic aims to clear up that confusion.
Obviously, it's possible to circumvent a locked BlackBerry's password and gain access to device data. That's the very reason for encryption. Why otherwise encrypt device data if you're already using a password on a BlackBerry? Why would RIM/BlackBerry even include encryption as an option if a password is all that is needed to effectively secure a mobile phone's contents? RIM/BlackBerry has the following to say about it in the BIS Security Feature Overview 4.0:
"When you set up encryption of your BlackBerry® device data using the content protection feature, your BlackBerry device is designed to be protected against users with malicious intent who could attempt to steal your data directly from the internal hardware. No one can read your encrypted data without your device password." [emphasis mine]
Now that we see that RIM/BlackBerry anticipates that a malicious user could attempt to steal data directly from a BlackBerry's hardware, we can also see that RIM/BlackBerry has provided an additional safeguard to protect the data on a locked BlackBerry: content protection (i.e. encryption). Let's look at how a malicious user might try to circumvent a locked BlackBerry's password.
Certain equipment made by Cellebrite and other manufacturers is designed to be plugged into mobile phones' micro-USB ports, and it purportedly can be used to get around supported phones' passwords and gain access to their data. How well these devices work with other manufacturers' phones is not relevant to this analysis, but how well the devices will work with a BlackBerry is evident from the manufacturer's own admission:
"Password locked devices are supported when the password is known (the UFED requests the password during the extraction process)." [emphasis mine]
--Cellebrite web site (click on BlackBerry Decoding FAQ)
"Encrypted devices can be extracted if the password is known, or if there is no password lock set on the device." [emphasis mine]
--Cellebrite web site (click on BlackBerry Decoding FAQ)
From these statements, it can be gleaned that Cellebrite UFED equipment is only effective against a password-locked BlackBerry if the password is known! Otherwise, if the BlackBerry password is not known, a malicious user has to resort to a different, more painstaking method available in electronics forensic labs. The methods employed by those labs involve physically removing the handheld's memory chip and accessing the data stored on the memory chip using specialized skills and equipment. Here's where we get to our questions.
Q. Should I password lock my BlackBerry?
A. Yes, if you want to prevent an opportunistic acquaintance, colleague, finder, or thief from gaining access to your device/data and/or if you want to prevent a more skilled person who has access to Cellebrite UFED equipment from gaining access to your data.
Q. Should I encrypt my data?
A. Yes, if you don't want to leave it to chance that Cellebrite or another manufacturer will find a way to get around a BlackBerry's password and/or if you want to prevent a highly skilled and determined forensic technician from gaining meaningful access to your data. A highly skilled, determined forensic technician might still gain access to your device data if he successfully physically removes the memory chip from your BlackBerry as mentioned above, but he will still be faced with the daunting task of trying to brute-force your password to understand your encrypted data; he will have merely overcome the ten-tries limit. And that is why you should use a strong, complex password.
Q. I've heard that a Russian company has figured out how to extrapolate a locked BlackBerry's password using only the data stored on the BlackBerry's removable microSD media card. Should I encrypt my media card?
A. Yes, if you want to protect the data stored on your media card from being meaningfully accessed by an unauthorized user. Elcomsoft has stated that its password cracking method is only effective against a media card that has been encrypted using the "Device Password" mode. This means, of course, that you should use one of the other two available modes to encrypt your media card, either "Device Key" or "Device Password & Device Key."
Here's what Elcomsoft has to say about its own Password Recovery Software:
"Before you get too excited, there is a catch. The new feature requires Media Card encryption to be switched on and set to either 'Security Password' or 'Device Password' mode. If this condition is met, EPPB will be able to run password recovery against device security password ... Actually, we only need one specific file from that media card, so yes, the recovery can be off-loaded and the password can be recovered offline."
--re Elcomsoft Password Recovery Software
Any questions?
/s/ dunshine
(composed with the help of a friend)