10-17-15 03:15 AM
  1. BCITMike's Avatar
    What I see here is that this is just a marketing ploy from Elcomsoft and trying to damage BlackBerry's reputation.

    Cracking Password Keeper using their software and that the cracker must have the BBID and its password. I thought Elcomsoft's discovered backdoor wouldn't need anything. Having knowledge of the BBID and its corresponding password is the same as giving the key of the door to the thief and the thief would just have to insert the key and open the door.

    Correct me if I'm wrong.

    Edit: I don't cloud-sync my Password Keeper.

    "But I say this to you, love your enemies and pray for those who persecute you;" - Matthew 5:44
    My beef is the "master password". I would be under the impression that THAT would be the one and only password that can be used to access the stored usernames and passwords.

    The fact that you don't need the "master password", makes it NOT a master password. That's my beef.

    It's like configuring a really secure SSH password, and then finding out there is an SSH key stored that bypasses passwords.

    "Welcome to Password Keeper!"
    "This application allows you to store all of your passwords in one secure location. All of your data is encrypted and protected from unwanted access with a single Password Keeper password."
    Which is no longer true, if the escrow key is encrypted with BB ID and password, then this makes their quote above incorrect.

    Solution, the escrow key (if it's really needed) should also be encrypted with master password.
    Superdupont 2_0 likes this.
    08-12-15 02:27 PM
  2. BCITMike's Avatar
    What I see here is that this is just a marketing ploy from Elcomsoft and trying to damage BlackBerry's reputation.

    Cracking Password Keeper using their software and that the cracker must have the BBID and its password. I thought Elcomsoft's discovered backdoor wouldn't need anything. Having knowledge of the BBID and its corresponding password is the same as giving the key of the door to the thief and the thief would just have to insert the key and open the door.

    Correct me if I'm wrong.

    Edit: I don't cloud-sync my Password Keeper.

    "But I say this to you, love your enemies and pray for those who persecute you;" - Matthew 5:44
    No.

    If I have a locked safe in my home with personal effects (passports, deeds, birth certificates, etc), I expect that to be additionally secured from the front door keys. The door can be bashed in, the windows broken and thieves enter. But the safe should provide additional protection from the house keys.

    This is like leaving the safe open and giving your keys to the thieves. The safe should be on a different security mechanism.
    08-12-15 02:31 PM
  3. AnimalPak200's Avatar
    No.

    If I have a locked safe in my home with personal effects (passports, deeds, birth certificates, etc), I expect that to be additionally secured from the front door keys. The door can be bashed in, the windows broken and thieves enter. But the safe should provide additional protection from the house keys.

    This is like leaving the safe open and giving your keys to the thieves. The safe should be on a different security mechanism.
    Yup... they even make it look like a 'safe'... lol

    Posted via CB10
    08-12-15 03:40 PM
  4. Prem WatsApp's Avatar
    Elcomsoft apparently claims (iirc) they can get your device password if you have your SD card encrypted and they can brute force a file or two, that way getting access to your device (password) and subsequently BB Link backups...

    So the encrypted SD card would be the most dangerous alley they could exploit. Anyone chime in?

    :-D

      BB10 -- Finger flickin' good... in any form factor!  
    08-12-15 04:58 PM
  5. peter0328's Avatar
    Elcomsoft apparently claims (iirc) they can get your device password if you have your SD card encrypted and they can brute force a file or two, that way getting access to your device (password) and subsequently BB Link backups...

    So the encrypted SD card would be the most dangerous alley they could exploit. Anyone chime in?

    :-D

      BB10 -- Finger flickin' good... in any form factor!  
    That was for BlackBerry OS devices that used the password encryption option for the SD card.

    That option was removed in BlackBerry 10 in part to stop that vulnerability.

    Posted via CB10
    08-12-15 07:14 PM
  6. powereds's Avatar
    My beef is the "master password". I would be under the impression that THAT would be the one and only password that can be used to access the stored usernames and passwords.

    The fact that you don't need the "master password", makes it NOT a master password. That's my beef.

    It's like configuring a really secure SSH password, and then finding out there is an SSH key stored that bypasses passwords.



    Which is no longer true, if the escrow key is encrypted with BB ID and password, then this makes their quote above incorrect.

    Solution, the escrow key (if it's really needed) should also be encrypted with master password.
    I'm with you that having an escrow key is kind of departing from the one-key access.

    But even if there is an escrow key and a cracker software, you still have to know the BBID and its corresponding password to be able to get the accounts inside the keeper without using the master password. If it's not encrypted then there is a problem.

    If Elcomsoft can tell us that the escrow key can be decrypted also using a private key held by BlackBerry then that's the end of the story.

    "But I say this to you, love your enemies and pray for those who persecute you;" - Matthew 5:44
    08-13-15 03:45 AM
  7. powereds's Avatar
    That was for BlackBerry OS devices that used the password encryption option for the SD card.

    That option was removed in BlackBerry 10 in part to stop that vulnerability.

    Posted via CB10
    How does the BlackBerry 10 media card encryption differ from BBOS password encryption?

    "But I say this to you, love your enemies and pray for those who persecute you;" - Matthew 5:44
    08-13-15 03:58 AM
  8. Superdupont 2_0's Avatar
    Guys, isn't it obvious that this is a simple backdoor for certain crime cases?

    The police have seized the computer of the suspect and find a device backup (because you always should make a backup).
    Then they ask BlackBerry to disclose BB ID and BB ID Password.
    Finally they use this information to open up Password Keeper with the escrow key.

    I am a BB 10 fan and always defend them when people argue about backdoors, but this looks like a backdoor on purpose.
    peter0328 likes this.
    08-13-15 04:04 AM
  9. peter0328's Avatar
    How does the BlackBerry 10 media card encryption differ from BBOS password encryption?

    "But I say this to you, love your enemies and pray for those who persecute you;" - Matthew 5:44
    BlackBerry 10 SD encryption uses device key based mode only, not password based option like in BlackBerry OS. So the key for the SD encryption is stored on the phone in a non-accessible portion of memory and is unrelated to any device passwords. This is why if you put the SD in another device or wipe your phone that encrypted the card you can't access it, since the key is lost.

    Posted via CB10
    08-13-15 05:53 AM
  10. LazyEvul's Avatar
    Guys, isn't it obvious that this is a simple backdoor for certain crime cases?

    The police have seized the computer of the suspect and find a device backup (because you always should make a backup).
    Then they ask BlackBerry to disclose BB ID and BB ID Password.
    Finally they use this information to open up Password Keeper with the escrow key.

    I am a BB 10 fan and always defend them when people argue about backdoors, but this looks like a backdoor on purpose.
    If BlackBerry can hand over your password, they are using some very poor password storage practices.

    Posted via CB10
    08-13-15 07:53 AM
  11. Glenn Biddle's Avatar
    So it's a back door, but you need a key to get in. By the way it's not mandatory that you use password keeper, I don't.

    Posted via CB10
    08-13-15 08:50 AM
  12. Superdupont 2_0's Avatar
    If BlackBerry can hand over your password, they are using some very poor password storage practices.

    Posted via CB10
    Well, their servers know my BB ID password and I assume they are in full control over their own servers.
    Of course they will encrypt the stored passwords, but normally that's a reversible process (if they did not shoot the guy who did the encryption), so on request they should be able to decrypt it and hand it over.

    PS:
    If my understanding here was correct, BlackBerry should fire the person who is responsible for this (or probably they already did).
    I can deal to a certain degree with a "frontdoor", but backdoors are really eroding trust and reputation and less democratic regimes in China, Russia etc etc.... could use this backdoor against their citizens.

    So, better to encrypt your backups on the computer with Truecrypt (and store the password in Password Keeper).
    08-13-15 09:16 AM
  13. LazyEvul's Avatar
    Well, their servers know my BB ID password and I assume they are in full control over their own servers.
    Of course they will encrypt the stored passwords, but normally that's a reversible process (if they did not shoot the guy who did the encryption), so on request they should be able to decrypt it and hand it over.
    A properly-stored password should be scrambled using a hashing algorithm. This algorithm is one-way and cannot be reversed.

    Posted via CB10
    Superdupont 2_0 likes this.
    08-13-15 10:41 AM
  14. randomroyalty's Avatar
    After losing my Password Keeper cloud backup after an OS reinstall (BlackBerry servers rejected my BBID and I had to reset), I decided I needed a cross platform solution where I controlled the cloud backup. I went with KeePass and use KeePass2Android on my mobile devices and store the encrypted file on a cloud drive that I know is difficult to hack (2 step authentication).

    I've been wary of locally storing BB10 backups on my computer so I upload to the same cloud drive and secure erase.





    Posted via CB10
    08-13-15 12:04 PM
  15. keithhackneysmullet's Avatar
    It's a NSA/police backdoor purposely put in by BlackBerry. I wish BlackBerry had the cojones to stand up to these modern day brown shirts.


    Posted via CB10
    08-14-15 09:05 AM
  16. Superdupont 2_0's Avatar
    A properly-stored password should be scrambled using a hashing algorithm. This algorithm is one-way and cannot be reversed.
    Posted via CB10
    Okay, please try to explain it with different words to a pure-hobby-IT guy like me.

    Does that mean, each time my device submits the BB ID password, that it is sent in encrypted form + TLS (not only TLS), and only the server is able to decrypt it, calculate the hash value and compare this with a hash value in their database, while no person can actually see the password itself, even if they want to?
    Note: If the device would send the password "only" via TLS, BlackBerry could mitmdle it out of the traffic.
    08-14-15 09:41 AM
  17. KermEd's Avatar
    If you're talking about a BlackBerry made app having a backdoor to bypass security, then it doesn't surprise me. They are founded in Canada where upon arrest for anything - by law we have to grant access to our devices by authorities. If we refuse to do so, phone manufacturers must do so on our behalf, which requires a backdoor to unlock everything BlackBerry. They do this with a tool provided to law enforcement.

    The hard part is finding the door

    But then again Password Keepers are always by design a bad idea. You should not store passwords anywhere and you definitely should not store them in one place. It opens you to ransomware and gives attackers a single point of attack to have access to every critical password you have.

    Posted to CB via my Passport | Lloyd Summers | FileArchiveHaven
    08-14-15 09:59 AM
  18. jasonvan9's Avatar
    [Attached screenshot: img_20150814_110857.png]

    this says the key is generated from the password keeper password itself, so it's not a single key to decrypt all data from everyone's password keeper backup.

    everyone would have their own unique key based on their password for password keeper

    correct me if I'm wrong, but the article says they don't need your password keeper master password they can decrypt it without it.. but I don't see how if each keep is separately generated based on an unknown password

    Posted via CB10
    BCITMike likes this.
    08-14-15 10:11 AM
  19. LazyEvul's Avatar
    Okay, please try to explain it with different words to a pure-hobby-IT guy like me.

    Does that mean, each time my device submits the BB ID password, that it is sent in encrypted form + TLS (not only TLS), and only the server is able to decrypt it, calculate the hash value and compare this with a hash value in their database, while no person can actually see the password itself, even if they want to?
    Note: If the device would send the password "only" via TLS, BlackBerry could mitmdle it out of the traffic.
    Ideally, what should happen is that the entered password is run through the hash function on the client side, then combined with a salt value that is unique to the BBID - the salt is added so that identical passwords do not appear as identical hash values in the database. Then this hash value is sent to the server, maybe run through additional hashing to slow down brute force attempts, and compared with the value in the database.

    If the value is identical, the server knows you've entered the correct password - but it has no idea what that password is, because the hash function is not reversible. All the server knows is the salt and hash, leaving brute force or client-side exploits as the only method of obtaining the password. A well-designed setup should never send your plaintext password to the server, even if it's via TLS.

    Posted via CB10
    Last edited by LazyEvul; 08-14-15 at 11:01 AM.
    08-14-15 10:38 AM
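Added example, not part of the thread and not BlackBerry's actual BBID protocol: a sketch of the scheme described in post 19, with a per-account salt, a client-side hash, and additional hashing on the server. The class and function names, the work factors and the sample accounts are all hypothetical.

```python
import hashlib
import hmac
import os

CLIENT_ROUNDS = 100_000  # illustrative work factors, not taken from the thread
SERVER_ROUNDS = 50_000


def client_hash(password: str, salt: bytes) -> bytes:
    """Runs on the device; the plaintext password never leaves this function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, CLIENT_ROUNDS)


class AuthServer:
    """Hypothetical server that keeps only salts and a re-hashed value per account."""

    def __init__(self):
        self._db = {}  # account -> (client_salt, server_salt, stored_hash)

    def register(self, account: str, salt: bytes, pw_hash: bytes) -> None:
        server_salt = os.urandom(16)
        # The extra server-side pass slows brute force and means a leaked
        # stored_hash cannot simply be replayed as the value a client sends.
        stored = hashlib.pbkdf2_hmac("sha256", pw_hash, server_salt, SERVER_ROUNDS)
        self._db[account] = (salt, server_salt, stored)

    def salt_for(self, account: str) -> bytes:
        return self._db[account][0]

    def stored_hash(self, account: str) -> bytes:
        return self._db[account][2]

    def login(self, account: str, pw_hash: bytes) -> bool:
        if account not in self._db:
            return False
        _, server_salt, stored = self._db[account]
        candidate = hashlib.pbkdf2_hmac("sha256", pw_hash, server_salt, SERVER_ROUNDS)
        return hmac.compare_digest(candidate, stored)  # constant-time compare


def enroll(server: AuthServer, account: str, password: str) -> None:
    salt = os.urandom(16)  # unique per account
    server.register(account, salt, client_hash(password, salt))


def sign_in(server: AuthServer, account: str, password: str) -> bool:
    salt = server.salt_for(account)
    return server.login(account, client_hash(password, salt))


if __name__ == "__main__":
    srv = AuthServer()
    enroll(srv, "alice@example.test", "correct horse")  # constructed accounts
    enroll(srv, "bob@example.test", "correct horse")
    print(sign_in(srv, "alice@example.test", "correct horse"))
    print(sign_in(srv, "alice@example.test", "wrong guess"))
    print(srv.stored_hash("alice@example.test") == srv.stored_hash("bob@example.test"))
```
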
  20. DamianWarS's Avatar
    At the end of the article it pumps itself up and tries to upsell its own password keeper app called 1Password. Then boasts how it's multi-platform and supports "Windows, Mac, Android and iOS devices"

    If you're going to say blackberry password manager is broken then offer a third party app as the solution it seems to me it would sell better if they actually support BB10

    Posted via CB10
    08-14-15 12:05 PM
  21. LazyEvul's Avatar
    At the end of the article it pumps itself up and tries to upsell its own password keeper app called 1Password. Then boasts how it's multi-platform and supports "Windows, Mac, Android and iOS devices"

    If you're going to say blackberry password manager is broken then offer a third party app as the solution it seems to me it would sell better if they actually support BB10

    Posted via CB10
    1Password is developed by Agile Bits, not Elcomsoft. Elcomsoft just claims they have a way of recovering the 1Password master password.

    Posted via CB10
    08-14-15 12:26 PM
  22. Superdupont 2_0's Avatar
    Ideally, what should happen is that the entered password is run through the hash function on the client side, then combined with a salt value that is unique to the BBID - the salt is added so that identical passwords do not appear as identical hash values in the database. Then this hash value is sent to the server, maybe run through additional hashing to slow down brute force attempts, and compared with the value in the database.

    If the value is identical, the server knows you've entered the correct password - but it has no idea what that password is, because the hash function is not reversible. All the server knows is the salt and hash, leaving brute force or client-side exploits as the only method of obtaining the password. A well-designed setup should never send your plaintext password to the server, even if it's via TLS.

    Posted via CB10
    Okay, the set-up you described would certainly never require the password to be sent.


    There is only one problem:
    The escrow key is not described in any kb article or other public documentation I am aware of.
    Hence it wasn't planted for the customers.

    For whom was it planted?


    I can very clearly remember that John Chen said that there are no backdoors in BlackBerry products a couple of times (also when he spoke against US proposals to plant "frontdoors" in IT products).


    Posted via CB10
    08-14-15 01:28 PM
  23. BCITMike's Avatar
    Okay, the set-up you described would certainly never require the password to be sent.


    There is only one problem:
    The escrow key is not described in any kb article or other public documentation I am aware of.
    Hence it wasn't planted for the customers.

    For whom was it planted?


    I can very clearly remember that John Chen said that there are no backdoors in BlackBerry products a couple of times (also when he spoke against US proposals to plant "frontdoors" in IT products).


    Posted via CB10
    See screen shot in post 43 for the mention of a derived key.

    I wonder if this file exists in backup if cloud sync not enabled.

    Posted via CB10
    08-14-15 02:06 PM
  24. jasonvan9's Avatar
    See screen shot in post 43 for the mention of a derived key.

    I wonder if this file exists in backup if cloud sync not enabled.

    Posted via CB10
    it wouldn't store your password for password keeper app on your device or the backup, it is not a saved password

    the key that is derived from your password does also not store your password, but if you can decipher the key and you could decode the password keeper app password that would be the only way it could work.. but seeing how it's AES 256bit decryption I think that would take forever to brute force it

    Posted via CB10
    08-14-15 02:56 PM
  25. BCITMike's Avatar
    it wouldn't store your password for password keeper app on your device or the backup, it is not a saved password

    the key that is derived from your password does also not store your password, but if you can decipher the key and you could decode the password keeper app password that would be the only way it could work.. but seeing how it's AES 256bit decryption I think that would take forever to brute force it

    Posted via CB10
    "the key that is derived from your password does also not store your password"

    I don't know what you're saying. Keys don't store passwords. They are keys only and do not have storage.

    "but if you can decipher the key and you could decode the password keeper app password that would be the only way it could work."

    If you have the escrow key, you don't need the "app password". The escrow key is only encrypted by the BBID and password. So you decrypt the backup using BBID/password. This gives you the escrow key, and the Password keeper container in another encrypted form. The container is decrypted further using BBID and password. Using escrow key and decrypted container, all stored Password Keeper passwords are pwned.

    "decode the password keeper app password that would be the only way it could work.."

    No, that is the whole point of this thread. No need to know the "password keeper app password" as long as you have BBID, password, and a backup. You do not need to reverse or figure out the original master password set by the user.
    08-14-15 09:53 PM
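Added example, not part of the thread and not BlackBerry's actual backup format: a model of the key hierarchy argued over above, where one vault key is wrapped under the master password and again under the account (BBID) password, next to the fix suggested in post 1 of binding the escrow copy to the master password as well. All names are hypothetical, and the PBKDF2 pad plus HMAC wrap is a standard-library stand-in for a real authenticated key wrap such as AES.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # illustrative work factor, not taken from the thread


def _derive(secret: str, salt: bytes) -> bytes:
    """64 bytes from a password: a 32-byte wrapping pad plus a 32-byte MAC key."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS, dklen=64)


def wrap(key: bytes, secret: str) -> dict:
    """Wrap a 32-byte key under a password (toy stand-in for AES key wrap)."""
    salt = os.urandom(16)
    material = _derive(secret, salt)
    ct = bytes(k ^ p for k, p in zip(key, material[:32]))
    tag = hmac.new(material[32:], ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def unwrap(blob: dict, secret: str) -> bytes:
    """Return the wrapped key, or raise ValueError when the secret is wrong."""
    material = _derive(secret, blob["salt"])
    expected = hmac.new(material[32:], blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong secret for this wrap")
    return bytes(c ^ p for c, p in zip(blob["ct"], material[:32]))


def make_backup(vault_key: bytes, master_pw: str, account_pw: str,
                bind_escrow_to_master: bool) -> dict:
    """Build a backup holding the vault key under two independent wraps."""
    escrow_secret = account_pw  # design described in the thread
    if bind_escrow_to_master:
        # Suggested fix: the escrow copy also depends on the master password.
        escrow_secret = master_pw + "\x00" + account_pw
    return {"master": wrap(vault_key, master_pw),
            "escrow": wrap(vault_key, escrow_secret)}


def recover_with_account_only(backup: dict, account_pw: str):
    """What a holder of the backup and the account password alone can recover."""
    try:
        return unwrap(backup["escrow"], account_pw)
    except ValueError:
        return None


if __name__ == "__main__":
    vault_key = os.urandom(32)
    weak = make_backup(vault_key, "master (constructed)", "bbid-pw (constructed)", False)
    fixed = make_backup(vault_key, "master (constructed)", "bbid-pw (constructed)", True)
    print(recover_with_account_only(weak, "bbid-pw (constructed)") == vault_key)
    print(recover_with_account_only(fixed, "bbid-pw (constructed)"))
```

In the first layout the strength of the master password is irrelevant, because the vault is only as strong as the weaker of the two wraps.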