View Single Post
Old 10-04-2011, 04:11 PM   #33 (permalink)
BlackBerry God
aiharkness's Avatar
Join Date: Jul 2005
Location: Florida Panhandle
Model: BBPP
OS: 10.3.3
Carrier: T-Mobile USA
Posts: 14,009
Post Thanks: 28
Thanked 535 Times in 519 Posts

Originally Posted by jmwking View Post
I don't encrypt my card (there's nothing sensitive on it) and I have no idea whether his test is accurately reported. However, if the OS encrypts files one by one rather than encrypting the entire card, it seems plausible the software would only need a single file to decrypt and deduce the password.

Regardless of who may read this board, RIM does need to address it, and soon. It's a major vulnerability.

If I were responsible for a BES installation and keeping corporate data safe, I'd be quite worried.

Posted via Mobile
It is the file(s) that is encrypted and not the card. If you have had encryption disabled and then it is enabled, only files that are written after are encrypted. And when encryption is then disabled, those encrypted files remain encrypted, and files written after encryption is disabled are not encrypted.

From what I read of the software, all you need is a file from the card, which of course means you do need the card to get the file.

What I think I understand is that if you want to be able to move the card to another BlackBerry and read the encrypted files on that other BlackBerry, then there isn't anything else RIM could have done. All other solutions require information on the handset, such as using the device key setting, or a so-called "salt," which would mean the user could only read the the encrypted files on the original BlackBerry.

The real true practical solution to protect the BlackBerry handset password from discovery in this instance is to either not enable encryption using only the device password, or to use a very strong password if you do.

I personally don't see a problem with a strong password for me and the way I use a BlackBerry. If I had a 5 minute time out forced on me it might be a different story. But setting a reasonable time out and manually locking my BlackBerry when I think I need to works for me.

I hesitate to think it's a big deal for RIM because from what I understand I don't know what else they could have done for users who want to encrypt but still want to swap cards between BlackBerrys. It is a big deal for those users, however, but they've created the problem if they are using weak passwords.
Posted via Mobile

Last edited by aiharkness : 10-04-2011 at 04:14 PM.
Offline   Reply With Quote
The Following User Says Thank You to aiharkness For This Useful Post:
daphne  (10-04-2011)