Elcomsoft breaks BB password by hacking encrypted media card


juwaack68
09-29-2011, 11:03 AM
Read this very carefully...

ElcomSoft Recovers BlackBerry Device Passwords (http://www.elcomsoft.com/news/472.html)

It doesn't say they can hack your BB password directly from the device, but rather if your media card is encrypted using the device password. They are hacking the media card, NOT the device.

Simple answer - either don't encrypt your media card or encrypt it another way, such as device key + device password.

No need to panic. BB has not been hacked.

the-economist
09-29-2011, 11:34 AM
No need to panic. BB has not been hacked.

It hasn't?! Encryption on the card is an OS feature. Obviously flawed, it is being used as an attack vector to reveal the handset's password and everything it protects. The OS, the handset, the encryption, the filesystem on the card are all made by RIM. So who's been hacked then? :?

juwaack68
09-29-2011, 11:38 AM
The card is being hacked, not the device. Without the card being encrypted in a certain way, the hacking they are doing would not gain access to the device.

the-economist
09-29-2011, 11:47 AM
The card is being hacked, not the device.

The card hasn't been hacked at all. The encryption on the card (a RIM product) has been attacked and that results in the handset being compromised.


Following your logic, if I break into your house through a window, your premises' security is not compromised because I didn't structurally compromise the walls by breaking through the bricks of the building.

juwaack68
09-29-2011, 11:58 AM
The card hasn't been hacked at all. The encryption on the card (a RIM product) has been attacked and that results in the handset being compromised.

True, this also means the DEVICE has not been 'hacked'. Without the encryption on the card (and a certain type of encryption), the card could not be attacked/hacked, either.

jsconyers
09-29-2011, 12:13 PM
My question is which device, OS, etc was hacked? Was it OS 4.x, 5, 6, 7? If it was an earlier OS, has this issue been corrected in more recent OSes?

the-economist
09-29-2011, 12:20 PM
True, this also means the DEVICE has not been 'hacked'.

If certain criteria are met (extremely common for users to have device password protection enabled on the card) the DEVICE is compromised. Not only that but it extends to all information stored in the handset and in the case of BlackBerry Wallet could potentially compromise banking accounts and/or whatever confidential info is protected under BB Wallet.

juwaack68
09-29-2011, 12:23 PM
*sigh*

ndub33
09-29-2011, 12:32 PM
Let's go back to the house window analogy. If you used the open bedroom window to break into my house, but I have locked the bedroom door from the outside, you certainly have gained access to my bedroom, but nowhere else in my house.

penguin3107
09-29-2011, 12:35 PM
Let's go back to the house window analogy. If you used the open bedroom window to break into my house, but I have locked the bedroom door from the outside, you certainly have gained access to my bedroom, but nowhere else in my house.

Bad analogy.
Recovering the device password off the media card does in fact give you access to the entire device. Once you know what the password is, the device is compromised. (Assuming you have physical possession of said device.)

Make no mistake about it... if this software does what it says it does, it's a security problem and headache that RIM is going to need to face.
The last thing they need is more bad press... so just the fact that this news is "out there", whether confirmed or not, is going to be a big deal for RIM.

juwaack68
09-29-2011, 12:38 PM
There's no disputing that getting the password from the media card gives you access to the device.

However, the 'hack' happened on the card, NOT the device. That's the difference. Either way, it's not good, but the device itself was not hacked, per se.

It's as if I locked my house, but left a key under the flower pot by the front door. A 'hack' would mean someone picked the lock to get in. However, because they found the key under the flowerpot, the lock was not 'hacked'. Still bad they got in the house, but how they got there is different.

jsconyers
09-29-2011, 12:45 PM
I agree with Penguin, no matter how you look at it, it is bad for RIM and their reputation for security.

the-economist
09-29-2011, 12:50 PM
We can use analogies to describe security models until we're blue in the face. Things are rather simple though.

1) The handset + the OS are RIM products.
2) The filesystem + the encryption are RIM products.
3) The feature that allows the user to protect the card using the device password is a RIM product.
4) Getting the device password via ANY possible attack vector compromises Blackberry security.


From the above combined we get that if certain conditions are met (rather common) an attack on files stored on SD compromises blackberry security to device level and exposes all confidential info stored.
It's a flaw, a RIM flaw, juwaack wants to blame the SD card. That's a dumb magnetic medium. Never promised you or offered any kind of security protection. RIM did both.

daphne
09-29-2011, 12:59 PM
The vendor's website says the software works on all versions of the BlackBerry OS and all iOS devices up to 4.x. Price is reportedly $200.

JSanders
09-29-2011, 01:32 PM
Yup iPhones too.


And on the BlackBerry, it can only be an alpha password either all lower or uppercase, no password with a numeral or special character or mixed case can be hacked.

JSanders
09-29-2011, 01:35 PM
We can use analogies to describe security models until we're blue in the face. Things are rather simple though.

1) The handset + the OS are RIM products.
2) The filesystem + the encryption are RIM products.
3) The feature that allows the user to protect the card using the device password is a RIM product.
4) Getting the device password via ANY possible attack vector compromises Blackberry security.


From the above combined we get that if certain conditions are met (rather common) an attack on files stored on SD compromises blackberry security to device level and exposes all confidential info stored.
It's a flaw, a RIM flaw, juwaack wants to blame the SD card. That's a dumb magnetic medium. Never promised you or offered any kind of security protection. RIM did both.

@<hidden>, I look at this way:

We can use analogies to describe security models until we're blue in the face. Things are rather simple though.

1) The handset + the OS are Apple products.
2) The filesystem + the encryption are Apple products.
3) The feature that allows the user to protect the card using the device password is an Apple product.
4) Getting the device password via ANY possible attack vector compromises Apple security.


From the above combined we get that if certain conditions are met (rather common) an attack on files stored on SD compromises blackberry security to device level and exposes all confidential info stored.
It's a flaw, an Apple flaw, the-economist wants to ignore this and focus only on RIM. That's a dumb apple fan boi. Never promised you or offered any kind of security protection. Apple did both.

Works?

By the way, the-economist, Raphael gave me a message to give you.

the-economist
09-29-2011, 01:52 PM
@<hidden>, I look at this way:

We can use analogies to describe security models until we're blue in the face. Things are rather simple though.

1) The handset + the OS are Apple products.
2) The filesystem + the encryption are Apple products.
3) The feature that allows the user to protect the card using the device password is an Apple product.
4) Getting the device password via ANY possible attack vector compromises Apple security.


From the above combined we get that if certain conditions are met (rather common) an attack on files stored on SD compromises blackberry security to device level and exposes all confidential info stored.
It's a flaw, an Apple flaw, the-economist wants to ignore this and focus only on RIM. That's a dumb apple fan boi. Never promised you or offered any kind of security protection. Apple did both.

Works?

By the way, the-economist, Raphael gave me a message to give you.


I'm trying hard to find the word apple or any apple inc products mentioned anywhere in the thread until you started trolling... :?

JSanders
09-29-2011, 01:53 PM
It wasn't.
But the same software does the same on the iPhone.

Don't tell me you didn't know that. You can't be that daft, can you?

ezrunner
09-29-2011, 02:29 PM
So what have we learned

Use a complex password, i.e. 8lack8eRry2081!!

and, well, now it's very difficult to obtain

daphne
09-29-2011, 02:35 PM
I'm trying hard to find the word apple or any apple inc products mentioned anywhere in the thread until you started trolling... :?

Anyone who clicked the link and read the page that Juwaack posted would have seen that it works on iOS. So you didn't read the link?

Also I posted that it works on iOS before JSanders posted. Did you not read that either?

The last time I checked iOS was an operating system for Apple mobile devices.

the-economist
09-29-2011, 03:26 PM
Anyone who clicked the link and read the page that Juwaack posted would have seen that it works on iOS. So you didn't read the link?

Also I posted that it works on iOS before JSanders posted. Did you not read that either?

The last time I checked iOS was an operating system for Apple mobile devices.

I didn't read anything. Got the company name from the title, picked up my BlackBerry and called them. Then I got answers to my questions, then I bought their product.

Yourself and the other mod seem to be the only people in the whole thread more interested in Apple Inc products. I suggest you call elcomsoft and ask them about the platform you're using.
IOS for me is what runs in Cisco routers.

JSanders
09-29-2011, 04:23 PM
That kind of ignorance ("I didn't read anything --the-economist") can also be called pure stupidity.
Blind fanboism.
Trolling.

daphne
09-29-2011, 04:33 PM
Trolling with a generous dose of BS at that. I wrote "iOS" not "IOS". The troll knows the difference unless he truly is stupid. And do say, he already had the phone number in his device? If not, he read something to get the number.

The statements some of these fanboi trolls use to argue their points are truly ridiculous.

the-economist
09-29-2011, 04:34 PM
That kind of ignorance ("I didn't read anything --the-economist") can also be called pure stupidity.
Blind fanboism.
Trolling.

I really can't see the reason behind the personal attacks against me from the moment you joined the thread, but yeah, whatever, have fun..

JSanders
09-29-2011, 04:49 PM
And do say, he already had the phone number in his device? If not, he read something to get the number.

Yea, at this point he's just 'lying'.

JSanders
09-29-2011, 04:50 PM
I really can't see the reason behind the personal attacks against me from the moment you joined the thread, but yeah, whatever, have fun..

I think you were the first to throw out the word 'troll', at me, when I was not the first to mention Apple.

Learn to read.

jmwking
09-30-2011, 10:39 AM
I'm not getting into calling people names or questioning where the fault lies. This sounds like a real problem.

Suppose someone chooses for their password a short, same case, letters-only password - which is fairly typical if you have to enter it every time you want to use your BB.

Anyone finding (or otherwise acquiring) the device can use this software to get into your blackberry, your personal info, and - by extension, I guess - your connection to whatever is available through your BES.

Again, this sounds like a real problem. First and foremost, everyone should either remove encryption from their media card, or change a password to one that's quite annoying - and strong.

The finger-pointing and name-calling can wait.

-jk

JSanders
09-30-2011, 10:49 AM
change a password to one that's quite annoying - and strong.


Exactly! Agreed.

And anyone who has used ANY computer in the past decade and not heard that ^^ message is deaf and dumb to begin with.

the-economist
10-03-2011, 01:50 PM
Again, this sounds like a real problem. First and foremost, everyone should either remove encryption from their media card, or change a password to one that's quite annoying - and strong.



It is a real problem. A mixed case annoying and strong password is near unusable if it needs to be entered every time the device needs unlocking. There is always a tradeoff between security and usability.

I bought the software from the company mentioned in the thread. My letters/numbers 4-digit unlock code was spit out in seconds. The SD card is not even needed, any encrypted single little file from the card does the job.
This needs to be addressed urgently.

JSanders
10-03-2011, 04:57 PM
Oddly enough the developer of the app doesn't even say it works in the way you describe. Perhaps you're not trooful with us again?

daphne
10-03-2011, 08:53 PM
It is a real problem. A mixed case annoying and strong password is near unusable if it needs to be entered every time the device needs unlocking. There is always a tradeoff between security and usability.

I bought the software from the company mentioned in the thread. My letters/numbers 4-digit unlock code was spit out in seconds. The SD card is not even needed, any encrypted single little file from the card does the job.
This needs to be addressed urgently.

Please clarify your last sentence. First you say the SD card isn't needed, then you say "any encrypted single little file from the card does the job". That doesn't make sense the way you've stated it.

Also, I hope you know that saying "it needs to be addressed urgently" here has no effect on what happens at RIM. RIM doesn't own this forum or read this forum. You should direct your concerns and suggestions to RIM in that respect.

jmwking
10-03-2011, 10:36 PM
I don't encrypt my card (there's nothing sensitive on it) and I have no idea whether his test is accurately reported. However, if the OS encrypts files one by one rather than encrypting the entire card, it seems plausible the software would only need a single file to decrypt and deduce the password.


Regardless of who may read this board, RIM does need to address it, and soon. It's a major vulnerability.

If I were responsible for a BES installation and keeping corporate data safe, I'd be quite worried.

-jk
Posted via BlackBerryForums.com Mobile

aiharkness
10-04-2011, 04:11 PM
I don't encrypt my card (there's nothing sensitive on it) and I have no idea whether his test is accurately reported. However, if the OS encrypts files one by one rather than encrypting the entire card, it seems plausible the software would only need a single file to decrypt and deduce the password.


Regardless of who may read this board, RIM does need to address it, and soon. It's a major vulnerability.

If I were responsible for a BES installation and keeping corporate data safe, I'd be quite worried.

-jk
Posted via BlackBerryForums.com Mobile

It is the file(s) that is encrypted and not the card. If you have had encryption disabled and then it is enabled, only files that are written after are encrypted. And when encryption is then disabled, those encrypted files remain encrypted, and files written after encryption is disabled are not encrypted.

From what I read of the software, all you need is a file from the card, which of course means you do need the card to get the file.

What I think I understand is that if you want to be able to move the card to another BlackBerry and read the encrypted files on that other BlackBerry, then there isn't anything else RIM could have done. All other solutions require information on the handset, such as using the device key setting, or a so-called "salt," which would mean the user could only read the encrypted files on the original BlackBerry.

The real true practical solution to protect the BlackBerry handset password from discovery in this instance is to either not enable encryption using only the device password, or to use a very strong password if you do.

I personally don't see a problem with a strong password for me and the way I use a BlackBerry. If I had a 5 minute time out forced on me it might be a different story. But setting a reasonable time out and manually locking my BlackBerry when I think I need to works for me.

I hesitate to think it's a big deal for RIM because from what I understand I don't know what else they could have done for users who want to encrypt but still want to swap cards between BlackBerrys. It is a big deal for those users, however, but they've created the problem if they are using weak passwords.
Posted via BlackBerryForums.com Mobile

the-economist
10-05-2011, 04:19 AM
Please clarify your last sentence. First you say the SD card isn't needed, then you say "any encrypted single little file from the card does the job". That doesn't make sense the way you've stated it.


Doesn't need the card, needs an encrypted file from the card. Clear now?

daphne
10-05-2011, 10:14 AM
No, that doesn't make sense. Do you mean it needs an encrypted file on the device or on the media card? If it needs an encrypted file on the media card, then it needs the card also.

See the post above yours:
From what I read of the software, all you need is a file from the card, which of course means you do need the card to get the file (emphasis mine)

aiharkness
10-05-2011, 03:45 PM
Minor point, but that probably should have been, "all you need is an encrypted file from the card..."
Posted via BlackBerryForums.com Mobile

jmwking
10-06-2011, 12:33 PM
It doesn't really matter whether some cloak-and-dagger type hacks a single encrypted file so he can access your phone while your back is turned, or someone just goes after your BB with the card still inserted, hacks it, and gets while the gettin's good. It could be corporate espionage or law enforcement or your soon-to-be ex.

It all comes back to the same point: if someone simply acquires your blackberry - by whatever means - that has an encrypted data card or perhaps even just an encrypted file, then all your data, phone, and any BES access are all vulnerable to exploitation.

The only two safe options are to either not encrypt (and change your password if you leave any encrypted files behind) or use an annoyingly secure password (which lots of folks just won't).

The remarkably fool-proof BB protection of wiping your phone after 10 failed tries (generally safe even with a short, easy password) no longer applies if you encrypt your data card. Regardless of semantics, this issue is a Big Deal and should get attention.

-jk

penguin3107
10-06-2011, 12:47 PM
The only two safe options are to either not encrypt (and change your password if you leave any encrypted files behind) or use an annoyingly secure password (which lots of folks just won't).

The remarkably fool-proof BB protection of wiping of your phone after 10 failed tries (generally safe even with a short, easy password) no longer applies if you encrypt your data card.

Just a little clarification...
This is only true if you choose to encrypt your media card using the handheld password as the key.
It is possible to encrypt to the device itself, and not the password.
If the encryption keys are based on the device ID as opposed to the handheld password, then this vulnerability goes away.
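As an added illustration (not code from this thread, from RIM or from ElcomSoft), the toy Python below models the three media-card keying choices aiharkness lays out (device password only, device key, a handset-held salt), the 10-try wipe limit jmwking mentions, and penguin3107's point that keying on the device rather than the password removes the exposure. Mode names, the hypothetical device_key and salt inputs, the KDF, the stand-in cipher and the guess-rate figure are all assumptions made here; a single encrypted file with its authentication tag is exactly the off-device check a password-only key permits, and the example shows which modes deny that check.

```python
"""Toy model of the media-card keying choices the thread discusses.

Constructed example: this is NOT RIM's real implementation, the OS's actual
KDF, or ElcomSoft's tool. Mode names, the device_key/salt inputs and the
guess-rate figure are assumptions made here for illustration.
"""
import hashlib
import hmac
import string

DEVICE_WIPE_LIMIT = 10  # failed unlock tries before the handset wipes, as stated in the thread


def derive_card_key(mode, password, device_key=b"", salt=b""):
    """Derive a file key under one of three hypothetical keying modes.

    "password":   key = KDF(password)               every input is guessable from nothing
    "device_key": key = KDF(device_key)             needs a secret that never leaves the handset
    "salted":     key = KDF(password, handset salt) needs the handset's salt as well
    """
    if mode == "password":
        material, kdf_salt = password.encode(), b""
    elif mode == "device_key":
        material, kdf_salt = device_key, b""
    elif mode == "salted":
        material, kdf_salt = password.encode(), salt
    else:
        raise ValueError(f"unknown mode {mode!r}")
    # A low-iteration PBKDF2 stands in for whatever KDF the OS really uses.
    return hashlib.pbkdf2_hmac("sha256", material, kdf_salt, 1000, dklen=32)


def _keystream(key, length):
    # SHA-256 in counter mode as a stand-in stream cipher (toy only, not for real use).
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))[:length]


def seal_file(key, plaintext):
    """Encrypt one card file and append an HMAC tag so a reader can confirm the key."""
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, ciphertext, "sha256").digest()
    return ciphertext, tag


def open_file(key, ciphertext, tag):
    """Return the plaintext if the key authenticates the file, else None.

    This tag check is what turns a single card file into a test for a key guess.
    """
    if not hmac.compare_digest(hmac.new(key, ciphertext, "sha256").digest(), tag):
        return None
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(key, len(ciphertext))))


def handset_secrets_needed(mode):
    """Handset-only inputs someone holding only the card file would still lack."""
    return {"password": set(), "device_key": {"device_key"}, "salted": {"salt"}}[mode]


def offline_guessing_works(mode):
    """Guesses can be checked against the file alone only if no handset-only input feeds the key."""
    return not handset_secrets_needed(mode)


# Password policies raised in the thread: the single-case letters-only passwords the tool is
# reported to handle, versus a mixed-case, digit and symbol password like ezrunner's example.
CHARSETS = {
    "lowercase letters": string.ascii_lowercase,
    "mixed letters, digits, symbols": string.ascii_letters + string.digits + string.punctuation,
}


def keyspace(charset_name, length):
    return len(CHARSETS[charset_name]) ** length


def online_fraction_testable(charset_name, length):
    """Share of the keyspace that can be tried on the handset before the wipe limit hits."""
    return DEVICE_WIPE_LIMIT / keyspace(charset_name, length)


def offline_days_to_exhaust(charset_name, length, guesses_per_second):
    """Offline there is no wipe; only keyspace and guess rate matter (rate is an assumption)."""
    return keyspace(charset_name, length) / guesses_per_second / 86400


if __name__ == "__main__":
    secret = b"hypothetical-handset-device-key"  # constructed, never written to the card
    for mode in ("password", "device_key", "salted"):
        key = derive_card_key(mode, "abcd", device_key=secret, salt=b"handset-salt")
        ct, tag = seal_file(key, b"constructed sample card file")
        print(f"{mode:11s} offline guessing possible: {offline_guessing_works(mode)}; "
              f"missing inputs off-card: {handset_secrets_needed(mode) or '{}'}")
    for name, length in (("lowercase letters", 4), ("mixed letters, digits, symbols", 15)):
        print(f"{name}, length {length}: keyspace {keyspace(name, length):.3e}, "
              f"online-testable {online_fraction_testable(name, length):.2e}, "
              f"offline days at 1e6 guesses/s: {offline_days_to_exhaust(name, length, 1e6):.3g}")
```

The design point is in `handset_secrets_needed`: in the password-only mode the key is a pure function of the password, so any one authenticated file lets a guess be confirmed without the handset and without ever hitting the wipe counter; in the device-key and salted modes a value that stays on the handset enters the derivation, so the card file alone confirms nothing, which is the trade-off against moving the card between handsets that aiharkness describes.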

the-economist
10-07-2011, 09:45 AM
If the encryption keys are based on the device ID as opposed to the handheld password, then this vulnerability goes away.


100% agree, no question about it. Problem is when a security feature is exploitable (which is rather common in the software world and nothing close to the drama some posts in the thread made it to be) the solution is vendor acknowledgement and patching of the vulnerability rather than the user running in circles trying to protect themselves from a poorly executed implementation.

You and I and some thousands of forum users may be somewhat technically inclined. That doesn't extend to the whole of the platform's userbase.

The "vulnerability gone away" solution should only come down through the official vendor channels that manage the codebase of said software. In this case that means Research In Motion Ltd.

juwaack68
10-12-2011, 08:57 AM
BlackBerry Security Incident Response Team Responds to Elcomsoft Brute Force Password Attack - BerryReview (http://www.berryreview.com/2011/10/12/blackberry-security-incident-response-team-responds-to-elcomsoft-brute-force-password-attack/)

jsconyers
10-12-2011, 09:01 AM
That pretty much says what we already knew. The real question now is when are they going to patch this flaw?