How competent is BB security options?


r0adster
06-05-2006, 10:04 AM
I would like to protect my BB from the thieves and unruly people who expect to take out my BB without me noticing and reading my messages (thanks, wife, boss, IT guy.) And I've turned on content protection and have passwords set up.

But how competent is the security?

Let's say...

Would this PW still be active after a handheld wipe (even JavaLoader wipe)?

-------------------------------------------------------------------------

I know I can't deter ALL of those people. But I would like to gain the satisfaction of knowing that my device is protected.

chrisl
06-05-2006, 10:11 AM
No it wouldn't....but if the device had been wiped there will be no emails on your device anyway and it will not be receiving or sending any emails anyway as it would've been wiped.

With the passwords...there are no hints or clues so the person has literally got to guess your password. And if you make it a strong password they aren't likely to get it in 10 attempts at which point the device wipes itself to protect the information.

cooperpwc
06-05-2006, 10:22 AM
Well I don't agree at all. The password is still active after a wipe. It is embedded much deeper. If the password was activated when they get the unit (or activates itself on a time-out) they cannot use the Blackberry. Period.
EDIT: Not. See my retraction at #13 below.

Zipper
06-05-2006, 10:35 AM
> Well I don't agree at all. The password is still active after a wipe. It is embedded much deeper. If the password was activated when they get the unit (or activates itself on a time-out) they cannot use the Blackberry. Period.

Good,(y)

jsuen
06-05-2006, 06:14 PM
Blackberry content protection is seriously secure. One of their documents somewhere details the entire process, but basically the data is encrypted by a 256-bit AES key derived from your password, so the security of the thing is based on how good your password is.

In a wipe, RAM is overwritten 7 times, and the flash is overwritten 8.
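
The point in the post above, that a 256-bit AES key derived from a password is only as strong as that password, worked through as an added example that is not part of the original thread. PBKDF2-HMAC-SHA256, the salt, the iteration count, the sample password shapes and all function names are assumptions for illustration; the thread does not say which derivation the device uses.

```python
import hashlib
import math

AES_KEY_BITS = 256         # key size stated in the post above
MAX_DEVICE_ATTEMPTS = 10   # wrong entries before the handheld wipes itself

def derive_key(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Derive a 256-bit key from a password.

    PBKDF2-HMAC-SHA256 is an assumption made for this example; the thread
    does not say which derivation the device uses.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=AES_KEY_BITS // 8)

def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)

def effective_key_bits(length: int, alphabet_size: int) -> float:
    """A derived key is never stronger than the password behind it."""
    return min(float(AES_KEY_BITS), password_bits(length, alphabet_size))

def on_device_guess_probability(length: int, alphabet_size: int,
                                attempts: int = MAX_DEVICE_ATTEMPTS) -> float:
    """Chance that `attempts` distinct guesses hit a uniformly random password."""
    return min(1.0, attempts / alphabet_size ** length)

# Constructed password shapes: (label, length, alphabet size).
SAMPLE_POLICIES = [
    ("4-digit PIN", 4, 10),
    ("8 lowercase letters", 8, 26),
    ("12 printable ASCII", 12, 94),
]

def summarize(policies=SAMPLE_POLICIES):
    """Return (label, effective key bits, on-device guess probability) rows."""
    return [(label, round(effective_key_bits(n, a), 1),
             on_device_guess_probability(n, a)) for label, n, a in policies]

if __name__ == "__main__":
    salt = bytes(16)  # constructed all-zero salt, for a reproducible demo only
    print("key length in bits:", len(derive_key("example-password", salt)) * 8)
    for label, bits, p in summarize():
        print(f"{label:22} ~{bits:5.1f} key bits, P(guess in 10 tries) = {p:.2e}")
```

The derived key is always 32 bytes long, but the figures that matter for choosing a password are the effective bits and the chance of a hit within the ten tries allowed before the wipe.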

prolepsis
06-08-2006, 12:55 AM
> Well I don't agree at all. The password is still active after a wipe. It is embedded much deeper. If the password was activated when they get the unit (or activates itself on a time-out) they cannot use the Blackberry. Period.

Is this for all wipes? I just tried on my 8700 BBerry (I am not on a BES).

1) Enabled and set a password.
2) Purposely entered the wrong password 10x.
3) BlackBerry gets wiped.

Upon reboot, my password is no longer stored (when I check in Security it says "Disabled" for the Password field).

Data is gone, but Google Maps (and I would assume other apps) are still there :smile:

This means that if a BBerry was stolen, someone theoretically could use the BBerry, though not recover the data. Since the password also seems to get wiped, unless the PIN or IMEI is blocked, it looks like anyone can use it(?). I was hoping that after the wipe the BBerry would still ask me for my password.

wibbly
06-08-2006, 02:10 AM
For BIS users, after a wipe, won't/can't a BB get its service books back OTA and start receiving NEW (and presumably private) mail? And the user can reply to it!? So you have to spot your BB's missing and kill off email forwarding to the BB and/or POP3 polling...

EricaJ1074
06-08-2006, 02:17 AM
Sometimes it does automatically re-register itself on the wireless network. For BIS users, if that does not happen, to get the service books back, go to Options>Advanced Options>Host Routing Table>Register Now to send the service books (along with the enterprise activation, web browser, download fun, and setup internet email icons). To start sending/receiving mail, log into your account, go to Set Up Internet Email and click on Send Service Book.

wibbly
06-08-2006, 02:58 AM
That's my point, EricaJ, I think a person who steals/gets your BB can start receiving YOUR new mail, even after the device has been wiped, if you're not careful...

cooperpwc
06-08-2006, 08:00 AM
Am I wrong about this? I have wiped and reinstalled the OS many times and the password was always active. I have not however ever entered the wrong password 10 times. I'm truly surprised if that will disable the password function. Anyone else have feedback?

prolepsis
06-08-2006, 11:12 AM
> Am I wrong about this? I have wiped and reinstalled the OS many times and the password was always active. I have not however ever entered the wrong password 10 times. I'm truly surprised if that will disable the password function. Anyone else have feedback?

I haven't tried a wipe + reinstall of the OS so I don't know. I'm hoping someone else will try to and report back.

Late last night, I also tried the "Wipe Handheld" option from the Password field. Upon wipe, my apps were present (data gone) and the Password field showed up as being "Disabled."

Perhaps when someone gets a new BBerry they can try entering some data and then wiping it.

I wish that for BIS users we had a "kill" BBerry option as well, like the BES folks. Or something where you could call the carrier, verify your identity, and then get them to send a "kill pill." (Since if users have this option I can imagine some users accidentally activating it!)

jcjwireless
06-08-2006, 01:49 PM
> Am I wrong about this? I have wiped and reinstalled the OS many times and the password was always active. I have not however ever entered the wrong password 10 times. I'm truly surprised if that will disable the password function. Anyone else have feedback?

On the 8700c if you try the password over 10 times it will wipe the entire BB and the password feature will be disabled. Know from experience. :oops:

cooperpwc
06-08-2006, 02:33 PM
> On the 8700c if you try the password over 10 times it will wipe the entire BB and the password feature will be disabled. Know from experience. :oops:

Okay, so with apologies to chrisl, I stand corrected. Password protection apparently only protects your data. It won't stop a thief from using your Blackberry as a phone or PIM.

richardsbd
06-08-2006, 02:42 PM
I can only speak from my experience with BB7290s - when you type the password wrong 10 times, the device is wiped, and when it comes back up, you are prompted to create a new password (which is a bit different from statements of "the password feature will be disabled").

On top of that, the IT Policy is still in place, so if device password protection was enabled before the wipe, it is still enabled (and cannot be disabled) afterwards. We are on BES...

wibbly
06-08-2006, 02:50 PM
> won't stop a thief from using your Blackberry as a phone or PIM.

Or seeing any new mails sent to the device, or impersonating you in mails they send from the device, unless you kill off the BIS config for that device, right?

> the IT Policy is still in place

Only if you run via a BES. BIS users have no IT policy.

prolepsis
06-08-2006, 03:03 PM
> > won't stop a thief from using your Blackberry as a phone or PIM.
>
> Or seeing any new mails sent to the device, or impersonating you in mails they send from the device, unless you kill off the BIS config for that device, right?
>
> > the IT Policy is still in place
>
> Only if you run via a BES. BIS users have no IT policy.

Looks like it. :oops: So for BIS users, if you lose your BBerry, you need to:

1) Call your provider to get them to block the SIM
2) Get them to disassociate your PIN from your BIS/blackberry email account (once this step is done the BBerry user won't be able to impersonate you)
3) Get them to block your IMEI/PIN (if they offer this feature)

The thing is, from what I was told, IMEI blocks/blacklists aren't necessarily shared between providers. So for GSM BBerries, someone could easily pop in a different SIM and use your device, especially if it's unlocked, at least as a phone. Not sure about PIN blocking, however, since that's BB-specific.

The good news out of all this is that at least your data will be wiped! (y) That's my main concern and probably a number of others', too.