Read this very carefully...

ElcomSoft Recovers BlackBerry Device Passwords

It doesn't say they can hack your BB password directly from the device, but rather if your media card is encrypted using the device password. They are hacking the media card, NOT the device.

Simple answer - either don't encrypt your media card or encrypt it another way, such as device key + device password.

No need to panic. BB has not been hacked.

It hasn't?! Encryption on the card is an OS feature. Obviously flawed is being used as an attack vector to reveal the handset's password and everything it protects. The OS, the handset, the encryption, the filesystem on the card are all made by RIM. So who's been hacked then?

The card is being hacked, not the device. Without the card being encrypted in a certain way, the hacking they are doing would not gain access to the device.

The card hasn't been hacked at all. The encryption on the card (a RIM product) has been attacked and that results in the handset being compromised.


Following your logic if i break into your house through a window, your premises' security is not compromised because i didn't structurally compromised the walls by breaking through the bricks of the building.

True, this also means the DEVICE has not been 'hacked'. Without the encryption on the card (and a certain type of encryption), the card could not be attacked/hacked, either.

My question is which device, OS, etc was hacked? Was it OS 4.x, 5, 6, 7? If it was an earlier OS, has this issue been corrected in more recent OSes?

If certain criteria is met (extremely common for users to have device password protection enabled on the card) the DEVICE is compromised. Not only that but it extends to all information stored in the handset and in the case of Blackberry Wallet could potentially compromise banking accounts and/or whatever confidential info is protected under BB Wallet.

*sigh*

Let's go back to the house window analogy. If you used the open bedroom window to break into my house, but I have locked the bedroom door from the outside, you ceratinly have gained access to my bedroom-but no where else in my house.

Bad analogy.
Recovering the device password off the media card does in fact give you access to the entire device. Once you know what the password is, the device is compromised. (Assuming you have physical possession of said device.)

Make no mistake about it... if this software does what it says it does, it's a security problem and headache that RIM is going to need to face.
The last thing they need is more bad press... so just the fact that this news is "out there", whether confirmed or not, is going to be a big deal for RIM.

There's no disputing that getting the password from the media card gives you access to the device.

However, the 'hack' happened on the card, NOT the device. That's the difference. Either way, it's not good, but the device itself was not hacked, per say.

It's as if I locked my house, but left a key under the flower pot on the front door. A 'hack' would mean someone picked the lock to get in. However, because they found the key under the flowerpot the key was not 'hacked'. Still bad they got in the house, but how they got there is different.

I agree with Penguin, no matter how you look at it, it is bad for RIM and their reputation for security.

We can use analogies to describe security models until we're blue in the face. Things are rather simple though.

1) The handset + the OS are RIM products.
2) The filesystem + the encryption are RIM products.
3) The feature that allows the user to protect the card using the device password is a RIM product.
4) Getting the device password via ANY possible attack vector compromises Blackberry security.


From the above combined we get that if certain conditions are met (rather common) an attack on files stored on SD compromises blackberry security to device level and exposes all confidential info stored.
It's a flaw, a RIM flaw, juwaack wants to blame the SD card. That's a dumb magnetic medium. Never promised you or offered any kind of security protection. RIM did both.

The vendor's website says the software works on all versions of the BlackBerry OS and all iOS devices up to 4.x. Price is reportedly $200.

Yup iPhones too.


And on the BlackBerry, it can only be an alpha password either all lower or uppercase, no password with a numeral or special character or mixed case can be hacked.

@the-economist, I look at this way:

We can use analogies to describe security models until we're blue in the face. Things are rather simple though.

1) The handset + the OS are Apple products.
2) The filesystem + the encryption are Apple products.
3) The feature that allows the user to protect the card using the device password is an Apple product.
4) Getting the device password via ANY possible attack vector compromises Apple security.


From the above combined we get that if certain conditions are met (rather common) an attack on files stored on SD compromises blackberry security to device level and exposes all confidential info stored.
It's a flaw, a Apple flaw, the-economist wants to ignore this and focus only on RIM. . That's a dumb apple fan boi. Never promised you or offered any kind of security protection. Apple did both.

Works?

By the way, the-economist, Raphael gave me a message to give you.

i'm trying hard to find the word apple or any apple inc products mentioned anywhere in the thread until you started trolling...

It wasn't.
But the same software does the same does the same on the iPhone.

Don't tell me you didn't know that. You can't be that daft, can you?

So what have we learned

Use a complex password ie 8lack8eRry2081!!

and well now very difficult to obtain

Anyone who clicked the link and read the page that Juwaack posted would have seen that it works on iOS. So you didn't read the link?

Also I posted that it works on iOS before JSanders posted. Did you not read that either?

The last time I checked iOS was an operating system for Apple mobile devices.