BlackBerry's Encryption Hacked; Backups Now a Risk

GMGruman writes "InfoWorld blogger Martin Heller reveals that a Russian passcode-breaker developer has broken the encryption used in BlackBerry backups. That can help recover data when passwords are lost, but also gives data thieves access to a treasure trove of corporate secrets. And the developer boasts that it was easier to crack the BlackBerry encryption than it was to crack Apple's iOS."

But... the playlists!

[Kenja]

Notice how the blackberry adds have shifted from being about business apps and security to how cool it is that you can edit a MP3 playlist.

Whole thing smacks of desperation.

Re:But... the playlists!

[MyLongNickName]

Notice how the blackberry adds

Adding is easier than factoring primes. This might have something to do with the security problem.

Re:

[MyLongNickName]

Damn. I hit submit. I cannot believe I said "factoring primes". I considered playing it off like it was pat of the joke, but that would just be dishonest.

Please revoke my nerd card and send me to business school.

(here is hoping my x minutes since last post allows me to correct myself before I get ripped by 350 nerds)

Re:But... the playlists!

[BobNET]

I cannot believe I said "factoring primes".

Hi, Bill!

"The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers."
-- Bill Gates, 'The Road Ahead'

Re:

[Steve Max]

I can factor any prime number very easily, if I know it's prime before starting. And it's fast. It takes only the time needed to write "1" and the number itself.

Re:But... the playlists!

[treeves]

Well, it's true: adding IS easier than factoring primes. It's also easier than dividing by zero, trisecting an angle with a compass and straightedge, and calculating the last digit of pi.

Re:

[Rogerborg]

The last digit of pi is "7". You can take my word for it, or prove me wrong.

Re:

[Gunnut1124]

I believe in symmetry, so the last digit MUST be 3.

And THAT's how you do theoretical physics folks... (at least the easy first bit)

Re:But... the playlists!

[AliasMarlowe]

The last digit of pi is "7". You can take my word for it, or prove me wrong.

Nope, you're wrong. The last digit of pi is zero.
This is because pi is exactly 10 (base pi).

Re:

[Anonymous Coward]

You fail.

10 in base 10 is 10.
2 in base 2 is 10.

Get the pattern?

Re:

[Anonymous Coward]

10 in base 10 -> 10
2 in base 2 -> 10
16 in base 16 -> 10

pi in base pi .... -> 10 ....

Re:

[Nesman64]

0 in base x is 0
x-1 in base x is 1
x in base x is 10

Re:

[NoseyNick]

x-1 in base x is 1

Only for x=2 :-p
10-1 in base 10 is 9, for example.

Re:

[minister of funk]

But pi isn't imaginary.

Re:

[davester666]

Then where does it exist, except in people's brains?

Re:

[Knackered]

Hey, you expect us to read the follow-up before replying with a flame?

This is slashdot, we don't even RTFA!

Re:But... the playlists!

[jimicus]

Probably because it was only a few years ago that there was no other serious business phone that did a half-decent job of email and had management features built right in (such as encforcing endpoint encryption and remote wiping).

Now more-or-less every smartphone offers such features, and non-smart phones are rapidly starting to look like an endangered species. Blackberry no longer offer anything particularly special.

Re:

[Anonymous Coward]

Ahhhhh I wouldn't say that necessarily. Flash? Remote Desktop to a Linux tower or server? Enterprise server?

Yes, that may not entice the "average" user, whatever that happens to be, may not see the need for such things, but that is why there are options.

I love my Blackberry. I put my professors' powerpoints and my notes on it to study wherever I'm at. I have it set up to run my tower at home. I use it as a USB mass storage device as well, so I don't have to worry about forgetting my USB drive at home. T

Re:

[Bert64]

The iphone has remote desktop, vnc and ssh clients, as do android phones, they also have voip clients which blackberry handsets seem to be severely lacking and which are great for business use, if your physically in the office and within wireless range calls are routed over that, otherwise they are routed over your cell service.

BES runs on windows (which is not free) and requires a corporate groupware setup such as exchange, notes or groupwise, none of which are free.

Other phones now offer many of the same

Re:

[Bert64]

I don't understand how you can claim blackberry is for power users, you have a closed proprietary platform tied to a closed proprietary service and requires you to run another closed proprietary server... You get far more flexibility from android, and even from iOS once you jailbreak it.

Blackberry is aimed at business users who have very limited requirements, quite the opposite of a power user.

Re:

[Anonymous Coward]

How the hell is this "insightful?"

Wake me up when Apple provides end-to-end encryption for e-mails. Oh that's right: they don't. That's why you don't see India or any other 3rd world country threatening to "shut off" iPhones. BBM isn't simply a stupid e-mail application accessing a POP3 server someplace.

The iPhone is great for people who are distracted by shiny things. But don't fool yourself into thinking what RIM is doing is "nothing special."

In addition, the summary is bogus. RIM's encryption has

Re:

[h4rr4r]

I am pretty sure you could get that with imap over ssl on an iphone.

Re:

[Bert64]

The iphone supports SSL for IMAP, POP3 and SMTP... It also supports SSL for Activesync.
There is also support for establishing a VPN connection.

Sure, Apple don't mandate the use of a proprietary service and give you the option to use plain unencrypted imap/pop3 if you want to.

What RIM are doing is locking users in to their proprietary service and proprietary server, android and ios based phones will talk to any number of standards compliant servers from a multitude of different sources with or without encryp

Re:

[gstoddart]

Notice how the blackberry adds have shifted from being about business apps and security to how cool it is that you can edit a MP3 playlist.

Whole thing smacks of desperation.

Well, initially the Black Berry was a corporate device. Then a lot of consumers decided they want one so they could do messaging and email.

However, Apple and other manufacturers have been making smart phones which have way more consumer features than business and have been correspondingly taking a lot of market share away from RIM. In

Re:

[grub]

I'd say that they're getting very desperate. Like 'em or hate 'em, the iPhone and its ilk have become hugely popular for non business users -- arguably, a much larger market.

Even for business users.

I've heard of many places opening up their email/calendar/directory (or Exchange) servers to iPhones and the like. Many users don't want to carry around two devices which perform the same functions.

At our place we have a How To for iPhone users but don't support beyond that. Company-supplied Blackberries

Re:

[cjb658]

One of the companies I work for recently switched all employees over to iPhones because it was cheaper (and easier) to buy new phones than to buy a BES server.

"Business" users identify with luxury goods

[swb]

Business users identify with luxury goods. There's a crossover point between cool, high tech, trendy and luxury goods that attracts business people. The iPhone is seen as high end, and this naturally draws in business people.

Re:

[nullifi]

My Android phone displays PowerPoint just fine thanks to Documents to Go. I'm fairly positive that they iPhone version as well..

Re:

[gstoddart]

My Android phone displays PowerPoint just fine thanks to Documents to Go. I'm fairly positive that they iPhone version as well..

I didn't mean to imply you couldn't do that, hence the smiley face ... I was more sniping a little at the whole "PC vs Mac" joke and how people use the devices.

Many of the people buying smartphones specifically didn't want to do "business" activities. It is Facebook and Twitter and YouTube, not spreadsheets and concalls. The things like editing playlists was more important to the

Re:

[k_187]

This won't last long. RIM bought Documents to go not too long ago. http://www.pcworld.com/businesscenter/article/205025/rim_buys_documents_to_go_but_microsoft_missed_out.html [pcworld.com]

Re:

[afidel]

RIM's sales are growing faster than Apple's (+4.5M vs +3.4M year over year growth for the second quarter). They're just growing slower in percentage terms since RIM had such a large number of units shipped all along. Android is growing mostly at the cost of Symbian.

Re:

[noidentity]

Notice how the blackberry adds have shifted from being about business apps and security to how cool it is that you can edit a MP3 playlist.

pYou know you're a geek when you read the above sentence and first think it's describing the encryption algorithm that was hacked (add, shift).

Re:

[johnbreganze]

This is a very informative write, wow. Great job man. Cell Phone Spy [cellphonespyreviews.net]

Simple solution

[Prune]

Back up to a non-encrypted IPD file and put it into a TrueCrypt volume--or better yet, don't back up to an insecure machine! This story would have been much more newsworthy if they had broken the actual phone's encryption, AES and elliptic curve D-H.

Re:Simple solution

[mbourgon]

Um, no. My last two jobs mandated them. They work exceptionally well in a business environment, and while I love the iPhone it's not yet as good for the enterprise. So for personal use, "don't get one hurr" may work, for the majority of bberry users it's not an option. That being said, most users don't back it up - if you're tied to exchange, all the important stuff is synched to it and all you need to do with a new bberry is to associate it to the same acct.

Re:

[Mista2]

Where iPhone wins for me is one device for work and play. I can set up Activesync with the exchange gateway for work, and with GMail for personal use. I aslo have my own iMAP server for archiving to when GMail gets large.
Blackberry, Android and WinMobile to date can still only synch with one source at a time as far as I know.
If the company is paying, then I guess it would be a blackberry, because it is their phone, not mine. They can block extra apps, and enforce device encryption, adn it is setup automatic

Re:

[faclonX]

BIS Can integrate up to 7 Email accounts and Keep them in sync with your device. A BES can do one either Exchange/Novell Groupwise/Domino. Combine a BIS and BES (Its called Enterprise-Prosumer Plus), and you get both features.

Re:

[t0rkm3]

Remote administration by the Enterprise owner.

Why Blackberry still works

[markdowling]

Remote Application Deployment from BES
Application Policies
Applications can be installed from PCs or BES, not just The Apps Steve Likes
They sell an integrated keyboard, or a narrow-factor phone, not just The Touchscreen Steve Likes

Re:

[IICV]

You can get an iPhone keyboard if you really want one. ThinkGeek will be selling a special case that adds a flip out keyboard [thinkgeek.com] later this year, in fact.

Unfortunately it just flips out, it doesn't kill people.

Re:

[phyrexianshaw.ca]

Before outlook has a chance to get it

Outlook doesn't get e-mail, outlook displays e-mail. The Mail Transport server "get"s e-mail, and stores it in a database. all outlook does is present users an interface for that database.

I think what you were trying to say was that the phones provide notification of e-mail before outlook does.

Re:

[acoustix]

Outlook doesn't get e-mail, outlook displays e-mail. The Mail Transport server "get"s e-mail, and stores it in a database. all outlook does is present users an interface for that database.

I think what you were trying to say was that the phones provide notification of e-mail before outlook does.

Since Outlook version 2003 the default setting is to locally cache the content. So Outlook does indeed get email. It stores the information in a .ost file so Outlook can be used in an offline status.

Re:

[drcheap]

Outlook doesn't get e-mail, outlook displays e-mail.

Configured to access a mailbox via POP3, it gets email.

Well, okay, it RETRs email, but that's just an implementation detail.

Re:Simple solution

[mlts]

It is still a hole though, and one that is completely preventable. Most serious crypto products around uses key strengthening, be it KeePass with its variable number of rounds that are user selectable, TrueCrypt with its 1000 rounds, or iOS 4's 10,000 rounds. Heck, even the venerable crypt(3) mechanism had a number of rounds to slow down people running Crack over 20 years ago back before passwords were stored in /etc/shadow.

How can this be fixed? Use a reasonable amount of rounds (enough so it slows down brute forcing, but not too many that it kills day to day normal operation.) Also, use a salt, so rainbow table pre-computation of keys is impossible.

In the meantime, the parent poster probably has the best solution. For maximum security, add a cryptographic token and store a TC keyfile on that. This way, if someone tries to brute force the token's passphrase, they have 3-20 tries before the token permanently fries itself.

Re:

[blueg3]

PBKDF2, which the BlackBerry backups use, always uses a salt. One round is a joke, though. The 4096 rounds of WPA aren't really sufficient, and the 1000 rounds of FileVault are really a mistake.

Re:

[mlts]

What would be ideal is functionality that KeePass has. It has the option to scale the amount of rounds to one second of your hardware's CPU time with the ability to edit the rounds up and down to preference. For BB users who don't want this detail, this can be a semi-hidden option and the device can compute how many rounds it does to suck up a second or two of CPU times automatically.

It is understandable why TrueCrypt doesn't do this (because it has to guess a number of times with various combinations of

Re:

[bigrockpeltr]

Up, Up, Down, Down, Left, Right, Left, Right, B, A, send

why was it easier?

[Mike Davi Kristopeit]

was the encryption scheme weaker, or were disgruntled RIM employees more willing to hand over the keys than disgruntled apple employees?

If only the article supplied more information

[apparently]

Backup encryption uses AES with a 256-bit key. So far, so good. An AES key is derived from the user-supplied password, and this is where the problem arises. In short, standard key-derivation function, PBKDF2, is used in a very strange way, to say the least. Where Apple has used 2,000 iterations in iOS 3.x, and 10,000 iterations in iOS 4.x, BlackBerry uses only one.

If only the article had the above information on page 2, you'd have the answer to your question. If only.

Re:

[AHuxley]

NSA, GCHQ like to read too? Old cryto in the worlds marketplace was 'open' why would this generation be any different?
What makes this generation so 'smart' and 'unique' when faced with a few simple solution when getting into telco work.
Open to a select few gov's or you are not a telco...
Or good crypto is expensive and made the device seem laggy during testing ..

Solution

[mark72005]

Solution - no more backups!

Re:

[simpz]

Mod this up. This is a huge non story. Everything you should really care about should be backed up by the BES into your mail account. I have never backed up my corporate BB and on changing device it preserves pretty much everything I care about, even Browser bookmarks.

Need access to the backup machine too

[markdowling]

But then access to a Wintel box is trivial these days, especially with Adobe helping out.

I administer 130 blackberrys and there isn't an IPD file in the entire outfit - that's what BES and its backups are for.

Does this make them legal in the Middle East now?

[Suki I]

Does this solve that encryption complaint the UAE, Saudis and others had about Blackberry?

Re:

[JonySuede]

no since, only the backups encryption is broken, and it still takes 3 days to crack a 7 mixed case password

Not "encryption hacked"

[blueg3]

The encryption itself is just fine (at least, for now). While it's interesting that the data is transmitted in the clear and then encrypted by the backup software, they don't propose exploiting this (which would be an inconvenient attack).

This is simply a brute-force password cracker that's specific to BlackBerry backups. It's not particularly specific, either, as the backups are encrypted with AES and the key is derived from a password using the standard PBKDF2. There are tons of PBKDF2-crackers out there (like coWPAtty). The surprising thing is that they only use single-iteration PBKDF2, which is a joke.

This, incidentally, is what is meant by the statement in TFS that cracking BlackBerry backup passwords is easier than cracking iOS passwords. Difficulty in password cracking (amount of computational time per password) for PBKDF2 is roughly proportional to the number of iterations. IIRC, WPA uses 4096, Apple's FileVault uses 1000, and BlackBerry backups apparently use 1.

Re:

[Nevo]

Came here to say this. Actually read TFA.

Okay... so it's not AES that got cracked...

[awinnenb]

So, if I read the article correctly, it hasn't been hacked so much as improperly implemented on blackberry's part. Honestly, the title made me think AES had been cracked which... yeah, that would be bad.

Look out for flying hockey pucks at

[BoRegardless]

RIM headquarters.

You're doing it the hard way.

[McGregorMortis]

This "weakness" seems a little silly.

You typically make your backups on your office desktop PC, and leave them there. But all the sensitive data in the backup file was already there on that same PC, in your corporate mailbox, completely unencrypted.

Cracking a Blackberry backup file would be the hardest way to get access to that data.

Re:

[TubeSteak]

You typically make your backups on your office desktop PC, and leave them there. But all the sensitive data in the backup file was already there on that same PC, in your corporate mailbox, completely unencrypted.

Cracking a Blackberry backup file would be the hardest way to get access to that data.

It would create the least amount of loggable activity.
And it's much faster to copy 1 file than to dig around for XYZ # of files.

In other news

[RegTooLate]

The NSA announced today that they are offering secured online backup for all Blackberry users. RIMM responded saying they were surprised how quickly the DNS poison spread but wish the NSA well in their user friendly backup service. Many Middle East governments are also now offering the easy secure backup service as well.

UAE and Saudi

[flyingfsck]

Soooo, the spat between UAE, Saudi, India and Blackberry is now moot...

Don't hack my blackberry...

[MoldySpore]

...it's just full of 200 fart apps anyway. [slashdot.org]

why do they implement proprietary encryption?

[bl8n8r]

Why not just use the encryption based on gpg or some other existing open source encryption method? Anytime you give a bunch of programmers a chance to reinvent the wheel, you need to go through the exact same evolutionary process that the existing wheels went through. So why is it that companies keep doing so and ending up shooting themselves in the foot?

Re:

[blueg3]

They don't. They use industry-standard algorithms, and the encryption itself wasn't compromised.

Re:

[Bert64]

They implemented perfectly good encryption in a flawed way, you don't just need industry standard algorithms, you need to be able to verify that they are implemented correctly.

Re:

[blueg3]

They're implemented fine. They chose a particularly poor value for one of the parameters. Your implementation of PBKDF2 is the same regardless of the number of rounds; number of rounds is simply a parameter.

Re:

[Bert64]

Choosing defaults values for parameters are done at the implementation stage, especially if those parameters are not modifiable by the user later.

since it is blackberry

[acedotcom]

instead of calling them backups shouldnt they be called BLACKUPS?

Of course!

[hesaigo999ca]

How long after the code was given to the Indian government that now it is in the wild with all sorts of hacks,
atleast we know who we can point the finger at, and hopefully learn from this, that in future when they ask for code,
just say "NO, dat is not vedy vedy nise!"

I must break you...

[jkiller]

In Soviet Russia, passcodes break YOU.

Not just secure for today

[mpfife]

This is one of the biggest things people forget about with data security and one my professors at school were constantly mindful of. Sure, 2048 bit keys and most modern cryptography is secure right now; but if you have really sensitive data - data about banking accounts, transaction records that your business depends on keeping secret for competitive reasons, voting records, etc - you need that to remain secure for the life-time of the person - or even longer. This is MUCH harder - especially if the adven

Conspiracy Theory

[microbee]

RIM has been under pressure to open up backdoors for its user data to governments. This is against its official policy and promise. If it does not comply, it risks losing business in foreign markets. Now it can do so more easily because it's already leak^^^^hacked.

Decryption Snake Oil, or Panic?

[ratboy666]

So, it takes 3 days to crack the 7 character password. Adding 8 characters to the set (say, !@#$%^&*) would then increase that 3 days to...
  2^21 more effort. Or, roughly 3 to 4 million days. Seems from the discussion that elcomsoft was able to brute force quickly (millions of passwords per second).

Add a few more characters and the effort to brute-force the thing goes up... exponentially. Unless, of course, elcomsoft has actually "cracked" the encryption, and not simply reduced the time to try a key.

What I would warn about is my "usual" advice for password generation (optional random character) word (optional random character) word (optional random character), because, as far as I can tell, that can be now be broken by elcomsoft in 2 to 3 days (assuming they know that this is the pattern used, which we have to).

Very curious to see a review of this (before panic sets in).

ratboy666

Re:

[MtHuurne]

If you would add 7 random characters from the set !@#$%^&* to the existing 7-letter password, it would take 8^7 = 2^21 times the effort to crack it. However, if you switch from a 52-character set (mixed case letters) to a 60-character set, it only takes (60/52)^7 times as long, which is about 2.7 times.

Re:

[ratboy666]

Why? Isn't the entropy increase the same? Should that not be (60-52)^7?

Re:

[MtHuurne]

If that were the case, increasing the alphabet by 1 would have no effect since (53-52)^7 = 1.

The number of different 7-character passwords using a 52-character alphabet is 52^7, while using a 60-character alphabet it is 60^7: an increase by a factor of 60^7/52^7 = (60/52)^7.

Apple Encryption vs BB Encryption

[jgtg32a]

>Apple devices act differently; the data is encrypted on the device and never leaves it in an unencrypted form. The Apple desktop software (iTunes) acts only as a storage and never encrypts/decrypts backup data.

The article says that but I was under the impression that the iPhone encryption was worthless because it never lets you access data in an encrypted format. What I mean is there was a race condition where you could have an iPhone plugged into a computer and turned off and when you turn the pho

Give us a break

[thethibs]

Both the headline and the article are overheated.

The "crack" requires that

1. You have information that needs to be secured on your BB;
2. In spite of that you've used a toy password; and
3. The enemy has access to your backup files.

More than a bit of a stretch.