BlackBerry's Encryption Hacked; Backups Now a Risk
GMGruman writes "InfoWorld blogger Martin Heller reveals that a Russian passcode-breaker developer has broken the encryption used in BlackBerry backups. That can help recover data when passwords are lost, but also gives data thieves access to a treasure trove of corporate secrets. And the developer boasts that it was easier to crack the BlackBerry encryption than it was to crack Apple's iOS."
Simple solution (Score:5, Interesting)
Re:Simple solution (Score:5, Interesting)
It is still a hole though, and one that is completely preventable. Most serious crypto products around use key strengthening, be it KeePass with its variable number of rounds that are user selectable, TrueCrypt with its 1000 rounds, or iOS 4's 10,000 rounds. Heck, even the venerable crypt(3) mechanism had a number of rounds to slow down people running Crack over 20 years ago, back before passwords were stored in /etc/shadow.
How can this be fixed? Use a reasonable amount of rounds (enough so it slows down brute forcing, but not too many that it kills day to day normal operation.) Also, use a salt, so rainbow table pre-computation of keys is impossible.
In the meantime, the parent poster probably has the best solution. For maximum security, add a cryptographic token and store a TC keyfile on that. This way, if someone tries to brute force the token's passphrase, they have 3-20 tries before the token permanently fries itself.
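As an added illustration of the two fixes this comment describes (iterated rounds plus a per-record salt), not code from the article or from any BlackBerry software: the unsalted single-hash scheme beside a PBKDF2 scheme. The round count, salt length and sample passphrases are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo parameters: a 10,000-round count like the one the comment
# cites for iOS 4, and a 16-byte random salt generated per stored record.
ROUNDS = 10_000
SALT_LEN = 16


def weak_key(passphrase: str) -> bytes:
    """One unsalted hash of the passphrase: the preventable hole.
    Every record derived from the same passphrase gets the same key, so one
    precomputed (rainbow) table answers all of them at once."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def strengthened_key(passphrase: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """PBKDF2-HMAC-SHA256 with a salt and an iteration count.
    Each guess now costs `rounds` HMAC evaluations instead of one, and the
    salt makes any precomputation valid for a single record only."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, rounds, dklen=32)


def enroll(passphrase: str, rounds: int = ROUNDS) -> dict:
    """Store what a backup format would need to re-derive the key later:
    the salt and round count in the clear, never the passphrase."""
    salt = os.urandom(SALT_LEN)
    return {"salt": salt, "rounds": rounds,
            "key": strengthened_key(passphrase, salt, rounds)}


def verify(record: dict, passphrase: str) -> bool:
    """Re-derive with the stored parameters; constant-time compare."""
    candidate = strengthened_key(passphrase, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["key"])


def same_key_for_two_records(passphrase: str, salted: bool) -> bool:
    """Do two independent records made from one passphrase share a key?
    True means a single precomputed table covers both (the weak scheme)."""
    if not salted:
        return weak_key(passphrase) == weak_key(passphrase)
    return enroll(passphrase)["key"] == enroll(passphrase)["key"]


if __name__ == "__main__":
    rec = enroll("correct horse")
    print("unsalted scheme shares keys:", same_key_for_two_records("correct horse", False))
    print("salted scheme shares keys:  ", same_key_for_two_records("correct horse", True))
    print("verify good/bad passphrase: ", verify(rec, "correct horse"), verify(rec, "wrong"))
```

Raising `rounds` is the knob the comment describes: it multiplies an attacker's cost per guess while adding only one derivation to a legitimate unlock.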
Re:But... the playlists! (Score:3, Interesting)
Well, initially the BlackBerry was a corporate device. Then a lot of consumers decided they wanted one so they could do messaging and email.
However, Apple and other manufacturers have been making smart phones which have way more consumer features than business and have been correspondingly taking a lot of market share away from RIM. In fact, I heard analysts saying the other week that while sales of BlackBerries are growing, they're not growing as fast as Apple and Android phones are. So, their corresponding market share is decreasing even while their sales are increasing -- they're just not increasing as fast as the rest of the market.
I'd say that they're getting very desperate. Like 'em or hate 'em, the iPhone and its ilk have become hugely popular for non business users -- arguably, a much larger market.
Of course, if you want to schedule a meeting or use PowerPoint, get a BlackBerry (or a PC ;-).
You're doing it the hard way. (Score:5, Interesting)
This "weakness" seems a little silly.
You typically make your backups on your office desktop PC, and leave them there. But all the sensitive data in the backup file was already there on that same PC, in your corporate mailbox, completely unencrypted.
Cracking a Blackberry backup file would be the hardest way to get access to that data.
Down with blackberry (Score:0, Interesting)
I can't believe anyone uses crackberries. We used them for a year and everyone has hated them. We bought Droid Incredibles for our office and love them so far. The only thing keeping BlackBerries around, I would guess, is the ability to lock them down with the BES server, I believe it's called. But they still suck....
Down with BlackBerry, Windows Mobile, etc. Hail to iOS and Android!!
Re:But... the playlists! (Score:1, Interesting)
How the hell is this "insightful?"
Wake me up when Apple provides end-to-end encryption for e-mails. Oh that's right: they don't. That's why you don't see India or any other 3rd world country threatening to "shut off" iPhones. BBM isn't simply a stupid e-mail application accessing a POP3 server someplace.
The iPhone is great for people who are distracted by shiny things. But don't fool yourself into thinking what RIM is doing is "nothing special."
In addition, the summary is bogus. RIM's encryption has NOT been hacked, just some backup application. Were it that easy I don't think the Saudis would be kicking up the stink they are.