
BlackBerry's Encryption Hacked; Backups Now a Risk

Soulskill posted more than 3 years ago | from the good-news-for-india dept.

Encryption 120

GMGruman writes "InfoWorld blogger Martin Heller reveals that a Russian passcode-breaker developer has broken the encryption used in BlackBerry backups. That can help recover data when passwords are lost, but also gives data thieves access to a treasure trove of corporate secrets. And the developer boasts that it was easier to crack the BlackBerry encryption than it was to crack Apple's iOS."


120 comments

Painful (0)

Anonymous Coward | more than 3 years ago | (#33761120)

"Told ya' so" moment occurring within RIM right now.

But... the playlists! (4, Funny)

Kenja (541830) | more than 3 years ago | (#33761170)

Notice how the blackberry adds have shifted from being about business apps and security to how cool it is that you can edit a MP3 playlist.

Whole thing smacks of desperation.

Re:But... the playlists! (3, Funny)

MyLongNickName (822545) | more than 3 years ago | (#33761368)

Notice how the blackberry adds

Adding is easier than factoring primes. This might have something to do with the security problem.

Re:But... the playlists! (3, Funny)

MyLongNickName (822545) | more than 3 years ago | (#33761414)

Damn. I hit submit. I cannot believe I said "factoring primes". I considered playing it off like it was pat of the joke, but that would just be dishonest.

Please revoke my nerd card and send me to business school.

(here is hoping my x minutes since last post allows me to correct myself before I get ripped by 350 nerds)

Re:But... the playlists! (4, Funny)

BobNET (119675) | more than 3 years ago | (#33761622)

I cannot believe I said "factoring primes".

Hi, Bill!

"The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers."
-- Bill Gates, 'The Road Ahead'

Re:But... the playlists! (0, Informative)

Anonymous Coward | more than 3 years ago | (#33763546)

To be honest, Bill was right. That would be a breakthrough.

Re:But... the playlists! (1)

Steve Max (1235710) | more than 3 years ago | (#33766574)

I can factor any prime number very easily, if I know it's prime before starting. And it's fast. It takes only the time needed to write "1" and the number itself.

Re:But... the playlists! (4, Funny)

treeves (963993) | more than 3 years ago | (#33761832)

Well, it's true: adding IS easier than factoring primes. It's also easier than dividing by zero, trisecting an angle with a compass and straightedge, and calculating the last digit of pi.

Re:But... the playlists! (0)

Anonymous Coward | more than 3 years ago | (#33762328)

Um, factoring primes is trivial. Factoring prime X yields factors of 1 and X. That is much easier than adding.

Re:But... the playlists! (0)

Anonymous Coward | more than 3 years ago | (#33762964)

The last digit of pi is 4. I'm 10% sure of this.

Re:But... the playlists! (0, Troll)

Rogerborg (306625) | more than 3 years ago | (#33763014)

The last digit of pi is "7". You can take my word for it, or prove me wrong.

Re:But... the playlists! (1)

Gunnut1124 (961311) | more than 3 years ago | (#33763484)

I believe in symmetry, so the last digit MUST be 3.

And THAT's how you do theoretical physics folks... (at least the easy first bit)

Re:But... the playlists! (5, Funny)

AliasMarlowe (1042386) | more than 3 years ago | (#33763888)

The last digit of pi is "7". You can take my word for it, or prove me wrong.

Nope, you're wrong. The last digit of pi is zero.
This is because pi is exactly 10 (base pi).

Re:But... the playlists! (0)

Anonymous Coward | more than 3 years ago | (#33764852)

There are pi types of people in this world...

Re:But... the playlists! (-1, Flamebait)

inviolet (797804) | more than 3 years ago | (#33765026)

Nope, you're wrong. The last digit of pi is zero. This is because pi is exactly 10 (base pi).

Wow, lots of nerd cards getting turned in today. "10" in base-pi, converted to decimal, is 3.14159... squared.

The correct way to express pi in base-pi is "1".

Re:But... the playlists! (1, Informative)

Anonymous Coward | more than 3 years ago | (#33765290)

You fail.

10 in base 10 is 10.
2 in base 2 is 10.

Get the pattern?

Re:But... the playlists! (2, Informative)

Anonymous Coward | more than 3 years ago | (#33765458)

10 in base 10 -> 10
2 in base 2 -> 10
16 in base 16 -> 10

pi in base pi .... -> 10 ....

Re:But... the playlists! (0)

Anonymous Coward | more than 3 years ago | (#33766194)

can you please explain this..

thanks

Jesus, people. (0)

Anonymous Coward | more than 3 years ago | (#33764566)

The last digit of pi is "i".

Re:But... the playlists! (0)

Anonymous Coward | more than 3 years ago | (#33763048)

Factoring primes is easy: 1 and itself

Re:But... the playlists! (0)

Anonymous Coward | more than 3 years ago | (#33763590)

Considering primes factor to themselves and 1..... That's even easier than a lookup table!

Re:But... the playlists! (0)

Anonymous Coward | more than 3 years ago | (#33763870)

I find factoring prime numbers easier than adding. I have an O(1) algorithm that will list all the factors of a prime number X. It goes:

PRINT(1);
PRINT(X);

where k is the number of digits constituting X.

Re:But... the playlists! (0)

Anonymous Coward | more than 3 years ago | (#33764146)

>I considered playing it off like it was pat of the joke

You also mistyped "part" in your response. Today is not your day.

Re:But... the playlists! (1)

Knackered (311164) | more than 3 years ago | (#33765134)

Hey, you expect us to read the follow-up before replying with a flame?

This is slashdot, we don't even RTFA!

Re:But... the playlists! (5, Insightful)

jimicus (737525) | more than 3 years ago | (#33761446)

Probably because it was only a few years ago that there was no other serious business phone that did a half-decent job of email and had management features built right in (such as enforcing endpoint encryption and remote wiping).

Now more-or-less every smartphone offers such features, and non-smart phones are rapidly starting to look like an endangered species. Blackberry no longer offer anything particularly special.

Re:But... the playlists! (1, Informative)

Anonymous Coward | more than 3 years ago | (#33762080)

Ahhhhh I wouldn't say that necessarily. Flash? Remote Desktop to a Linux tower or server? Enterprise server?

Yes, that may not entice the "average" user, whatever that happens to be, may not see the need for such things, but that is why there are options.

I love my Blackberry. I put my professors' powerpoints and my notes on it to study wherever I'm at. I have it set up to run my tower at home. I use it as a USB mass storage device as well, so I don't have to worry about forgetting my USB drive at home. This may be accomplished using another phone, but setting up my personal, free enterprise server at home can not be. With the exception of Android, where else can you create your own hybrid operating systems for your phone? Or update it with any operating system created by any phone manufacturer, not just my own? Plus the business uses, might as well get used to using this phone now, instead of when I get a job where they're required? (Although rare, could happen. Happened to my boyfriend, but he already had one as well and did not have to buy one)

I am admitting I am a blackberry fangirl, but hey, I found the perfect phone for me. I also admit I'm not a fan of "pretty" but a fan of functionality. Also, operating systems are my favorite aspect of CS, so naturally I'm drawn to this. (I've tried android a few times by mounting it on my netbook, and so far, not so impressed to be honest). Perhaps blackberry is more for the poweruser, Android in between, and iPhone for the "average". Whatever floats your boat.

Re:But... the playlists! (0)

Anonymous Coward | more than 3 years ago | (#33762440)

personal, free enterprise server ?

I didn't think that existed. Doesn't BES only run on Windows? I'd very much like to hear about what you have put together.

Re:But... the playlists! (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#33762490)

I am admitting I am a blackberry fangirl, but hey, I found the perfect phone for me. I also admit I'm not a fan of "pretty" but a fan of functionality.

You must be one of them shemales. Chicks with dicks. Or maybe you're fat. Gotta be something like that going on here because you sound too much like the ideal women any real man dreams of. I.e. grown up enough not to get caught up wasting tons of energy on frivolous trivialities that don't matter.

Most women continue to age physically but stopped developing their character and emotional maturity sometime during their teens. Why should they have to do all the hard work of character growth and introspection and learning life's hard lessons once they figure out that showing a little cleavage means they always get their way? Why would they have to grow up when some man will put up with their shit and be with them just the way they are? The woman who rises above that before her beauty fades is a rare creature indeed.

Re:But... the playlists! (1)

Bert64 (520050) | more than 3 years ago | (#33766318)

The iPhone has remote desktop, VNC and SSH clients, as do Android phones; they also have VoIP clients, which BlackBerry handsets seem to be severely lacking and which are great for business use: if you're physically in the office and within wireless range, calls are routed over that, otherwise they are routed over your cell service.

BES runs on windows (which is not free) and requires a corporate groupware setup such as exchange, notes or groupwise, none of which are free.

Other phones now offer many of the same features, but by integrating directly with the mail server and not requiring a third party server or service.

I don't like the idea of having to use RIM's service or run their server; I want something open which I can use with any mobile service and any backend server. ActiveSync may not be that open, but there are specs available and third-party implementations, which is more than can be said for RIM's protocols.

Re:But... the playlists! (1)

Bert64 (520050) | more than 3 years ago | (#33766342)

I don't understand how you can claim blackberry is for power users, you have a closed proprietary platform tied to a closed proprietary service and requires you to run another closed proprietary server... You get far more flexibility from android, and even from iOS once you jailbreak it.

Blackberry is aimed at business users who have very limited requirements, quite the opposite of a power user.

Re:But... the playlists! (1, Interesting)

Anonymous Coward | more than 3 years ago | (#33762212)

How the hell is this "insightful?"

Wake me up when Apple provides end-to-end encryption for e-mails. Oh that's right: they don't. That's why you don't see India or any other 3rd world country threatening to "shut off" iPhones. BBM isn't simply a stupid e-mail application accessing a POP3 server someplace.

The iPhone is great for people who are distracted by shiny things. But don't fool yourself into thinking what RIM is doing is "nothing special."

In addition, the summary is bogus. RIM's encryption has NOT been hacked, just some backup application. Were it that easy I don't think the Saudis would be kicking up the stink they are.

Re:But... the playlists! (1)

Bert64 (520050) | more than 3 years ago | (#33766366)

The iphone supports SSL for IMAP, POP3 and SMTP... It also supports SSL for Activesync.
There is also support for establishing a VPN connection.

Sure, Apple don't mandate the use of a proprietary service and give you the option to use plain unencrypted imap/pop3 if you want to.

What RIM are doing is locking users in to their proprietary service and proprietary server; Android and iOS based phones will talk to any number of standards-compliant servers from a multitude of different sources, with or without encryption.

Apple/Google give the customers choices, RIM don't.

Re:But... the playlists! (2, Interesting)

gstoddart (321705) | more than 3 years ago | (#33761668)

Notice how the blackberry adds have shifted from being about business apps and security to how cool it is that you can edit a MP3 playlist.

Whole thing smacks of desperation.

Well, initially the BlackBerry was a corporate device. Then a lot of consumers decided they wanted one so they could do messaging and email.

However, Apple and other manufacturers have been making smart phones which have way more consumer features than business and have been correspondingly taking a lot of market share away from RIM. In fact, I heard analysts saying the other week that while sales of BlackBerries are growing, they're not growing as fast as Apple and Android phones are. So, their corresponding market share is decreasing even while their sales are increasing -- they're just not increasing as fast as the rest of the market.

I'd say that they're getting very desperate. Like 'em or hate 'em, the iPhone and its ilk have become hugely popular for non business users -- arguably, a much larger market.

Of course, if you want to schedule a meeting or use powerpoint, get a BlackBerry (or a PC ;-).

Re:But... the playlists! (1)

grub (11606) | more than 3 years ago | (#33761828)


I'd say that they're getting very desperate. Like 'em or hate 'em, the iPhone and its ilk have become hugely popular for non business users -- arguably, a much larger market.

Even for business users.

I've heard of many places opening up their email/calendar/directory (or Exchange) servers to iPhones and the like. Many users don't want to carry around two devices which perform the same functions.

At our place we have a How To for iPhone users but don't support beyond that. Company-supplied Blackberries are still fully supported.

Re:But... the playlists! (1)

cjb658 (1235986) | more than 3 years ago | (#33762294)

One of the companies I work for recently switched all employees over to iPhones because it was cheaper (and easier) to buy new phones than to buy a BES server.

"Business" users identify with luxury goods (1)

swb (14022) | more than 3 years ago | (#33764440)

Business users identify with luxury goods. There's a crossover point between cool, high tech, trendy and luxury goods that attracts business people. The iPhone is seen as high end, and this naturally draws in business people.

Re:But... the playlists! (1)

nullifi (1085947) | more than 3 years ago | (#33762140)

My Android phone displays PowerPoint just fine thanks to Documents to Go. I'm fairly positive that they iPhone version as well..

Re:But... the playlists! (1)

gstoddart (321705) | more than 3 years ago | (#33762992)

My Android phone displays PowerPoint just fine thanks to Documents to Go. I'm fairly positive that they iPhone version as well..

I didn't mean to imply you couldn't do that, hence the smiley face ... I was more sniping a little at the whole "PC vs Mac" joke and how people use the devices.

Many of the people buying smartphones specifically didn't want to do "business" activities. It is Facebook and Twitter and YouTube, not spreadsheets and concalls. The things like editing playlists was more important to them.

So, now everybody is finally realizing that most people use a computer differently than the traditional "word processing/spreadsheet/powerpoint" corporate model of computers over the last bunch of years. This is how Apple has tried to differentiate themselves by giving a software experience that was geared to media and people.

Portable devices and touch screens almost bring in a new paradigm of doing different things on "computery devices" -- a modern smartphone does things that were literally science fiction 20 years ago, possibly not even imagined.

If RIM didn't shift from being about business apps to media and consumer apps, they would fast become irrelevant.

Re:But... the playlists! (1)

afidel (530433) | more than 3 years ago | (#33762266)

RIM's sales are growing faster than Apple's (+4.5M vs +3.4M year over year growth for the second quarter). They're just growing slower in percentage terms since RIM had such a large number of units shipped all along. Android is growing mostly at the cost of Symbian.

Re:But... the playlists! (2, Funny)

noidentity (188756) | more than 3 years ago | (#33762528)

Notice how the blackberry adds have shifted from being about business apps and security to how cool it is that you can edit a MP3 playlist.

You know you're a geek when you read the above sentence and first think it's describing the encryption algorithm that was hacked (add, shift).

Simple solution (4, Interesting)

Prune (557140) | more than 3 years ago | (#33761174)

Back up to a non-encrypted IPD file and put it into a TrueCrypt volume--or better yet, don't back up to an insecure machine! This story would have been much more newsworthy if they had broken the actual phone's encryption, AES and elliptic curve D-H.

Re:Simple solution (0)

Anonymous Coward | more than 3 years ago | (#33761412)

Or better yet don't get a blackberry!

Re:Simple solution (4, Informative)

mbourgon (186257) | more than 3 years ago | (#33761608)

Um, no. My last two jobs mandated them. They work exceptionally well in a business environment, and while I love the iPhone it's not yet as good for the enterprise. So for personal use, "don't get one hurr" may work, for the majority of bberry users it's not an option. That being said, most users don't back it up - if you're tied to exchange, all the important stuff is synched to it and all you need to do with a new bberry is to associate it to the same acct.

Re:Simple solution (-1)

Anonymous Coward | more than 3 years ago | (#33761934)

really?

How is a blackberry better than almost any smartphone at this point?

Exchange can be supported, application controls and/or installs, all of these are an option on android and ios.

Why Blackberry still works (4, Informative)

markdowling (448297) | more than 3 years ago | (#33762840)

Remote Application Deployment from BES
Application Policies
Applications can be installed from PCs or BES, not just The Apps Steve Likes
They sell an integrated keyboard, or a narrow-factor phone, not just The Touchscreen Steve Likes

Re:Simple solution (0)

Anonymous Coward | more than 3 years ago | (#33763028)

I'm not a BB user, but I was forced to install a BB enterprise server at my small company. It was a PITA since I'd never done it before. However, once installed, the thing is solid. Their mail just always arrives, usually before Outlook has had a chance to get it. There just don't seem to be the problems we'd get with previous smartphones. Maybe others are better now, I don't know, but I do know that if you care about email above all else, it seems to be the way to go. "Exchange can be supported" isn't the same thing at all - if you're using the BB server, email just works, end of story.

Re:Simple solution (1)

phyrexianshaw.ca (1265320) | more than 3 years ago | (#33764352)

Before outlook has a chance to get it

Outlook doesn't get e-mail, Outlook displays e-mail. The Mail Transport server "get"s e-mail, and stores it in a database. All Outlook does is present users an interface for that database.

I think what you were trying to say was that the phones provide notification of e-mail before outlook does.

Re:Simple solution (1)

acoustix (123925) | more than 3 years ago | (#33765326)

Outlook doesn't get e-mail, Outlook displays e-mail. The Mail Transport server "get"s e-mail, and stores it in a database. All Outlook does is present users an interface for that database.

I think what you were trying to say was that the phones provide notification of e-mail before outlook does.

Since Outlook version 2003 the default setting is to locally cache the content. So Outlook does indeed get email. It stores the information in a .ost file so Outlook can be used in an offline status.

Re:Simple solution (1)

drcheap (1897540) | more than 3 years ago | (#33765782)

Outlook doesn't get e-mail, outlook displays e-mail.

Configured to access a mailbox via POP3, it gets email.

Well, okay, it RETRs email, but that's just an implementation detail.

Re:Simple solution (4, Interesting)

mlts (1038732) | more than 3 years ago | (#33761632)

It is still a hole though, and one that is completely preventable. Most serious crypto products around use key strengthening, be it KeePass with its user-selectable number of rounds, TrueCrypt with its 1000 rounds, or iOS 4's 10,000 rounds. Heck, even the venerable crypt(3) mechanism had a number of rounds to slow down people running Crack over 20 years ago, back before passwords were stored in /etc/shadow.

How can this be fixed? Use a reasonable number of rounds (enough to slow down brute forcing, but not so many that it kills day-to-day normal operation). Also, use a salt, so rainbow table pre-computation of keys is impossible.

In the meantime, the parent poster probably has the best solution. For maximum security, add a cryptographic token and store a TC keyfile on that. This way, if someone tries to brute force the token's passphrase, they have 3-20 tries before the token permanently fries itself.

Re:Simple solution (2, Informative)

blueg3 (192743) | more than 3 years ago | (#33761836)

PBKDF2, which the BlackBerry backups use, always uses a salt. One round is a joke, though. The 4096 rounds of WPA aren't really sufficient, and the 1000 rounds of FileVault are really a mistake.

Re:Simple solution (1)

mlts (1038732) | more than 3 years ago | (#33762274)

What would be ideal is functionality that KeePass has. It has the option to scale the number of rounds to one second of your hardware's CPU time, with the ability to edit the rounds up and down to preference. For BB users who don't want this detail, this can be a semi-hidden option, and the device can automatically compute how many rounds it takes to use up a second or two of CPU time.

It is understandable why TrueCrypt doesn't do this (because it has to guess a number of times with various combinations of hashes, algorithm combinations, and header variations before it can mount a volume), but for something where it doesn't matter if it is obviously encrypted (where it can have an obvious header), this should be an available option.

Really? (0)

Anonymous Coward | more than 3 years ago | (#33761206)

What was the code? 1, 2, 3, 4, 5?

Re:Really? (-1)

Anonymous Coward | more than 3 years ago | (#33761290)

1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage! 1,2,3,4,5? That's amazing! I've got the same combination on my luggage!

haha! (-1)

Anonymous Coward | more than 3 years ago | (#33761220)

haha! /nelson

why was it easier? (2, Insightful)

Mike Davi Kristopeit (1913240) | more than 3 years ago | (#33761252)

was the encryption scheme weaker, or were disgruntled RIM employees more willing to hand over the keys than disgruntled apple employees?

Re:why was it easier? (0)

Anonymous Coward | more than 3 years ago | (#33761490)

Good question. If only there was some sort of thing in the summary you could click on that would give more information.

Re:why was it easier? (-1, Offtopic)

Fantastic Lad (198284) | more than 3 years ago | (#33761498)

was the encryption scheme weaker, or were disgruntled RIM employees more willing to hand over the keys than disgruntled apple employees?

I was going to say something about some secret service handing them over in the interests of further locking down the public in fear-mode in order to justify the sale of more human rights at fire-sale prices. After all, we've been primed with several bits of knowledge, (Obama uses a Blackberry! Russians Under The Bed are back in vogue!).

I mean, doesn't the CIA (or whoever) require a backdoor key? Don't they have the technology to break any public encryption at will? Of course they do!

This is all about population culling. That's what this phony war on terror is all about. Ramming this awful police state into place asap. Do you think they're not going to USE that police state? Of course they are. Those empty camps aren't going to be empty much longer.

Jeez. When Jon Stewart has obviously been cowed into submission, you know the end is near.

-FL

Re:why was it easier? (0)

Anonymous Coward | more than 3 years ago | (#33761528)

RIM used no key strengthening [wikipedia.org] which makes cracking the password used for backups very efficient. Usually, you're supposed to do tons of stuff to a password before it becomes a cryptographic key (e.g. hash it thousands of times), such that generating the key for one password takes a split second, but testing passwords en masse becomes impractical. They used the right algorithm, but set the number of iterations at 1, i.e., no strengthening.

They're apparently using a well-known algorithm (PBKDF2 [wikipedia.org]), which is specified to require a large number of iterations, and yet they're doing only one. I'm not a fan of conspiracy theories, but I would consider the possibility that this is a deliberate weakness/backdoor. Either that or someone at RIM is seriously incompetent.

If only the article supplied more information (3, Funny)

apparently (756613) | more than 3 years ago | (#33761612)

Backup encryption uses AES with a 256-bit key. So far, so good. An AES key is derived from the user-supplied password, and this is where the problem arises. In short, standard key-derivation function, PBKDF2, is used in a very strange way, to say the least. Where Apple has used 2,000 iterations in iOS 3.x, and 10,000 iterations in iOS 4.x, BlackBerry uses only one.

If only the article had the above information on page 2, you'd have the answer to your question. If only.

Re:why was it easier? (0)

Anonymous Coward | more than 3 years ago | (#33762054)

RIM employees are required to leap from tall buildings after leaking info.

Solution (1)

mark72005 (1233572) | more than 3 years ago | (#33761334)

Solution - no more backups!

Re:Solution (0)

Anonymous Coward | more than 3 years ago | (#33761724)

Solution - no more backups!

Everything on the blackberry gets backed up to the blackberry enterprise server anyway.

You really don't need a local backup for very much...

Re:Solution (1)

simpz (978228) | more than 3 years ago | (#33762124)

Mod this up. This is a huge non story. Everything you should really care about should be backed up by the BES into your mail account. I have never backed up my corporate BB and on changing device it preserves pretty much everything I care about, even Browser bookmarks.

Need access to the backup machine too (1)

markdowling (448297) | more than 3 years ago | (#33762998)

But then access to a Wintel box is trivial these days, especially with Adobe helping out.

I administer 130 BlackBerrys and there isn't an IPD file in the entire outfit - that's what BES and its backups are for.

"backups a risk" (0)

Anonymous Coward | more than 3 years ago | (#33761466)

Did you mean to say "backups at risk"?

Does this make them legal in the Middle East now? (2, Funny)

Suki I (1546431) | more than 3 years ago | (#33761512)

Does this solve that encryption complaint the UAE, Saudis and others had about Blackberry?

Re:Does this make them legal in the Middle East no (1)

JonySuede (1908576) | more than 3 years ago | (#33761686)

No, since only the backup encryption is broken, and it still takes 3 days to crack a 7-character mixed-case password.

Not "encryption hacked" (5, Informative)

blueg3 (192743) | more than 3 years ago | (#33761692)

The encryption itself is just fine (at least, for now). While it's interesting that the data is transmitted in the clear and then encrypted by the backup software, they don't propose exploiting this (which would be an inconvenient attack).

This is simply a brute-force password cracker that's specific to BlackBerry backups. It's not particularly specific, either, as the backups are encrypted with AES and the key is derived from a password using the standard PBKDF2. There are tons of PBKDF2-crackers out there (like coWPAtty). The surprising thing is that they only use single-iteration PBKDF2, which is a joke.

This, incidentally, is what is meant by the statement in TFS that cracking BlackBerry backup passwords is easier than cracking iOS passwords. Difficulty in password cracking (amount of computational time per password) for PBKDF2 is roughly proportional to the number of iterations. IIRC, WPA uses 4096, Apple's FileVault uses 1000, and BlackBerry backups apparently use 1.
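An added example, not code from the article or from any poster in this thread, that shows both of the points made above: with one iteration PBKDF2 collapses to a single HMAC per candidate password, so the cost of each guess scales with the iteration count (blueg3's point), and a KeePass-style calibration of the kind mlts suggests can pick an iteration count for the machine at hand. The salt, password and iteration counts are constructed for illustration; the real BlackBerry backup format is not modelled.

```python
"""Why the PBKDF2 iteration count sets the price of each password guess,
and how to auto-tune it. Standard library only; all inputs constructed."""
import hashlib
import hmac
import struct
import time

# Constructed sample inputs (not values from any real backup).
SALT = b"constructed-16B!"      # a real salt should be random and per-backup
PASSWORD = b"correct horse"      # the user-supplied backup password
KEY_LEN = 32                     # AES-256 key, as the quoted article describes


def derive_key(password: bytes, salt: bytes, iterations: int,
               dklen: int = KEY_LEN) -> bytes:
    """PBKDF2-HMAC-SHA256, the standard construction. `iterations` is the
    single parameter the whole thread is arguing about."""
    if iterations < 1:
        raise ValueError("PBKDF2 requires at least one iteration")
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)


def single_iteration_is_one_hmac(password: bytes, salt: bytes) -> bool:
    """With c == 1 and dkLen <= hash length, PBKDF2 is exactly
    T_1 = U_1 = PRF(P, S || INT(1)): one HMAC per candidate password.
    That is what 'no key strengthening' means in practice."""
    one_hmac = hmac.new(password, salt + struct.pack(">I", 1),
                        hashlib.sha256).digest()
    return derive_key(password, salt, 1) == one_hmac


def seconds_per_derivation(iterations: int, samples: int = 3) -> float:
    """Median wall-clock cost of one derivation at this iteration count."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        derive_key(PASSWORD, SALT, iterations)
        timings.append(time.perf_counter() - start)
    return sorted(timings)[samples // 2]


def relative_guess_cost(low: int, high: int) -> float:
    """Measured factor by which each guess gets more expensive when moving
    from `low` to `high` iterations (expected: roughly high / low)."""
    return seconds_per_derivation(high) / seconds_per_derivation(low)


def calibrate_iterations(target_seconds: float, floor: int = 10_000,
                         probe: int = 20_000) -> int:
    """KeePass-style auto-tuning: time a probe count, scale linearly to the
    target (PBKDF2 cost is linear in the count), never drop below a floor
    so a slow or busy machine cannot calibrate itself into weakness."""
    per_probe = seconds_per_derivation(probe)
    estimate = int(probe * target_seconds / per_probe)
    return max(floor, estimate)


if __name__ == "__main__":
    print("c=1 is a single HMAC:", single_iteration_is_one_hmac(PASSWORD, SALT))
    for count in (1, 1_000, 4_096, 10_000):
        cost = seconds_per_derivation(count) * 1e6
        print(f"{count:>6} iterations: {cost:9.1f} us per guess")
    print("iterations for ~0.5 s on this machine:", calibrate_iterations(0.5))
```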

Okay... so it's not AES that got cracked... (1)

awinnenb (1907486) | more than 3 years ago | (#33761704)

So, if I read the article correctly, it hasn't been hacked so much as improperly implemented on blackberry's part. Honestly, the title made me think AES had been cracked which... yeah, that would be bad.

You're doing it the hard way. (4, Interesting)

McGregorMortis (536146) | more than 3 years ago | (#33761758)

This "weakness" seems a little silly.

You typically make your backups on your office desktop PC, and leave them there. But all the sensitive data in the backup file was already there on that same PC, in your corporate mailbox, completely unencrypted.

Cracking a Blackberry backup file would be the hardest way to get access to that data.

Re:You're doing it the hard way. (2, Insightful)

TubeSteak (669689) | more than 3 years ago | (#33764034)

You typically make your backups on your office desktop PC, and leave them there. But all the sensitive data in the backup file was already there on that same PC, in your corporate mailbox, completely unencrypted.

Cracking a Blackberry backup file would be the hardest way to get access to that data.

It would create the least amount of loggable activity.
And it's much faster to copy 1 file than to dig around for XYZ # of files.

YAH BABY! SHORT SELL FREE MONEY! (0)

Anonymous Coward | more than 3 years ago | (#33761762)

I just finished entering my March 2011 short on this stock. I'm not sure if I should buy a Ferrari or a Maserati with the profits.

Maybe you guys can help me decide?

Re:YAH BABY! SHORT SELL FREE MONEY! (0)

Anonymous Coward | more than 3 years ago | (#33763116)

I'm not sure if I should buy a Ferrari or a Maserati with the profits.

Sounds like penis enlargement pills would be a good choice for you.

In other news (4, Funny)

RegTooLate (1135209) | more than 3 years ago | (#33762032)

The NSA announced today that they are offering secured online backup for all Blackberry users. RIMM responded saying they were surprised how quickly the DNS poison spread but wish the NSA well in their user friendly backup service. Many Middle East governments are also now offering the easy secure backup service as well.

UAE and Saudi (1)

flyingfsck (986395) | more than 3 years ago | (#33762060)

Soooo, the spat between UAE, Saudi, India and Blackberry is now moot...

Re:UAE and Saudi (0)

Anonymous Coward | more than 3 years ago | (#33762202)

Only if every user hands over the manual desktop backup that he took...

No wonder it was easy to crack. (-1, Troll)

140Mandak262Jamuna (970587) | more than 3 years ago | (#33762066)

All you have to do is to bribe a Dubai official and you will get all the keys that RIM handed over to them ostensibly to protect "security of the state".

Down with blackberry (0, Interesting)

Anonymous Coward | more than 3 years ago | (#33762150)

I can't believe anyone uses crackberries. We used them for a year and everyone has hated them. We bought Droid Incredibles for our office and love them so far. The only thing keeping blackberries around, I would guess, is the ability to lock them down with the BES server, I believe it's called. But they still suck....

Down with Blackberry, Windows Mobile, etc. Hail to iOS and Android!!

Gives new meaning (0)

Anonymous Coward | more than 3 years ago | (#33762214)

Gives new meaning to the term "Crackberry"

why do they implement proprietary encryption? (1)

bl8n8r (649187) | more than 3 years ago | (#33762242)

Why not just use the encryption based on gpg or some other existing open source encryption method? Anytime you give a bunch of programmers a chance to reinvent the wheel, you need to go through the exact same evolutionary process that the existing wheels went through. So why is it that companies keep doing so and ending up shooting themselves in the foot?

Re:why do they implement proprietary encryption? (1)

blueg3 (192743) | more than 3 years ago | (#33762684)

They don't. They use industry-standard algorithms, and the encryption itself wasn't compromised.

Re:why do they implement proprietary encryption? (1)

Bert64 (520050) | more than 3 years ago | (#33766440)

They implemented perfectly good encryption in a flawed way; you don't just need industry standard algorithms, you need to be able to verify that they are implemented correctly.

Re:why do they implement proprietary encryption? (1)

blueg3 (192743) | more than 3 years ago | (#33766578)

They're implemented fine. They chose a particularly poor value for one of the parameters. Your implementation of PBKDF2 is the same regardless of the number of rounds; number of rounds is simply a parameter.
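
The point made in this comment, that the PBKDF2 code path is identical whatever the round count and the cost lives entirely in one stored parameter, as an added example (constructed here, not RIM's or Elcomsoft's code). It assumes PBKDF2-HMAC-SHA256 with a 32-byte derived key; the salt, passwords and guess list are constructed values.

```python
"""Added example: PBKDF2 iteration count as the only cost knob.

The derivation is the same function for 1 round or 100,000 rounds; only
the stored iteration parameter changes. A verifier reads that parameter
back from the stored record, and so does anyone holding the backup: a low
value cannot be hidden, it sits right next to the salt.
Constructed example, not BlackBerry/RIM code.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import List, Optional

HASH_NAME = "sha256"   # assumption: any HMAC hash works; sha256 chosen here
KEY_LEN = 32           # derived key length in bytes (assumption)


@dataclass
class Record:
    """Everything a verifier (or an attacker with the file) sees."""
    salt: bytes
    iterations: int
    key: bytes


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC over the password; `iterations` is the only cost parameter."""
    return hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def make_record(password: str, iterations: int,
                salt: Optional[bytes] = None) -> Record:
    """Create the stored record: random salt unless one is supplied."""
    if salt is None:
        salt = os.urandom(16)
    return Record(salt, iterations, derive_key(password, salt, iterations))


def verify(password: str, record: Record) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    candidate = derive_key(password, record.salt, record.iterations)
    return hmac.compare_digest(candidate, record.key)


def time_guesses(record: Record, guesses: List[str]) -> float:
    """Wall-clock seconds to test every candidate in `guesses` against `record`.

    Per-guess cost scales linearly with the stored iteration count, which is
    exactly the lever a low round count gives away."""
    start = time.perf_counter()
    for guess in guesses:
        verify(guess, record)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt = b"constructed-salt"      # constructed; a real record uses os.urandom
    weak = make_record("s3cret!", 1, salt)
    strong = make_record("s3cret!", 100_000, salt)
    # Same password, same salt, same code path; only the parameter differs.
    print("1 round:       ", weak.key.hex())
    print("100000 rounds: ", strong.key.hex())
    guesses = ["password", "letmein", "s3cret!"]   # constructed guess list
    print("seconds, 1 round:      ", time_guesses(weak, guesses))
    print("seconds, 100000 rounds:", time_guesses(strong, guesses))
```

The two records are produced by the same function with the same salt; only the `iterations` field differs, and `verify` reads it back from the record, so the verifier never has to know in advance which work factor was used.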

Of course! (1)

hesaigo999ca (786966) | more than 3 years ago | (#33762608)

How long after the code was given to the Indian government that now it is in the wild with all sorts of hacks?
At least we know who we can point the finger at, and hopefully learn from this, that in future when they ask for code,
just say "NO, dat is not vedy vedy nise!"

Not just secure for today (2, Insightful)

mpfife (655916) | more than 3 years ago | (#33762766)

This is one of the biggest things people forget about with data security, and one of my professors at school was constantly mindful of it. Sure, 2048 bit keys and most modern cryptography are secure right now; but if you have really sensitive data - data about banking accounts, transaction records that your business depends on keeping secret for competitive reasons, voting records, etc. - you need that to remain secure for the life-time of the person - or even longer. This is MUCH harder - especially with the advent of quantum computer decryption around the corner. What if all your bank transactions and records from this point up till now became as easily readable as a zip file? What if you live in a country where, when the regime changes, those associated with the old regime get 'purged'? Your records are your life in such situations.

Remember, people can be storing up all those encrypted transactions you're sending around - and when the machines are fast enough - unencrypt them years or even decades later to reveal everything you said, did, bought/sold/voted on/etc. during those times. This is a perfect example of why you need to take into account the *lifetime* sensitivity of the data you're encrypting, or you could easily face serious consequences.

Conspiracy Theory (1)

microbee (682094) | more than 3 years ago | (#33763260)

RIM has been under pressure to open up backdoors for its user data to governments. This is against its official policy and promise. If it does not comply, it risks losing business in foreign markets. Now it can do so more easily because it's already leak^^^^hacked.

Decryption Snake Oil, or Panic? (3, Informative)

ratboy666 (104074) | more than 3 years ago | (#33763392)

So, it takes 3 days to crack the 7 character password. Adding 8 characters to the set (say, !@#$%^&*) would then increase that 3 days to... 2^21 more effort. Or, roughly 3 to 4 million days. Seems from the discussion that elcomsoft was able to brute force quickly (millions of passwords per second).

Add a few more characters and the effort to brute-force the thing goes up... exponentially. Unless, of course, elcomsoft has actually "cracked" the encryption, and not simply reduced the time to try a key.

What I would warn about is my "usual" advice for password generation (optional random character) word (optional random character) word (optional random character), because, as far as I can tell, that can now be broken by elcomsoft in 2 to 3 days (assuming they know that this is the pattern used, which we have to).

Very curious to see a review of this (before panic sets in).

ratboy666
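
The arithmetic this comment is doing, as an added example that is not part of the post: a small model of brute-force effort, constructed here rather than taken from Elcomsoft or RIM. It computes the search space for a given alphabet and length, the growth factor when symbols or characters are added, the space of the "(char?) word (char?) word (char?)" pattern the poster describes, and the time to exhaust a space at an assumed guess rate. The alphabet sizes, dictionary size, separator count and the 1,000,000 guesses/second rate are assumptions, the last one taken from the "millions of passwords per second" figure above.

```python
"""Added example: brute-force effort model for password guessing.

Constructed example; the numbers below are assumptions, not measurements
of any real cracking tool. Everything is exact integer arithmetic except
the final ratios and times.
"""
from math import log2


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates of exactly `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Search space expressed in bits, the usual way to compare spaces."""
    return log2(space)


def effort_ratio(base_alphabet: int, extra_symbols: int, length: int) -> float:
    """Growth factor of the search space when `extra_symbols` symbols are
    added to the alphabet while the password length stays fixed."""
    return keyspace(base_alphabet + extra_symbols, length) / keyspace(base_alphabet, length)


def length_ratio(alphabet_size: int, old_len: int, new_len: int) -> int:
    """Growth factor when the length grows from old_len to new_len: exactly
    alphabet_size ** (new_len - old_len), which is the 'exponential' part."""
    return keyspace(alphabet_size, new_len) // keyspace(alphabet_size, old_len)


def days_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case days to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / 86_400


def pattern_keyspace(dictionary_size: int, separator_symbols: int,
                     words: int = 2, optional_slots: int = 3) -> int:
    """'(char?) word (char?) word (char?)': each optional slot is either empty
    or one of `separator_symbols`, so it contributes (separator_symbols + 1)
    choices; each word slot contributes the dictionary size. An attacker who
    knows the pattern searches this space, not the full alphabet ** length."""
    return dictionary_size ** words * (separator_symbols + 1) ** optional_slots


if __name__ == "__main__":
    RATE = 1_000_000          # assumption: guesses per second
    base, length = 62, 7      # assumption: [A-Za-z0-9], 7 characters
    space = keyspace(base, length)
    print(f"62^7 = {space} candidates, {entropy_bits(space):.1f} bits")
    print(f"days at {RATE}/s: {days_to_exhaust(space, RATE):.1f}")
    print(f"adding 8 symbols at length 7: x{effort_ratio(base, 8, length):.2f}")
    print(f"length 7 -> 10 at 62 symbols: x{length_ratio(base, 7, 10)}")
    # assumption: 50,000-word dictionary, 10 possible separator characters
    pat = pattern_keyspace(50_000, 10)
    print(f"word-pattern space: {pat} ({entropy_bits(pat):.1f} bits), "
          f"{days_to_exhaust(pat, RATE):.1f} days at {RATE}/s")
```

The two growth functions make the poster's point concrete: widening the alphabet at fixed length multiplies the space by (new/old)^length, while adding characters multiplies it by the alphabet size per character, so length is the cheaper lever. The pattern function shows the other half of the comment: once the structure is known, the effective space is the dictionary-and-separator count, not the alphabet-and-length count.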

Apple Encryption vs BB Encryption (1)

jgtg32a (1173373) | more than 3 years ago | (#33764224)

>Apple devices act differently; the data is encrypted on the device and never leaves it in an unencrypted form. The Apple desktop software (iTunes) acts only as a storage and never encrypts/decrypts backup data.

The article says that but I was under the impression that the iPhone encryption was worthless because it never lets you access data in an encrypted format. What I mean is there was a race condition where you could have an iPhone plugged into a computer and turned off and when you turn the phone on it would allow you to mount the device before it activated the security and the phone would unencrypt the data as it was accessed. Also if you use a jailbreak attack you can dump the phone in its unencrypted format.

Was this patched, or is the article wrong?

Give us a break (2, Insightful)

thethibs (882667) | more than 3 years ago | (#33764562)

Both the headline and the article are overheated.

The "crack" requires that

  1. You have information that needs to be secured on your BB;
  2. In spite of that you've used a toy password; and
  3. The enemy has access to your backup files.

More than a bit of a stretch.
