InfoWorld is reporting that a Russian password-recovery firm has found a way to break RIM’s industrial-grade security for BlackBerry server backups.
According to the article, CEO Vladimir Katalov says:
“All data transmitted between a BlackBerry Enterprise Server and BlackBerry smartphones is encrypted with a highly secure AES or Triple DES algorithm. Unique private encryption keys are generated in a secure, two-way authenticated environment and are assigned to each BlackBerry smartphone user. Even more, to secure information stored on BlackBerry smartphones, password authentication can be made mandatory through the policies of a BlackBerry Enterprise Server (by default, password authentication is limited to ten attempts, after which the smartphone’s wiped clean with all its contents erased). Local encryption of all data, including messages, address book and calendar entries, memos and tasks, is also provided, and can be enforced via the IT policy as well. With the supplied Password Keeper, Advanced Encryption Standard (AES) encryption allows password entries to be stored securely on the smartphone, enabling users to keep their online banking passwords, PIN codes, and financial information handy — and secure. If that’s not enough, system administrators can create and send wireless commands to remotely change BlackBerry device passwords, lock or delete information from lost or stolen BlackBerries.
Sounds pretty secure, doesn’t it? As always, there is the weakest link. With BlackBerry, the weakest link is its offline backup mechanism.”
The article goes on to say that while this is disturbing, it affects backups alone, and, well, frankly they’re “just backups”. But Katalov also argues that backups are evil because they create a new copy of information that might be private or sensitive. Then he explains the hole in the BlackBerry backup scheme:
Backup encryption uses AES with a 256-bit key. So far, so good. An AES key is derived from the user-supplied password, and this is where the problem arises.
In short, the standard key-derivation function, PBKDF2, is used in a very strange way, to say the least. Where Apple has used 2,000 iterations in iOS 3.x, and 10,000 iterations in iOS 4.x, BlackBerry uses only one. Another significant shortcoming is that it’s BlackBerry Desktop Software that encrypts data, not the BlackBerry device itself. This means that the data is passed from the device to the computer in a plain, unencrypted form. Apple devices act differently; the data is encrypted on the device and never leaves it in an unencrypted form. The Apple desktop software (iTunes) acts only as storage and never encrypts/decrypts backup data. This is quite surprising since the BlackBerry platform is known for its unprecedented security, and we’ve been expecting BlackBerry backup protection to be at least as secure as Apple’s, which turned out not to be the case.
What does that mean for us? We can run password recovery attacks on BlackBerry backups really fast — even without GPU acceleration, we can go over millions of passwords per second.
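To make the iteration-count point concrete, here is an added example (not code from the article, from Katalov, or from RIM) that derives a backup key with PBKDF2 at one iteration and at the iOS-style counts quoted above, and measures how much each setting slows down password guessing. The page does not say which hash function or salt the BlackBerry format uses, so PBKDF2-HMAC-SHA256 and a constructed salt are assumptions standing in for it; the observation it demonstrates holds for any PRF: at one iteration, PBKDF2 collapses to a single HMAC call, which is why the quoted guessing rate is so high.

```python
import hashlib
import hmac
import time

# Assumption: the real format's PRF and salt are not given on the page;
# PBKDF2-HMAC-SHA256 with a constructed salt stands in for them here.
CONSTRUCTED_SALT = b"constructed-backup-salt"


def derive_key(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """Derive a dklen-byte key with PBKDF2-HMAC-SHA256 (the KDF the post discusses)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)


def single_hmac(password: bytes, salt: bytes) -> bytes:
    """PBKDF2 with c=1 is just T_1 = U_1 = PRF(P, S || INT(1)): one HMAC call.

    This is what 'only one iteration' means in practice: every password guess
    costs the attacker exactly one HMAC-SHA256 evaluation, nothing more."""
    return hmac.new(password, salt + (1).to_bytes(4, "big"), hashlib.sha256).digest()


def cost_multiplier(iterations: int, baseline: int = 1) -> int:
    """How many times more work each guess costs relative to a baseline count."""
    if iterations < 1 or baseline < 1:
        raise ValueError("iteration counts must be positive")
    return iterations // baseline


def guesses_per_second(iterations: int, trials: int = 200, salt: bytes = CONSTRUCTED_SALT) -> float:
    """Rough single-core guessing rate a defender can expect for a given setting.

    Candidate passwords are constructed locally; this measures the KDF's cost,
    not any real backup. Higher numbers mean weaker protection."""
    candidates = [b"guess%06d" % i for i in range(trials)]
    start = time.perf_counter()
    for candidate in candidates:
        derive_key(candidate, salt, iterations)
    elapsed = time.perf_counter() - start
    return trials / elapsed if elapsed > 0 else float("inf")


def compare_settings(settings=(1, 2000, 10000)) -> dict:
    """Guessing rate for each iteration count quoted in the post (1, iOS 3.x, iOS 4.x)."""
    return {count: guesses_per_second(count) for count in settings}


if __name__ == "__main__":
    # Sanity check: one iteration really is a single HMAC.
    assert derive_key(b"pw", CONSTRUCTED_SALT, 1) == single_hmac(b"pw", CONSTRUCTED_SALT)
    for count, rate in compare_settings().items():
        print(f"{count:>6} iterations: ~{rate:,.0f} guesses/s on one core "
              f"({cost_multiplier(count)}x the work of a single iteration)")
```

Run it once to see the ratio on your own hardware: the absolute numbers depend on the machine, but the 2,000x and 10,000x slowdowns hold regardless, and that multiplier, not the AES-256 key length, is what decides whether a backup password survives an offline guessing attack.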
So, what does all this mean to you? Simply put, anyone interested in the data you back up now has a practical way to get at it. Now that a method to crack this information has been demonstrated, a rogue employee, a competitor, or even just some random hacker looking for a thrill can potentially get your data.
What would that data loss mean to your company?
Think this might be too much of a stretch for you to worry about? Espionage and data loss occur only with Fortune 500 companies, government entities or James Bond – right? I can show you how, for about $500 or less, I can hire a motivated programmer to target your server and steal your data. Really.
This exploit will undoubtedly be fixed, but until it’s patched, there are plenty of opportunities for your data to be compromised. Talk to your experts and see what you can do to prevent this from happening today.