Encryption Won't Protect Your BlackBerry Now
Did you think your BlackBerry data was safe because it's encrypted on the phone, over the airwaves, and in its backup form? Think again.
Russian software developer ElcomSoft, which, with its Russian competitor AccentSoft, has developed effective password-cracking programs for most common desktop encryption formats, is at it again. Now, it's targeted the BlackBerry with a Phone Password Breaker that was previously limited to Apple mobile devices.
Like all password-cracking programs, this is a double-edged sword. On one hand, it can save your bacon if you really need the data backed up from a phone that's been stolen and remotely wiped. On the other hand, cyber criminals who get their hands on your backup now have a way to read encrypted business data. In addition, government agencies that have a good reason to read your data can dig in.
According to ElcomSoft CEO Vladimir Katalov:
All data transmitted between a BlackBerry Enterprise Server and BlackBerry smartphones is encrypted with a highly secure AES or Triple DES algorithm. Unique private encryption keys are generated in a secure, two-way authenticated environment and are assigned to each BlackBerry smartphone user. Even more, to secure information stored on BlackBerry smartphones, password authentication can be made mandatory through the policies of a BlackBerry Enterprise Server (default, password authentication is limited to ten attempts, after which the smartphone's wiped clean with all its contents erased). Local encryption of all data, including messages, address book and calendar entries, memos and tasks, is also provided, and can be enforced via the IT policy as well. With the supplied Password Keeper, Advanced Encryption Standard (AES) encryption allows password entries to be stored securely on the smartphone, enabling users to keep their online banking passwords, PIN codes, and financial information handy -- and secure. If that's not enough, system administrators can create and send wireless commands to remotely change BlackBerry device passwords, lock or delete information from lost or stolen BlackBerries.
Sounds pretty secure, does it? As always, there is the weakest link. With BlackBerry, the weakest link is its offline backup mechanism.
Katalov goes on to explain that backups are good because, well, they are backups. But he also says they are evil because they create a new instance of information that might be private or sensitive. Then he explains the hole in the BlackBerry backup scheme:
That means that it only takes three days to break a seven-letter mixed-case password -- ouch. It takes a little more time if there are numbers and special characters in the password or the password is longer and much less time if the password is all one case, subject to a dictionary attack, or is partially known.
Bottom line: If you really need to recover your BlackBerry backup and can't remember your password, there's still hope. At the same time, if you let the backup file out of your control and into the hands of an attacker, you're in deep trouble.
This article, "You can no longer rely on encryption to protect a BlackBerry," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.