Research in Motion is considered the premier maker of enterprise-grade mobile devices. But now a Russian firm says that a forensics tool it developed can reliably crack strong passwords used to secure the company’s BlackBerry phones.
Elcomsoft, a computer forensics software maker, said on Thursday that it has developed the ability to crack passwords used to protect BlackBerry phones. An update to the company’s Phone Password Breaker software can recover the device password of a BlackBerry phone when the user has enabled the Device Password security option to encrypt data stored on a removable media card.
The Device Password option allows BlackBerry users to encrypt phone data stored on a media card inserted in the BlackBerry. Users must enter the password when the device is powered on, or after it has timed out, in order to access data on the phone. Failing to enter the password correctly more than 10 times in a row causes the data on the phone to be wiped.
However, Elcomsoft said it has discovered that the password can be recovered directly from the removable media card when the user has opted to encrypt that data as well. By analyzing the data on the removable card separately from the phone, the company said its tool can circumvent the 10-wrong-password limit, trying millions of password combinations per second to break the code – a so-called “brute force” attack.
BlackBerry users who do not opt to encrypt data on the removable media card are not vulnerable to having their device password cracked.
“To the contrary of this feature’s intent, those opting for extra security may be actually opening a way for investigators to overcome BlackBerry’s hallmark security feature,” the company said in a press release.
Once the password is recovered from the media card, it can be used to access data stored on the phone, Elcomsoft said.
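To make concrete why the ten-attempt wipe does not protect a secret that can be read off the card, here is an added toy model written for this article (it is neither BlackBerry’s on-card scheme nor Elcomsoft’s tool; the card format, PBKDF2 stretching, salt, wordlist and passwords are all constructed): the same guess list is run through a handset that enforces the lockout and against a verifier copied from the card.

```python
import hashlib
import hmac
# Constructed toy model, not BlackBerry's real on-card format: the card holds a
# salt and a check value derived from the device password so the handset can
# test a password before decrypting. All values below are made up for the demo.
CARD_SALT = b"constructed-salt-0001"
KDF_ITERATIONS = 1_000  # kept low so the demo runs fast

def make_card_verifier(password):
    """Check value a card would store beside the encrypted data (PBKDF2 + HMAC)."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), CARD_SALT, KDF_ITERATIONS)
    return hmac.new(key, b"verify", "sha256").digest()

class LockedDevice:
    """Online path: the handset counts wrong guesses and wipes at the limit."""
    MAX_ATTEMPTS = 10

    def __init__(self, password):
        self._verifier = make_card_verifier(password)
        self.failures = 0
        self.wiped = False

    def try_password(self, guess):
        if self.wiped:
            return False
        if hmac.compare_digest(make_card_verifier(guess), self._verifier):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.MAX_ATTEMPTS:
            self.wiped = True  # data is gone; every later guess fails too
        return False

def guess_online(device, wordlist):
    """Guess through the handset: the wipe ends the search after ten misses."""
    for word in wordlist:
        if device.try_password(word):
            return word
    return None

def guess_offline(card_verifier, wordlist):
    """Guess against a verifier copied off the card: no counter, no wipe."""
    for word in wordlist:
        if hmac.compare_digest(make_card_verifier(word), card_verifier):
            return word
    return None

# Constructed wordlist; the real password sits past the ten-attempt limit.
WORDLIST = [f"guess{i:02d}" for i in range(12)] + ["Tr0ub4dor", "guess99"]
```

Because no counter applies to the copied verifier, the only defences left on the card side are the cost of the key derivation and the length of the password, which is why a low iteration count like the one in this demo is a poor choice for a real design.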
Elcomsoft, which is based in Russia, said it estimates around a third of BlackBerry users opt to encrypt the media card data.
Lost and stolen phones represent the single biggest threat to smartphone users and their employers, especially as more workers use their phones to check work e-mail and perform other sensitive activities.
The Threatpost Enterprise Mobile Survey found that more than 40% of respondents used their mobile devices to connect to corporate WiFi networks. More than 90% used them to check work e-mail.