Firm Claims To Break Blackberry Device Password

Research in Motion is considered the premier maker of enterprise-grade mobile devices. But now a Russian firm says that a forensics tool it developed can reliably crack strong passwords used to secure the company’s BlackBerry phones.

Elcomsoft, a computer forensics software maker, said on Thursday (PDF) that it has developed the ability to crack passwords used to protect BlackBerry phones. An update to the company’s Phone Password Breaker software can recover device passwords securing BlackBerry phones in cases where the user has enabled the Device Password security option to encrypt data stored on a removable media card.

The Device Password option allows BlackBerry users to encrypt phone data stored on a media card in the BlackBerry. Users must enter the password when the device is powered on, or after it has timed out, in order to access data on the phone. Failing to enter the password correctly more than 10 times in a row causes the data on the phone to be wiped.

However, Elcomsoft said it has discovered that the password can be recovered directly from the removable media card in cases where the user has opted to encrypt that data also. By analyzing the data on the removable card, separate from the phone, the company said its tool can circumvent the limit of 10 wrong passwords, trying millions of password combinations per second to break the code – a so-called “brute force” attack.

BlackBerry users who do not opt to encrypt data on the removable media card are not vulnerable to having their device password cracked.
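The following is an added worked example, not code from Elcomsoft or from the original article, showing why it matters for password policy that guessing can move off the handset: it compares the 10-attempt limit with an unthrottled offline search and computes the password length needed to outlast a given search time. The rate of 5,000,000 guesses per second is an assumption (the article says only "millions"), and passwords are assumed to be chosen uniformly at random.

```python
GUESSES_PER_SEC = 5_000_000  # assumption: the article says only "millions per second"
WIPE_LIMIT = 10              # from the article: handset wipes after 10 wrong entries
YEAR = 365 * 86400           # seconds


def keyspace(alphabet: int, max_len: int, min_len: int = 1) -> int:
    """Number of candidate passwords with length min_len..max_len."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def offline_worst_case_seconds(alphabet: int, length: int,
                               rate: int = GUESSES_PER_SEC) -> float:
    """Time to try every password up to `length` when no attempt limit applies."""
    return keyspace(alphabet, length) / rate


def online_success_probability(alphabet: int, length: int,
                               limit: int = WIPE_LIMIT) -> float:
    """Chance that `limit` guesses on the handset hit a random password of exactly `length`."""
    return min(1.0, limit / alphabet ** length)


def min_length_to_resist(alphabet: int, target_seconds: float,
                         rate: int = GUESSES_PER_SEC) -> int:
    """Shortest length whose own keyspace takes longer than target_seconds to exhaust."""
    length = 1
    while alphabet ** length / rate <= target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    # Constructed policies: (label, alphabet size, password length)
    policies = [("4-digit PIN", 10, 4), ("8 lowercase", 26, 8), ("8 mixed+digits", 62, 8)]
    for label, alphabet, length in policies:
        p_online = online_success_probability(alphabet, length)
        t_offline = offline_worst_case_seconds(alphabet, length)
        print(f"{label:15s} on-handset success {p_online:.2e}   "
              f"offline exhaustion {t_offline:,.3f} s")
    for label, alphabet in [("digits", 10), ("lowercase", 26), ("mixed+digits", 62)]:
        print(f"{label:13s} needs length >= {min_length_to_resist(alphabet, YEAR)} "
              f"to outlast one year of offline guessing")
```
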

“To the contrary of this feature’s intent, those opting for extra security may be actually opening a way for investigators to overcome BlackBerry’s hallmark security feature,” the company said in a press release.

Once the password is recovered from the media card, it can be used to access data stored on the phone, Elcomsoft said.

Elcomsoft, which is based in Russia, said it estimates around a third of BlackBerry users opt to encrypt the media card data.

Lost and stolen phones represent the single biggest threat to smartphone users and their employers, especially as more workers use their phones to check work e-mail and carry out other sensitive activities.

The Threatpost Enterprise Mobile Survey found that more than 40% of respondents used their mobile devices to connect to corporate WiFi networks. More than 90% used them to check work e-mail.

Discussion

  • Chris on

    Makes sense. If there's known plaintext that can be mapped directly to an area of ciphertext, it's just a matter of bruteforcing it.

    Of course there's the matter of how long it will take to bruteforce. "Millions of passwords per second" sounds impressive, but compared to 2^128 is less than a drop in the bucket - maybe some condensation around the rim at best.

    Still, nice illustration of the flaw, and here's hoping RIM takes notice to fix it.

  • Lance on

    Yeah, but how long/difficult is someone going to make their phone password? Especially if you have to enter it all the time.
  • Shanvaidya on

    This post is a big shit. The information given in this news is not new and even enough. A company named Paraben already made a cellphone forensic tool which also recovers the same. But the question is, if a culprit has not saved any backup on the memory card, then how is Elcomsoft about to crack the password?

    ????
