Russian Software Company Says Its App Can Crack BlackBerry Security
AZA43 leaps into the ranks of accepted submitters, writing "Russian security software vendor Elcomsoft has released an app that it claims can determine BlackBerry handheld passwords. The software supposedly hacks the BlackBerry password via an advanced handheld security setting that's meant to encrypt data stored on a user's memory card. And a hacker doesn't even need to have the BlackBerry to determine a password, just the media card."
Not reliable... (Score:5, Interesting)
Same key? (Score:2, Interesting)
Pure speculation here:
Since this only works with media encryption enabled, I'm guessing this is an alternative cipher attack. They can't directly obtain the BlackBerry device password, but they can break the media encryption (perhaps because it is a much weaker cipher). The media encryption key is likely the same as or derived from the device password, allowing an expedited attack on that.
Moral of the story: If you derive a key for a weak cipher from a key used for a strong one, make sure you use an irreversible function to do so.
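An added example (not part of the comment above, and not RIM's or Elcomsoft's code) of the key separation that comment recommends: the password is stretched once with PBKDF2, then HKDF (RFC 5869) derives independent device and media keys, so recovering one derived key does not reveal the other or the stretched master. The purpose labels, iteration count and sample passphrase are assumptions made for the illustration.

```python
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract a PRK, then expand it."""
    if length > 255 * 32:
        raise ValueError("requested output too long for HKDF-SHA256")
    # Extract: an empty salt is replaced by a block of zero bytes (RFC 5869).
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    # Expand: T(n) = HMAC(PRK, T(n-1) || info || n)
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(password: str, salt: bytes, iterations: int = 200_000) -> dict:
    """Stretch the password once, then split it into per-purpose keys.

    The info labels are hypothetical; what matters is that each purpose
    gets a distinct label, so the outputs are unrelated to one another.
    """
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {
        "device": hkdf_sha256(master, salt, b"example/device-unlock", 32),
        "media": hkdf_sha256(master, salt, b"example/media-encryption", 32),
    }


if __name__ == "__main__":
    # Constructed sample input, not taken from any real device.
    keys = derive_keys("constructed-sample-passphrase", bytes(range(16)))
    for purpose, key in keys.items():
        print(purpose, key.hex())
```

One-way derivation only stops an attacker from walking back from a recovered key; if the media card holds anything that lets a password guess be checked, a weak password can still be guessed offline, and the stretching cost is the only brake on that.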
Re:someone cracks blackberry security (Score:4, Interesting)
RIM stuff is largely security by obscurity at this point, however; very few people have seemingly tried to pull their stuff apart, and the few that have didn't find good things. See the pwn2own contest from this year for one such example.
Android, iPhone and even Windows Mobile devices are much easier to target because they are largely based on existing systems which are well understood... RIM are using a totally obscure black box that requires significant investment of time to reverse engineer. This doesn't mean it's secure, it just means that hackers will need to spend more time to find holes in it. On the other hand, it means that whitehats will also require more time to reverse engineer the system, whereas it's highly possible that blackhats have already stolen the source code.
Most devices provide the option to run a VPN between the handset and a server under your control; only RIM require that there be a server under their control sitting in between.
Most devices (RIM included) can also boot up and start talking to the network without requiring any user input, therefore the keys used for this encryption must be stored on the device somewhere, just waiting for someone appropriately skilled and motivated to work out how to extract them...