Blackberry suffering blight

Cooking, like security, is both art and craft; you must understand both what to do and what not to do in order to create something that is fit for purpose. Consider a turnip: boil one, mince it in a food-processor and the resulting tasty goo...

Share

Cooking, like security, is both art and craft; you must understand both what to do and what not to do in order to create something that is fit for purpose. Consider a turnip: boil one, mince it in a food-processor and the resulting tasty goo will be irrevocably different from the original root; plus you'll unlikely need to mince it more than once - overmincing your puree will yield soup.

However when mincing digital data you're probably pursuing one of two goals: one goal is encryption where someone will eventually feed the puree backwards through the mincer to reconstitute the original turnip. This is possible because algorithmic mincing may be infinitely and precisely repeatable and in these cases as Mr Haynes tells us reassembly can be the reverse of disassembly.

Your other typical goal is to use a one-way hash function which as the name suggests is meant to be as irreversible as mincing a real turnip. Hash functions are frequently used in authentication systems, eg: to turn short, memorable passwords into blobs of pseudorandom goo which may then serve as cryptographic keys. This impacts RIM because they've tried to use this mechanism to protect Blackberry backups - but they haven't done it properly. Russian crypto outfit Elcomsoft has announced a tool for breaking into Blackberry phone backups, which works by virtue of RIM's misapplication of the PKCS#5 PBKDF2 Password-Based Key Derivation Function.

To generate some crypto keys to protect your backups PBKDF2 recommends that you repeatedly mince and re-mince your password at least 1000 times - yielding a password soup - however as Elcomsoft's Vladimir Katalov writes:

Where Apple has used 2000 iterations in iOS 3.x, and 10000 iterations in iOS 4.x, BlackBerry uses only one.

The effect of this is to greatly reduce the time/cost of applying brute-force and dictionary-based password cracking to Blackberry backups; the effort is simply multiplicative - if protected by only 1 rather than 1000 iterations, backup passwords may be broken in 1/1000th of the time and effort. Katalov is citing time-to-crack figures in the order of hours or a few days, so if you pick your target carefully you'll soon have access to everything they've stored. It's worth observing that the more senior the Crackberry user, the more likely that compliance and other regulation will demand regular backups of their data be made - so the bigger the name the greater amount of target data available.

In the light of RIM's recent discussions/agreements with the UAE, India, Saudi Arabia and Kuwait to permit limited law-enforcement access into Blackberry traffic - the revelation of this weakness will do nothing positive for RIM's current security story.

But in the meantime CSOs of Blackberry-friendly enterprises should look to the potential exposure of their backups, because there's suddenly a multi-year corpus of data that probably requires better protection than it was thought natively to have. E.g.: If you're outsourcing your storage or are "hosting it in the cloud" without extra crypto, you may have an additional reason to review whether the security that you're contracting is commensurate with the sensitivity of any/all data being stored.

And on the flipside if this article makes you wonder whether you're not actually backing up your Blackberry data, that's something else you should check.

"Recommended For You"

RIM co-CEO Lazaridis on the iPhone, mobile device management Best practices for BlackBerry instant messaging