InfoWorld ran a story about ElcomSoft’s announcement of support for BlackBerry backups in their backup file decrypting tool. Obviously all the lemmings ran for the hills and the little red hen ran screaming that the sky has fallen! I did a bit of digging and found that while ElcomSoft has a point that BlackBerry backup’s are insecure I don’t think it is a huge deal and is something RIM could probably fix with little work but it is a weird oversight for a company so anal retentive about security. I would consider this a shameful black eye for their security team.
To give you some perspective it is almost impossible to truly protect a consumer backup file from a brute force password attack. A brute force attack essentially just tries billions and trillions of passwords and permutations until one works. With a device like the BlackBerry it is easy to set a 10 wrong password limit before wiping the device but with a backup file a hacker can just make a billion copies of the file and keep on hacking away.
What I found very interesting is that in this one regard RIM is actually trailing Apple when it comes to backup file security. Both of the companies use AES encryption with a 256-bit key which is pretty good though the key is derived from a user supplied password which is where the vulnerability comes from. Standard practice for key strengthening user supplied passwords for AES involves PBKDF2 which strengthens the keys by making it harder and more processor intensive to brute force a password. It uses a salt along with this value for over 1000+ recommended iterations to create derived keys which make it really hard to try multiple passwords. They need the salt to make it harder to use rainbow tables to just easily find a password from its hash.
So now that we know that PBKDF2 is supposed to be used at least 1000+ times as a recommended MINIMUM we learn that RIM only uses ONE iteration. That makes it MUCH easier to brute force in around 3 days. It is also way behind the curve since the iPhone OS 4.x uses 10,000 iterations and the 3.x iOS uses 2,000. The other difference is that RIM only encrypts the data once it is transferred in clear text to your computer adding another place where this data is at risk.
Many companies with a BES implementation could care less about this since most information is backed up to the BES and users have no real need of performing backups. BES admins can even block these backup’s if they thing there is a risk from it. I am not sure if this is also the case for device upgrades that perform a backup but I assume that it is. On the other hand consumers, who usually do not have a password or data encryption on in the first place, will probably not care too much though it is valuable to know not to share your backups all over the internet. I think that the encryption of backups was only a recent addition and only added in recent versions of desktop manager but that could be why it has such an immature level of protection. Still I don’t doubt that RIM will release a patch or update for this soon.
So no the sky is not falling though keep in mind there are still people who can read your email… and just because you are not paranoid does not mean no one is out to get you.