Forgot your password?

Russian Hackers Discover The Obvious – Weak BlackBerry Passwords Can Be Brute Forced


I remember when I was a kid I discovered that those amazing Master Locks could be “Hacked” if you had enough time on your hands to guess passwords. A Russian firm Elcomsoft has made a business model out of doing just that. They perform attacks called “Brute Force Attacks” which essentially means guessing every possible password and just announced that encrypted BlackBerry Media Cards are susceptible to such an attack. I am surprised they did not “discover” this ages ago since it is pretty rudimentary and the most unsophisticated form of “hacking” but they have made it much simpler to perform which is very useful. On the other hand its not really a “run for the hills the sky is falling” issue. The difference is between “Cracking” encryption and simply brute forcing a weak password. Here is why…

Elcomsoft announced (via that their new software can break and recover the password of a BlackBerry through its encrypted memory card. They claim their brute force attacks are achieving 1.8 million passwords per second in wordlist mode, and about 5.9 million passwords per second in bruteforce mode. The way this works is because they are targeting one file info.mkf on the BlackBerry memory card file system which they can replicate exponentially and then try to crack it by guessing passwords over and over. Since it is not attached to BlackBerry hardware and can easily be replicated then eventually you will succeed in brute forcing it. The only limitation is how easy it is to replicate the keyfile.

Encryption options

The thing is this has been a known factor for years in cryptography with practically any password based encryption on a replicate-able file. Especially considering the fact that passwords on mobile phones are usually only 4-6 characters. ElcomSoft learned that the lowest possible encryption option for BlackBerry smartphones “device password” is guessable. If you look at a password brute forcing chart like and examine their class D (10 million password guesses per second) you will see how it breaks down.

A password with mixed lower case, upper case, and numbers (62 possible characters) should take about a second or two to crack a 4 character password since there are only 15 million possible combinations. A 5 character password with 916 million combinations would take a minute and a half. A 6 character password would take an hour and a half. All the way up to an 8 character password which would take 253 days… So in other words if you can keep trying different keys in the lock you will eventually succeed especially with passwords with less than 8 characters.

The thing is for years RIM has provided multiple solutions that alleviate this problem significantly for corporations or users who are that paranoid and are willing to sacrifice usability. Users have the option to encrypt their memory card with either the “Device Password” which is brute force-able or what RIM calls the “Device Key” which would encrypt the data with a cryptographic key that is built into the device. The problem is then that if the device no longer works then the data is as good as gone… It also makes things like USB Mass Storage mode more complicated.

In other words there are options with better security that better stand up against brute force attacks but every defense only protected with a password and no other controls will eventually fail to a brute force attack. RIM offers solutions for government use like two factor authentication with a bluetooth smartcard or simply using the device key to encrypt the media card but what I have seen most paranoid companies do is simply disable backups and mass storage mode and encrypt the media card with both the device key and password.

Alternatively you could try using a stronger password that will stand up to brute force attacks better. For example, a annoying password like B33r&Mug would take Elcomsofts solution about 23 years to crack using the Class D hardware they were recommending though a supercomputer could do it in 83.5 days.

At the end of the day the question is how secure is enough? My friend used to say that the ultimate encryption was to write the information on a piece of paper and burn it and then soak the ashes in bleach… VERY secure but totally impractical. The goal is to find the balance that fits your needs. Hopefully RIM also works on finding a way to beef up their on device encryption options to be harder to brute force with a few tricks. On the other hand additional encryption protection usually leads to slower performance…

PS: If you are interested in this sort of stuff read up on “password entropy” or “Brute Force Search”

2 total comments on this postSubmit your comment!
  1. Nice article :). At least, on a BlackBerry, you need to wait a few days for a supercomputer to crack the password giving access to the user’s data. On other platforms, unless you use specific software to protect your data (for BlackBerry like protection), you better not lose sight of your mobile…

  2. This is very interesting, thank you.

    What is ‘encryption’?

    I use Blackberry Protect which would work well if your phone is ‘lost’; and incorporated into BB Protect is phone lock.

    I’m on BIS and just never understood encryption.

1 pingback on this post

BlackBerry© is a registered Trademark of BlackBerry Limited. BerryReview is in no way affiliated with BlackBerry Limited though sometimes their lawyers send us love letters...

Copyright © 2007-‘2016’ BerryReview LLC