I received a copy of the email that RIM has been sending out to customers about the brute force password attack Elcomsoft announced against BlackBerry media cards. We told you earlier this month that practically any offline password system devoid of hardware protection is vulnerable to a brute force password guessing attack, and how to mitigate it on BlackBerrys. This is the answer RIM's BlackBerry Security Incident Response Team (BBSIRT) has been giving customers worried about Elcomsoft's attack vector:
The article states that the tool uses a brute-force attack to guess the smartphone password by attempting to decrypt the contents of a media card that has been removed from the smartphone. For this tool to do what Elcomsoft claims, an IT administrator or the smartphone user must have chosen to encrypt the contents of the media card with the smartphone password only. Furthermore, an attacker must have access to the media card from the smartphone, and the tool would have to successfully guess the password. To then use the password to unlock the smartphone, that attacker would also have to have access to the smartphone.
For stronger protection, users can choose to encrypt the contents of an optional media card, choose the option to encrypt using a device key or the combination of a device key and the device password. See Enforcing encryption of internal and external file systems on BlackBerry devices for more information.
To increase the difficulty of guessing passwords, RIM recommends that users always use strong passwords. A strong password has the following characteristics:
- includes punctuation marks, numbers, capital and lowercase letters
- does not include the user name, account name, or any word or phrase that would be easily guessed.
The security of mobile devices and major networked systems is tested by third party security researchers every day. RIM also continually tests the security of its own products, and volunteers its products to recognized industry experts for security testing and certification to help identify possible security vulnerabilities and protect BlackBerry customers against potential security threats.
For information on BlackBerry security, visit http://www.blackberry.com/security.
It gets the point across without getting technical, but it could have done more to explain the situation. Essentially, if your password is less than 8 characters and you don't use a device key to encrypt, then computers are capable of cracking it if they are given enough time.
Here is a simple breakdown. Say you had a password drawn from 62 possible characters (the 26 lower case letters, 26 upper case letters and 10 digits):
- An 8 character password has ~221+ trillion combinations (computers can crack this in hours, if not a day or two)
- A 10 character password has ~850+ quadrillion combinations (computers could brute force this password in months)
- A 12 character password, which is a bit absurd, has ~3 sextillion combinations (current computers could brute force this in about 100 years)
What a device key essentially does is create a 128 bit or 256 bit key that can be combined with your password, so an attacker who only has the media card has far more than a short password to guess. That would take current computers ages to crack. There are some downsides to using a device key, though, and encryption does cost you in terms of performance… So once again it is all up to how paranoid you actually are…
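To make the breakdown above concrete, here is an added calculator (not from the post, RIM or Elcomsoft) that counts the candidates an exhaustive search must cover for a 62-character alphabet, converts that to time at an assumed guess rate, and shows what the attacker is left guessing once a device key is in the mix. The guess rate of one billion per second is an assumption for illustration, not a measured figure for any real tool, and the device-key case assumes the key is not recoverable from the card itself.

```python
from math import log2

ALPHABET = 62  # 26 lower case + 26 upper case + 10 digits, as in the post


def keyspace(length: int, alphabet: int = ALPHABET, cumulative: bool = True) -> int:
    """Candidates a brute-force search must try for passwords up to `length`.

    With cumulative=True every length from 1 to `length` is counted, which is
    what an attacker who does not know the exact length has to cover; this is
    where the post's "~221+ trillion" for 8 characters comes from.
    """
    if cumulative:
        return sum(alphabet ** k for k in range(1, length + 1))
    return alphabet ** length


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return candidates / guesses_per_second


def human_time(seconds: float) -> str:
    """Pick the largest unit that gives a readable number."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def bits_to_guess(length: int, device_key_bits: int = 0, alphabet: int = ALPHABET) -> float:
    """Work the attacker faces, in bits.

    Password only: log2 of the password keyspace. With a device key that is
    combined into the media-card key (assumed not to be on the card), the
    offline attacker must guess the device key, so the key length dominates.
    """
    password_bits = length * log2(alphabet)
    return max(password_bits, float(device_key_bits)) if device_key_bits else password_bits


if __name__ == "__main__":
    RATE = 1e9  # assumed guesses per second, purely illustrative
    for n in (8, 10, 12):
        total = keyspace(n)
        print(f"{n:2d} chars: {total:,} candidates -> {human_time(seconds_to_exhaust(total, RATE))}")
    print(f"8 chars + 256-bit device key: {bits_to_guess(8, 256):.0f} bits to guess")
```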