A Russian software vendor has released a product that it says can crack BlackBerry smartphone passwords, if the BlackBerry owner has enabled a media-card encryption security setting.

UPDATE 2: Elcomsoft just reached out to me, and the company claims that the latest version of its Phone Password Breaker software, v1.80, can indeed recover BlackBerry device passwords and not just passwords to RIM’s BlackBerry Wallet and Password Keeper apps, via BlackBerry backups and assuming the necessary BlackBerry media card encryption setting is enabled. Elcomsoft’s Chief Security Researcher, Andrey Belenko, has detailed the associated process on the company’s website.

UPDATE 1: I just heard from RIM, and though the company was quite cryptic in its response to my inquiry about Elcomsoft’s claims, the BlackBerry-maker did not say that the Elcomsoft Phone Password Breaker cannot crack BlackBerry passwords. However, RIM suggested that Elcomsoft’s claims apply not to the BlackBerry device password, but to passwords for RIM’s BlackBerry Password Keeper and BlackBerry Wallet apps and data, which Elcomsoft claims its software can retrieve from encrypted BlackBerry data backups stored on PCs. (BlackBerry Password Keeper and BlackBerry Wallet apps are native BlackBerry apps that users employ to store various passwords and payment/loyalty card information.)

So while BlackBerry media card encryption may not pose as much of a security risk as I first thought, because Elcomsoft’s product cannot determine BlackBerry device passwords, according to RIM, it should still be considered a risk, since it could potentially be exploited to access Password Keeper and BlackBerry Wallet data via PC-based BlackBerry backups.

The BlackBerry OS is known for the many security safeguards it affords individual users and organizations, the most basic–and most important–of which is probably the device password.
In fact, I’ve written countless mobile device security tips and tricks posts, and “Enable a password” is almost always atop my list of suggestions.

However, Russian software vendor Elcomsoft has just released an updated version of its Phone Password Breaker product, and the company claims the software can crack any BlackBerry handheld’s password, as long as the BlackBerry owner has enabled a media card encryption option within the smartphone’s security settings.

I’m not sure what to make of this claim, and I’m definitely not about to shell out the $200 Elcomsoft is charging for the “Professional Edition” of the software, which the company says is required to crack a BlackBerry’s password using the encrypted media card. But if it proves to be true, people and organizations that want or need the highest levels of security may wish to ensure that this media-card encryption setting is disabled for the time being–though that would also make data stored on the media card less secure.

This purported method of cracking a BlackBerry password is a bit worrisome, since a Bad Guy could presumably quickly remove a BlackBerry user’s microSD card, and then go to work cracking the device password without the owner even knowing it’s gone. Said Bad Guy could then grab the device, unlock it using the cracked password and steal data, etc., before the user could report it missing and have the device wiped via BlackBerry Enterprise Server (BES) or otherwise.

I’ve reached out to RIM for a comment, but haven’t received a response. I’ll update this post accordingly as soon as I do.

By default, BlackBerry media card encryption is disabled, so you or your IT administrator would have had to have purposefully turned the setting on.
But if you want to make sure the media card encryption setting is disabled on your BlackBerry 7 device, click the Options icon on your home screen–it looks like a wrench–scroll down to and click the Security listing, then Encryption and, on the following screen, make sure the Encrypt box beneath the Media Card heading is unchecked. Save your changes, and you’re good to go.

AS

Via PCWorld, Image Credit: Brian Sacco