September 25, 2016

BlackBerry 10 sending email passwords in plain text

German researcher Frank Rieger has discovered that BlackBerry is transmitting user names and passwords from its internal servers to external email servers in plain text when BlackBerry 10 users set up email accounts using the BlackBerry 10 email Discovery Service.

The problem, which Rieger is calling a backdoor that could be used by the NSA, is that when a BlackBerry 10 user configures a new email account, the smartphone sends the email credentials to an internal server at BlackBerry, which in turn contacts the user’s email server. If the user’s email server isn’t configured to force the use of SSL/TLS, then the BlackBerry server defaults to plain text (without trying an encrypted connection). The result is that the user credentials are sent by BlackBerry’s internal server to the user’s email server in plain text.

There are two concerns here. One is that BlackBerry’s internal servers used for the Discovery Service haven’t been configured to use SSL/TLS at all times and to fall back to plain text only if no alternative is available (or, perhaps better still, to reject accounts without SSL/TLS). The other worry is that BlackBerry is storing user credentials for external mail services on its servers without notifying the user.
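The policy argued for above, as an added example (not code from BlackBerry, Rieger or the original article): a client decides from the server's advertised capabilities whether it may send credentials, with the fall-back-to-plain-text behaviour shown beside a strict version that upgrades or refuses. The function names and the sample server responses are constructed for illustration.

```python
# Added example: credential-sending policy for a mail client or discovery service.
# The server responses below are constructed samples, not captured traffic.

def imap_capabilities(line):
    """Parse an untagged IMAP reply such as '* CAPABILITY IMAP4rev1 STARTTLS'."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] != "*" or parts[1].upper() != "CAPABILITY":
        raise ValueError("not an IMAP CAPABILITY response")
    return {p.upper() for p in parts[2:]}

def smtp_extensions(ehlo_reply):
    """Parse a multi-line SMTP EHLO reply into its set of extension keywords."""
    exts = set()
    for line in ehlo_reply.splitlines()[1:]:      # line 0 is the server greeting
        words = line[4:].split()
        if line.startswith("250") and words:
            exts.add(words[0].upper())
    return exts

def weak_policy(tls_active, caps):
    """Behaviour the article describes: log in without attempting encryption."""
    return "send" if tls_active else "send-plaintext"

def strict_policy(tls_active, caps):
    """Upgrade when possible; otherwise refuse instead of falling back."""
    if tls_active:
        return "send"
    if "STARTTLS" in caps:
        return "starttls"        # upgrade, re-read capabilities, then decide again
    # No TLS on offer. An on-path attacker can also delete the STARTTLS line,
    # so absence is treated as a failure, never as permission for plain text.
    return "refuse"

IMAP_TLS_CAPABLE = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"
IMAP_PLAIN_ONLY = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"
SMTP_TLS_CAPABLE = ("250-mail.example.test\r\n250-SIZE 10240000\r\n"
                    "250-STARTTLS\r\n250 AUTH PLAIN LOGIN")

def demo():
    """Return (server, weak decision, strict decision) for each sample server."""
    samples = [("imap-tls", imap_capabilities(IMAP_TLS_CAPABLE)),
               ("imap-plain", imap_capabilities(IMAP_PLAIN_ONLY)),
               ("smtp-tls", smtp_extensions(SMTP_TLS_CAPABLE))]
    return [(n, weak_policy(False, c), strict_policy(False, c)) for n, c in samples]

if __name__ == "__main__":
    for row in demo():
        print(*row, sep="\t")
```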

Although BlackBerry initially denied any such actions by its servers, it has now acknowledged that this does happen and suggests that its customers use the advanced options during account setup to bypass the discovery service. It has also tried to reassure its customers that the credentials are only used during the setup process and that they are not stored by BlackBerry afterwards. According to BlackBerry, TLS is used when the credentials are sent from the BlackBerry 10 smartphone to its internal servers, but it has neglected to comment on the configuration of the discovery service software and why it uses plain text.

As a result of Frank’s findings, security firm Risk Based Security has reached out to its clients and various contacts, including the FBI, warning them of the potential privacy and security issue.

ElcomSoft Launches New Software To Crack BlackBerry Device Passwords

(LiveHacking.Com) – ElcomSoft have released a new version of their Phone Password Breaker (EPPB), with the ability to recover passwords protecting BlackBerry phones. Data on a BlackBerry can be protected using a password (known as the device password) which needs to be entered every time the device is switched on or, optionally, after a certain timeout. If the wrong password is entered more than 10 times in a row, all the data on the phone is erased.

It was previously thought that cracking this device password was impossible; however, ElcomSoft now say that it can be cracked in a matter of hours without any danger to the data on the phone.

However there is a caveat. To work, Media Card encryption needs to be configured and set to either “Security Password” or “Device Password” mode.

ElcomSoft estimates that about 30 per cent of all BlackBerry smartphone users opt to protect their media cards with this option, making their devices open to this attack.

To crack the password, EPPB only needs the media card from the device. Using a PC with an Intel i7-970, EPPB can try 1.8 million passwords per second in wordlist mode, and about 5.9 million passwords per second in brute-force mode.

Phone Password Breaker Cracks Open the BlackBerry Password Keeper

(LiveHacking.Com) – ElcomSoft Co. Ltd. has updated its Phone Password Breaker software and added the ability to recover the master password which locks the passwords stored in the BlackBerry Password Keeper app. The new version can also unlock the financial information kept in the BlackBerry Wallet app.

The BlackBerry Password Keeper and Wallet apps allow users to store their passwords and their financial information, like credit card numbers, in a password protected store. To unlock the Password Keeper, users must enter the master password.

Elcomsoft Phone Password Breaker can recover the master passwords for the Password Keeper and Wallet apps and so provide forensic investigators with full access to stored login credentials and passwords in plain text.

The Elcomsoft Phone Password Breaker allows forensic investigators to open a BlackBerry backup; it then uses brute force to recover the master passwords by trying hundreds of thousands of passwords per second.

RIM Releases Details of Vulnerabilities in BlackBerry Enterprise Server

(LiveHacking.Com) – RIM has released a security advisory to address a vulnerability in the BlackBerry MDS Connection Service and BlackBerry Messaging Agent for the BlackBerry Enterprise Server.

Vulnerabilities exist in how they process PNG and TIFF images for rendering on the BlackBerry smartphone.

Successful exploitation of any of these vulnerabilities might allow an attacker to gain access to and execute code on the BlackBerry Enterprise Server. Depending on the privileges available to the configured BlackBerry Enterprise Server service account, the attacker might also be able to extend access to other non-segmented parts of the network.

The issue affects the following software versions:

  • BlackBerry® Enterprise Server version 5.0.1 through 5.0.3 MR2 for Microsoft Exchange
  • BlackBerry® Enterprise Server version 5.0.1 through 5.0.3 MR2 for IBM Lotus Domino
  • BlackBerry® Enterprise Server version 4.1.7 and version 5.0.1 through 5.0.1 MR3 for Novell GroupWise
  • BlackBerry® Enterprise Server Express version 5.0.1 through 5.0.3 for Microsoft Exchange
  • BlackBerry® Enterprise Server Express version 5.0.2 and 5.0.3 for IBM Lotus Domino

BlackBerry Enterprise Server version 5.0.3 MR3 and later for Microsoft Exchange and IBM Lotus Domino are not affected; neither are the actual BlackBerry smartphones.

ElcomSoft Releases New Software to Recover Passwords on NIST Certified BlackBerry PlayBook Backups

(LiveHacking.Com) – Only a few days ago the BlackBerry PlayBook became the first tablet to be certified for US government use by passing the FIPS 140-2 certification from the National Institute of Standards and Technology (NIST). No other tablet, including the iPad, has gained this certification and the PlayBook is the only tablet ready for deployment within the U.S. federal government.

Since this particular FIPS (Federal Information Processing Standard) certification is about cryptography, you would think that any government data on a PlayBook would be secure… Not so… ElcomSoft has updated its Phone Password Breaker with the ability to recover passwords protecting BlackBerry PlayBook backups. This means that it can recover the original plain-text password protecting the PlayBook backups. Once the password is known the backup can be restored to and analyzed on another PlayBook device.

The result is that forensic investigators (or hackers, spies and foreign governments) can access email messages, call history, contacts, web browsing history, voicemail and email accounts stored in those backup files.

To crack the passwords on the backups, ElcomSoft use GPU-accelerated attacks, offloading parts of the computation-intensive jobs onto the highly parallel units available in today’s ATI and NVIDIA video cards. The result is that the Elcomsoft Phone Password Breaker can try tens of thousands of passwords per second.

ElcomSoft plans to add a PlayBook backup decryption module, which allows the backups to be cracked open without restoring them to another PlayBook device, to the next version of Elcomsoft Phone Password Breaker.