BlackBerry devices have always been renowned as the most secure mobile device. In most cases BlackBerrys are superior in their security. However, a new flaw has been discovered in the encryption of BlackBerry backup data.
ElcomSoft is a Russian developer of password recovery software. They have released a new tool that effectively cracks the encryption on BlackBerry backups by leveraging a weakness in the key-derivation function.
The BlackBerry encryption algorithm uses AES with a 256-bit key, which is theoretically strong enough. However, the CEO of ElcomSoft, Vladimir Katalov, claims there is a problem with the key generation.
“In short, standard key-derivation function, PBKDF2, is used in a very strange way, to say the least. Where Apple has used 2,000 iterations in iOS 3.x, and 10,000 iterations in iOS 4.x, BlackBerry uses only one,” he explains on his company’s blog.
Katalov says that even without GPU acceleration, a seven character long password with both uppercase and lowercase letters would be recovered in under three days. But, cracking a single-case password would only take half an hour.
It will be interesting to see how Research In Motion responds to the flaw and if they will correct it. For now, try and use a longer password with numbers and other special characters, which should at least make it take longer for your password to be cracked.