Blackberry Exploits

**TheCotMan** · January 17, 2005, 12:15

Originally posted by ademonaco

I am currently looking into the localized encryption for RIM Blackberry Server 4.0 and I am looking into tactics used to pull information off the device.
My research has turned up little in the way of exploits and tools that can be used. Does anyone have any thoughts on how I can go about testing the encryption on the device?

There are two parts to examine:

Attack the Model/Examine the Theory:
Examine border cases, and places where trust is implied or assumed, places where a transition occurs from plain-text/trusted to encrypted/untrusted, maybe the protocol used defaults to use a much less secure system for establishing trust (consider NT Auth vs. the older auth in SMB for MS Windows FileSharing and the weaknesses backwards compatability created.)

Attack the implementation:
Find where the implementation does not meet the criteria of the model. Maybe keys are extensively re-used, maybe the key is easy to guess, maybe the implementation of the cipher is faulty, maybe the cipher sucks (double-XOR with same key ;-) maybe there is information leakage, maybe it does not work at all, etc.

Most anything you would look to try with software or MiM or passive attacks will likely use one of the above as hypothisis, and then observation, testing, evalution would follow to allow you to start a new round all over again.

**cindy** · January 17, 2005, 13:10

Originally posted by ademonaco

Does anyone have any thoughts on how I can go about testing the encryption on the device?

Are you looking to test the encryption of e-mail sent through the BES server or are you looking to test encryption of PIN to PIN with the updated blackberry client with certificate handling?

**AlxRogan** · January 17, 2005, 17:49

Originally posted by ademonaco

I am currently looking into the localized encryption for RIM Blackberry Server 4.0 and I am looking into tactics used to pull information off the device.
My research has turned up little in the way of exploits and tools that can be used. Does anyone have any thoughts on how I can go about testing the encryption on the device?

SMS, PIN messaging and any standard tcp/ip traffic, with the exception of the BES hosted e-mail, are transmitted in the clear. BES hosted e-mail is encrypted using FIPS 140-2 compilant AES for new versions and 3DES for earlier versions with a symmetric key. The handheld is required to sync to create a new key at least every 30 days, I believe it can be changed by BES settings, not sure.

Go nuts and good luck. :)

**cindy** · January 17, 2005, 18:36

Originally posted by AlxRogan

SMS, PIN messaging and any standard tcp/ip traffic, with the exception of the BES hosted e-mail, are transmitted in the clear.

BlackBerry Security for the S/MIME Security Package version 1.5

**AlxRogan** · January 18, 2005, 07:58

Originally posted by cindy

BlackBerry Security for the S/MIME Security Package version 1.5

I stand corrected.

Serves me right for quoting year old data. Either way, cracking a BlackBerry should be a very challenging task.

**Chris** · January 18, 2005, 13:01

Originally posted by AlxRogan

I stand corrected.

Serves me right for quoting year old data. Either way, cracking a BlackBerry should be a very challenging task.

http://msnbc.msn.com/id/6836110/

**cindy** · January 18, 2005, 13:17

Slightly off topic

There was an article in the Toronto star today that indicated all messaging, if S/MIME encrypted, would be private. This is true, but remember that this is a corporate environment. As with the case with the corporate employees that used the blackberry's to start their own company, I sure no one was sniffing your data, you were just audited! Simple. You’re Pin's and mail are archived. Encrypted or not.

**AlxRogan** · January 18, 2005, 14:07

Originally posted by Chris

http://msnbc.msn.com/id/6836110/

Ok, obviously I just should stop posting today before I get my ass kicked. :)

I'm thinking they probably got into her mail store, versus getting into the blackberry itself, or just swiped the damn thing with no password on it. Either way, /me is the asshat of the day.

**ademonaco** · January 18, 2005, 15:00

Clarification

I should have been more clear. I am not as concerned about the encrypted traffic as much as I am concerned about the information residing locally on the Blackberry device. The new release has local content encryption and I am looking into testing its validity versus soliciting a third party vendor to build a full hard disk encryption solution.
I would much rather someone sniff 5 minutes of my traffic versus 5 minutes of physically having access to the device.

Thanks for all the replies.

**someb0dy** · February 2, 2005, 11:44

You should try some hardware hacking. You should at least be able to locate the flash were the data is written.

Once you have your dump, you should try to locate were the hash is. (That is what I am trying to do, without much success yet) I say that to accomplish this formidable task, you need a very decent reverse-engineer. Once you have the hash, you MIGHT be able to brute force it. Alas, the encryption algo is SHA-1 and the pseudo random is ARC4.

If you are able to do anything beyond dumping the memory, keep me posted. I am very interested on such topic.

**astcell** · February 2, 2005, 19:21

If you have access to the BES, even for a minute, you can change a setting so that all the Blackberries will send all the messages as a bcc: to a specified address. Then just sit back and watch your mailbox fill up!

**not5150** · February 20, 2005, 22:35

Encase and Paraben

Both companies sell software that forensically access the Blackberry and other PDAs.

Be prepared to pay big bucks.

**erehwon** · February 27, 2005, 01:41

With any luck, you might find a Blackberry that hasn't been wiped...

http://www.wired.com/news/business/0,1367,60052,00.html

**astcell** · February 27, 2005, 03:54

I blame Morgan Stanley sysadmin. On the BES there is a KILL button, just highlight a Blackberry and send the kill command. I heard this was a fatal blow to the device, this would have been a good time to find out just how much so.

There was a story a while back about a guy who got dozens of hard drives off of *bay in all different shapes, you know there was data there.

Just goes to show that even the l33test among us are sometimes just handle the keys to the proverbial castle!

Blackberry Exploits

Blackberry Exploits

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment