Vulnerability in the security of BlackBerry device backups using the BlackBerry Desktop Software

Article ID: KB24764

Type: Security Advisory

First Published: 12-15-10

Last Modified: 01-03-2012

Product(s) Affected:

  • BlackBerry Desktop Software Version 4.7
  • BlackBerry Desktop Software Version 5.0
  • BlackBerry Desktop Software Version 6.0

Affected Software
  • BlackBerry® Desktop Software 4.7 (PC OS)
  • BlackBerry® Desktop Software 5.0 (PC OS)
  • BlackBerry® Desktop Software 6.0 (PC OS)
  • BlackBerry® Desktop Software 1.0 (Mac OS)
Non-Affected Software
  • BlackBerry® Device Software
  • BlackBerry® Enterprise Software
  • BlackBerry® Internet Service
  • BlackBerry Desktop Software versions earlier than 4.7 (PC OS)
Are BlackBerry smartphones and the BlackBerry Device Software affected?

No.
Issue Severity

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 5.6.

Overview

This advisory describes an issue in how BlackBerry Desktop Software version 1.0 for Mac and BlackBerry Desktop Software versions 4.7 through 6.0 for PC derive the key used to encrypt BlackBerry device backup files. The issue may allow a malicious user who has obtained a backup file to recover the password, and so decrypt the file, by means of a brute force attack (repeated password guessing attempts).

Who should read this advisory?
  • IT administrators
  • BlackBerry Desktop Software for PC users
  • BlackBerry Desktop Software for Mac users
Who should apply the software fix(es)?
  • IT administrators
  • BlackBerry Desktop Software for PC users
  • BlackBerry Desktop Software for Mac users
Recommendation

Complete the resolution actions documented in this advisory.

RIM recommends that BlackBerry device users always use a strong password to encrypt their data. RIM also recommends that BlackBerry device users store their backup files securely, whether they choose to encrypt them or not.

A strong password has the following characteristics:

  • includes punctuation marks, numbers, capital and lowercase letters
  • does not include the user name, account name, or any word or phrase that would be easily guessed
  • is not the same as the BlackBerry device password
References

CVE® Identifier: CVE-2010-2603

Problem

Successful exploitation of the issue against the affected versions of the BlackBerry Desktop Software requires all of the following:

  1. The BlackBerry Desktop Software user encrypts the backup file with a weak password that is susceptible to brute force attacks. Note that the key generation process adds a random value (a salt) to the password the user chooses before generating the encryption key. The salt prevents an attacker from reusing precomputed tables, but it does not increase the cost of each individual password guess.
  2. The malicious user gains access to the backup file.
  3. The malicious user repeatedly guesses passwords offline against the backup file until the correct password is found, and then decrypts the file.
Resolution

RIM has issued a software update that resolves this issue in BlackBerry Desktop Software version 6.0.1 and later for PC and BlackBerry Desktop Software version 2.0 and later for Mac. RIM recommends that BlackBerry Desktop Software users running versions earlier than these upgrade their software to help protect their backup files against brute force attacks.

BlackBerry Desktop Software for PC Users

Visit the BlackBerry Desktop Software Downloads for PC Users site to download the updated version of the BlackBerry Desktop Software (version 6.0.1 or later)

BlackBerry Desktop Software for Mac Users

Visit the BlackBerry Desktop Software Downloads for Mac Users site to download the updated version of the BlackBerry Desktop Software (version 2.0 or later).

The updated version of the BlackBerry Desktop Software changes the method used to generate the encryption key that encrypts the BlackBerry device backup file. BlackBerry Desktop Software 6.0.1 and later for PC and BlackBerry Desktop Software 2.0 and later for Mac apply multiple iterations of the key generation method, so that each password guess costs an attacker correspondingly more computation, to help protect against brute force attacks on the encrypted backup file.
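The following Python model illustrates both the Problem steps above (a salted but cheap key derivation, attacked offline by an adversary who holds the backup file) and the Resolution (an iterated key derivation). It is an added example written for this page, not RIM's code: the advisory does not state which hash or key derivation function the BlackBerry Desktop Software uses, so PBKDF2-HMAC-SHA256 with 1 iteration standing for the pre-fix scheme and 20000 iterations standing for the fixed scheme, the toy container layout, the HMAC-based stream cipher, the word list and the sample passwords are all assumptions constructed for illustration.

```python
"""Toy model of password-based backup encryption: cheap vs. iterated key derivation.

Constructed example for this advisory, not the BlackBerry Desktop Software's actual
format or algorithm.  Uses only the Python standard library.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed sample inputs: a tiny attacker word list, a weak password that
# appears in it, and a strong password that does not.
WORDLIST = ["123456", "password", "blackberry", "Summer2010", "qwerty", "letmein"]
WEAK_PASSWORD = "Summer2010"
STRONG_PASSWORD = "x7!Rq#2Lm&Vz9"


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit key with PBKDF2-HMAC-SHA256 (assumed KDF).

    iterations=1 stands in for the pre-fix scheme: one pass over salt+password.
    A large count stands in for the fixed versions, which iterate the method.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a toy stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt_backup(plaintext: bytes, password: str, iterations: int) -> dict:
    """Build a toy backup container.

    The salt and iteration count are stored in the clear next to the data, which
    is exactly what an attacker who obtains the file has to work with.
    """
    salt = os.urandom(16)
    nonce = os.urandom(12)
    key = derive_key(password, salt, iterations)
    # Key-check value: lets a decryptor (or an attacker) test a password guess
    # with one KDF evaluation, without touching the payload.
    kcv = hmac.new(key, b"key-check", "sha256").digest()[:8]
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return {"salt": salt, "iterations": iterations, "nonce": nonce, "kcv": kcv, "ct": ct}


def decrypt_backup(container: dict, password: str) -> Optional[bytes]:
    """Return the plaintext, or None if the password does not match the container."""
    key = derive_key(password, container["salt"], container["iterations"])
    kcv = hmac.new(key, b"key-check", "sha256").digest()[:8]
    if not hmac.compare_digest(kcv, container["kcv"]):
        return None
    ks = keystream(key, container["nonce"], len(container["ct"]))
    return bytes(a ^ b for a, b in zip(container["ct"], ks))


def brute_force(container: dict, candidates) -> "tuple[Optional[str], int]":
    """Offline dictionary attack (Problem step 3).

    The salt is read from the container, so it does not hinder the attacker;
    each guess still costs exactly one KDF evaluation.  Returns (password, guesses).
    """
    guesses = 0
    for cand in candidates:
        guesses += 1
        if decrypt_backup(container, cand) is not None:
            return cand, guesses
    return None, guesses


def guesses_per_second(iterations: int, samples: int = 20) -> float:
    """Measure KDF throughput on this machine for a given iteration count."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    data = b"contacts, messages, calendar ... (constructed sample backup payload)"
    weak_scheme = encrypt_backup(data, WEAK_PASSWORD, iterations=1)
    fixed_scheme = encrypt_backup(data, WEAK_PASSWORD, iterations=20000)
    print("pre-fix, weak password  :", brute_force(weak_scheme, WORDLIST))
    print("post-fix, weak password :", brute_force(fixed_scheme, WORDLIST))
    print("pre-fix, strong password:", brute_force(encrypt_backup(data, STRONG_PASSWORD, 1), WORDLIST))
    slowdown = guesses_per_second(1) / guesses_per_second(20000)
    print(f"iterating the KDF makes each guess roughly {slowdown:.0f}x more expensive")
```

Running the script shows the two halves of the advisory together: the salt stored in the file does not slow the attacker down, so a weak password in a small word list falls under both schemes, while the iterated derivation multiplies the cost of every guess by a constant factor (here, roughly the iteration count). That factor is what the software update buys; only a strong password that is not in any attacker's word list keeps the file out of reach, which is why the Recommendation section asks for both.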

Users running BlackBerry Desktop Software version 4.7.0 or later may update to the latest version of the BlackBerry Desktop Software by responding to an auto-update prompt in the BlackBerry Desktop Manager.

Workaround

If the BlackBerry device is on a BlackBerry Enterprise Server, the BlackBerry Enterprise Server administrator has the following options to help protect BlackBerry device backups in their organization.

 

Force BlackBerry devices to create encrypted backup files

The administrator can set the Generate Encrypted Backup Files IT policy rule to force BlackBerry devices to create encrypted backup files. See http://docs.blackberry.com/en/admin/deliverables/16713/Generate_Encrypted_Backup_Files_840680_11.jsp for more information.

 

Prevent users from performing BlackBerry device backups using the BlackBerry Desktop Software

The administrator can set the Desktop Backup IT policy rule to prevent users from performing BlackBerry device backups using the BlackBerry Desktop Software. See http://docs.blackberry.com/en/admin/deliverables/16713/Desktop_Backup_204186_11.jsp for more information.

Additional Information

CVE

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE corporation.

CVSS

CVSS is a vendor-agnostic, open industry standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency of update deployment within an organization. CVSS scores range from 0.0 (no vulnerability) to 10.0 (critical). RIM uses CVSS in vulnerability assessments to present an immutable characterization of security issues. RIM assigns all security-relevant issues a non-zero score.

BlackBerry Security

Visit www.blackberry.com/security for more information on BlackBerry security.

Acknowledgements
This issue was identified by ElcomSoft Co. Ltd.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.