BlackBerry Security Incident Response Team Responds to Elcomsoft Brute Force Password Attack

RIM sent an email to some of their customers regarding a recent password attack that Russian hacking team Elcomsoft claimed as their work. When it comes to offline password systems, such as BlackBerry’s ID program, they are susceptible to brute force password guessing because of the missing hardware protection.

RIM has released this email to answer the questions that customers have voiced about Elcomsoft’s attack methods. The answer came directly from the BlackBerry Security Incident Response Team (BBSIRT):

The article states that the tool uses a brute-force attack to guess the smartphone password by attempting to decrypt the contents of a media card that has been removed from the smartphone. For this tool to do what Elcomsoft claims, an IT administrator or the smartphone user must have chosen to encrypt the contents of the media card with the smartphone password only. Furthermore, an attacker must have access to the media card from the smartphone, and the tool would have to successfully guess the password. To then use the password to unlock the smartphone, that attacker would also have to have access to the smartphone.

For stronger protection, users can choose to encrypt the contents of an optional media card, choose the option to encrypt using a device key or the combination of a device key and the device password. See Enforcing encryption of internal and external file systems on BlackBerry devices for more information.

To increase the difficulty of guessing passwords, RIM recommends that users always use strong passwords. A strong password has the following characteristics: includes punctuation marks, numbers, capital and lowercase letters does not include the user name, account name, or any word or phrase that would be easily guessed.

The security of mobile devices and major networked systems is tested by third party security researchers every day. RIM also continually tests the security of its own products, and volunteers its products to recognized industry experts for security testing and certification to help identify possible security vulnerabilities and protect BlackBerry customers against potential security threats.

For information on BlackBerry security, visit

This is a great explaination without getting really techinical, but if you want more explaination here it is.

Say you had a password using 62 possible characters (from the 26 lower case, 26 upper case, 10 digits):

  • An 8 character password has ~221+ trillion combinations (Computers can crack this in hours if not a day or two)
  • A 10 character password has ~850+ quadrillion combinations (Computers could brute force this password in months)
  • A 12 character password which is a bit absurd has ~3 sextillion combinations (Current computers could brute force this in about a 100 years)

Device keys create a 128/256 bit key that came be combined with your password.  This adds exponetial difficulty to the cracking of the password.