A Russian company that specialises in cracking tools claims it has broken the password protection used to secure data backups from BlackBerry smartphones. A Russian company that specialises in cracking tools claims it has broken the password protection used to secure data backups from BlackBerry smartphones.According to Elcomsoft, a weakness in the way BlackBerry has implemented the apparently secure 256-bit AES encryption in its PC and Mac backup program, BlackBerry Desktop Software, makes it possible to carry out a successful password recovery attack on the backup archive with relative ease.‘Relative’ in this context means breaking a 7-character password consisting of small letters with two capitalisation in around half an hour using an Intel Core i7 processor. More complex variations of this basic password could be broken in three days using the same hardware, the company claims, before adding that using graphics hardware such as the ATI Radeon HD5970 card would cut this considerably.“In short, standard key-derivation function, PBKDF2 [password-based key derivation function], is used in a very strange way, to say the least. Where Apple has used 2,000 iterations in iOS 3.x, and 10,000 iterations in iOS 4.x, BlackBerry uses only one,” says Elcomsoft’s Vladimir Katalov in an explanatory blog posting. The BlackBerry archive encryption is also carried out using the desktop or Mac PC, rather than the smartphone itself, which means that the data is exchanged in unencrypted form, Katalov adds.What such a backup archive contains will vary from user to user, but in the case of a managed business user, will likely be all data from the BlackBerry, including contacts, email, and password settings for email and WiFi. Almost as an aside, the company says the same software will also do the same for iPhone, iPad and iPod Touch backups, although it is clear that the possibility of attacking backups made from a device famously used by President Obama is the bigger prize.Elcomsoft has given itself a controversial reputation with previous cracking tools, including one to derive some WiFi WPA encryption passphrases, which was, coincidentally, updated last week. Related content news UK government plans 2,500 new tech recruits by 2025 with focus on cybersecurity New apprenticeships and talent programmes will support recruitment for in-demand roles such as cybersecurity technologists and software developers By Michael Hill Sep 29, 2023 4 mins Education Industry Education Industry Education Industry news UK data regulator orders end to spreadsheet FOI requests after serious data breaches The Information Commissioner’s Office says alternative approaches should be used to publish freedom of information data to mitigate risks to personal information By Michael Hill Sep 29, 2023 3 mins Government Cybercrime Data and Information Security feature Cybersecurity startups to watch for in 2023 These startups are jumping in where most established security vendors have yet to go. By CSO Staff Sep 29, 2023 19 mins CSO and CISO Security news analysis Companies are already feeling the pressure from upcoming US SEC cyber rules New Securities and Exchange Commission cyber incident reporting rules don't kick in until December, but experts say they highlight the need for greater collaboration between CISOs and the C-suite By Cynthia Brumfield Sep 28, 2023 6 mins Regulation Data Breach Financial Services Industry Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe