[Dshield] Thoughts on Blackberry Security?

Security Guy securityguy at dslextreme.com
Wed Oct 6 21:34:03 GMT 2004

I've been a lot of input and I'm trying to put it together.  I'll post the
final document (hoping for your criticism and input) once it's done.

It turns out that the Blackberry has a fairly good password protection plan.
Blackberry passwords allow a user to set a custom password between 4 and 14
characters long. The Blackberry also rejects weak passwords such as
identical characters or those of a natural sequence. With the password set,
after a specific period of inactivity, the Blackberry activates a
screensaver and requires the user to input the password to access the
information on the handheld.

The password is stored on an encrypted SHA-1 hash store. Using this method
of encryption makes cracking the password on the handheld difficult, even if
they have the contents of the memory. Unfortunately, this is not a
requirement for handheld use, and the user has the ability to disable this

I've also been informed that those companies that implement the Blackberry
Secure Server have the ability to "kill" a stolen handheld by deactivating
the sim card so that it can not talk back to the parent server. A
list-member has advised me that they have used this feature many times when
employees have left and tried to take their handhelds with them.  That
sounds excellent to me!

- WB

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Fitton, Robert (Bob)
Sent: Wednesday, October 06, 2004 2:05 PM
To: General DShield Discussion List
Subject: RE: [Dshield] Thoughts on Blackberry Security?

On Wed Oct 6, Wayne Beckham said:

>SOOOOO, their email, is being sent clear text.
>Problem #2 - I read that a blackberry has no passwords, local data 
>encryption, etc.
>a stolen blackberry is a thief's dream.  

I'm new to the blackberry recently issued to me, but it does have a
password.  It times out and locks after a preset length of idle time (max is
one hour - I have to keep unlocking the damn thing).  How good it is
(whether you can get around it easily) I do not know.

DShield and the Internet Storm Center are sponsored by the SANS Institute.
To learn more about current SANS training, see http://www.sans.org .

send all posts to list at lists.dshield.org To change your subscription options
(or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

More information about the list mailing list