ElcomSoft Password Breaker gives you access to BlackBerry Wallet and Password Keeper

By DJ Reyes on 2 Sep 2011 10:17 am EDT


One of the great things about BlackBerry devices is the ability to password protect the device itself, as well as certain applications or areas on the device, from prying eyes. Browse BlackBerry App World or even the CrackBerry app store and you’ll find a whole host of third-party apps that let you password protect files, folders, photos, BBM, website passwords and so on, but the BlackBerry already has one built in: Password Keeper. You can also download a BlackBerry app, BlackBerry Wallet, that lets you save billing information, credit card details and the like to save you time filling out forms. Of course this too is protected with a master password, since you would not want anybody accessing that kind of information, which brings me to the point of this post. ElcomSoft, a software company, has developed the first commercially available product that can access passwords stored in Password Keeper as well as the information stored in BlackBerry Wallet.

Previous versions of ElcomSoft’s Password Breaker only recovered the password used to encrypt a backup of a BlackBerry device, so that you could restore a backup whose password you had forgotten. But even after recovering such a backup, the password data kept within Password Keeper and the details within BlackBerry Wallet were still protected by the master passwords governing those applications. With this latest update, Password Breaker can access the details within those two previously undecryptable apps.

At first I thought this can’t be right, but then again there are cases where you forget your master password and need to reset or recover it. Password Breaker will be able to help you recover those passwords and even decrypt the keychains of third-party apps. That is all well and good for personal use, recovering your own forgotten passwords from your own BlackBerry, but this software is commercially available, so what happens when others use it for the wrong reasons? The software does require you to have the backup file you want to recover the passwords from, which makes it a little harder for just anybody to use.

It’s still quite a scary thought knowing that there is software like this out there, software that can be bought for use at home or by corporations and authorities. Would this stop you from using these applications? Would you consider using third-party applications to store your passwords from now on? Tell us your thoughts in the comments.

Read ElcomSoft’s Full Press Release

Reader comments

way to go RIM? Same thing can be done to your PC/MAC passwords etc. JUST having a password is virtually useless. Two+ factor authentication is what you need if you are security conscious.

To date Password Keeper has effectively been two-factor. To gain access to the data, you've needed the actual BlackBerry itself. The data wasn't accessible remotely, as is the case with typical discussion of two-factor access.

The backup files have been known to be of a much lower encryption level than the device itself. Simple answer is, don't back up Password Keeper or BlackBerry Wallet. Or, don't let people have access to your backup files?

There isn't anything really groundbreaking. It's a brute force attack that runs on the backup. Since there is no wipe of the backup file, it can literally continue until it breaks it.

What about the BES? The Password Keeper data is also stored there. That's what I liked about Password Keeper. Changes you make are automatically backed up on the BES. Question is, is the BES safe now? Can an unscrupulous admin retrieve all the passwords?

While not for this specific reason, this type of reason is why I only put my passwords into a password manager, not my usernames. It's useless to have passwords if you don't know what the passwords are for, just as it's useless to have somebody's username if you don't know their password.

One more thing to add: While this is still bad, it doesn't look like it's as bad as it seems. If I read correctly, it doesn't give the information stored in those apps, only the passwords to access those apps. If so, you'd still need to restore from the backup, which would probably require you to have the specific phone the person backed up from. While I'm still careful with my security, I don't think that most people who would steal your passwords would invest enough money to buy every BlackBerry device, so you should be safe if you're using a Pearl or an old phone.

They don't need to buy every BlackBerry device. They could only download and install on a PC the respective BlackBerry Device Simulator.

Once, a public transport bus ran over my 6 month old BB Pearl (yeah, it sucked). Obviously the device was useless after that, but it refused to die completely. When I connected it to my PC I was able to do one last backup!

I had no money for a new BB and I was on a 1 year plan, so I had to wait 6 months to get a new BlackBerry without breaking the bank.

One day, when I was still BlackBerryless, I needed some info I had stored within Password Keeper. I tried to open some files from my last backup using WordPad. The info from Memos and such was readable, but of course the info from Password Keeper wasn't.

Then it struck me: "What if I try to load this last backup on a BB simulator for my old, now defunct, device?". I downloaded it, installed it, opened it, and then I opened BlackBerry Desktop. It recognized the simulator as a new device! Then I just loaded my backup on it, opened Password Keeper, entered my master password, and voilà! All my info was there, on the screen of my virtual BlackBerry Pearl!

Ok I'm freaked out now. I use mine for EVERYTHING. Can this software be used remotely as in from somewhere else, or do they have to have access to my phone to use this?

It requires the backup of the device. If you store passwords to say, your banking website, along with usernames, or CC numbers then it can be used from anywhere. But generally, where do you keep your backups? At home or at work. So unless someone has, or gets, access to your home or work PC, then you are fine.

I have switched to LastPass, which is awesome: it is encrypted and you have access on multiple devices as well as computers and browsers.

Steve Gibson from Security Now has given it his seal of approval and did an entire episode that described how it works in detail.

By pure chance, I switched to using KeePass the other day. I like being able to move my database file around and open it on other operating systems, being able to organise things into categories, and to my knowledge there's no easy-to-use program that can crack it open yet. It's also open source, so I can change anything I don't like about it.

I didn't really research any others, I went straight to KeePass from the BB password keeper from a recommendation and due to switching devices anyway.

So I read their press release and as I understand it, it uses a brute force method and " can try hundreds of thousands passwords per second, making dictionary and brute-force attacks feasible and the recovery time reasonable". So just have a longer password! If your password is composed of just 10 letters (i.e., no digits or other chars), there are 1.41*10^14 possible combinations for brute force attack. Now let's say the program can actually run 999,999 passwords per second. To run through all combinations would take 141167236 seconds, or 1633.88 days. Throw it a couple letters and other characters, and quit worrying!
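The keyspace arithmetic in the comment above, carried through as an added example (not code from the page or from ElcomSoft) that also extends it to larger character sets and longer passwords; the 999,999 guesses per second figure is the commenter's, and the character-set sizes are assumptions made here:

```python
import math

# Guess rate: the commenter rounds the press release's "hundreds of thousands
# of passwords per second" to 999,999/s, so the same figure is used here.
GUESSES_PER_SECOND = 999_999

# Character-set sizes (assumed here, not figures taken from the page).
LOWERCASE = 26        # a-z
ALNUM_MIXED = 62      # a-z, A-Z, 0-9
PRINTABLE_ASCII = 95  # all printable ASCII, symbols included


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` chars from the set."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Strength in bits: log2 of the keyspace."""
    return length * math.log2(charset_size)


def exhaustive_search_seconds(charset_size: int, length: int,
                              rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password at `rate` guesses per second.
    This models an offline attack on a backup file: nothing locks out or
    wipes after N wrong guesses, so the attacker can run to completion."""
    return keyspace(charset_size, length) / rate


def seconds_to_human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.2f} {unit}"
    return f"{seconds:,.2f} seconds"


def strength_report(scenarios, rate=GUESSES_PER_SECOND):
    """Return (label, bits, worst-case seconds) per (label, charset, length)."""
    return [(label, round(entropy_bits(cs, n), 1),
             exhaustive_search_seconds(cs, n, rate)) for label, cs, n in scenarios]


if __name__ == "__main__":
    scenarios = [("10 lowercase letters (the comment's case)", LOWERCASE, 10),
                 ("12 lowercase letters", LOWERCASE, 12),
                 ("10 mixed-case letters and digits", ALNUM_MIXED, 10),
                 ("12 printable ASCII characters", PRINTABLE_ASCII, 12)]
    for label, bits, secs in strength_report(scenarios):
        print(f"{label:44s} {bits:5.1f} bits  worst case {seconds_to_human(secs)}")
```

The first row reproduces the comment's 1633.88 days; the other rows show how much further a couple of extra characters and a wider alphabet push an offline search.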