BlackBerry password security not so secure


BES12 Client

https://itunes.apple.com/us/app/bes12-client/id505157728?mt=8

(Versions Affected: 12.0.4.146, 12.0.5.150, 12.0.6.154, 12.0.8.164, 12.0.9.174, 12.0.10.175, 12.0.11.177)

It is our intention in sharing this information that Blackberry and others will make changes to implement better security practices. These issues have been secured, so there is no risk in exposing this data. Blackberry users, the Internet, and the world as a whole deserve to have their data secured and taken care of by the companies we put our trust in.

BlackBerry has always had a strong name for being secure. It disappoints us that in our research we found the use of incredibly insecure passwords.

These passwords are used to secure personal, corporate, government, military, and defense data.

The passwords Blackberry used:

1. Toronto@1

2. Boeing123

3. password

Risk:

These passwords were in use to secure the encryption keys in BlackBerry's flagship BES12 iOS mobile application. This is concerning, as the same passwords might be used elsewhere; furthermore, they were listed in plain text.
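The kind of check a build pipeline can run to catch this class of defect before release: scan project files for credential values sitting next to password-like keys, then grade each value against a basic policy. This is an added example, not code from BES12 or from the original post; the file contents are constructed, and the key names (KeystorePassword, CertPassword, pkcs12Password) are assumptions.

```python
import re

# Constructed sample: a plist-style fragment and a source line of the kind that carries a
# key-protection password in plain text. The values are the three passwords named on the page.
SAMPLE_FILES = {
    "Config.plist": """<key>KeystorePassword</key>
<string>Toronto@1</string>
<key>CertPassword</key>
<string>Boeing123</string>""",
    "KeyLoader.m": 'NSString *pkcs12Password = @"password";',
}

# Patterns that capture a plaintext credential value next to a password-like key name.
PATTERNS = [
    re.compile(r'<key>[^<]*(?:pass|pwd|secret)[^<]*</key>\s*<string>([^<]+)</string>', re.I),
    re.compile(r'\w*(?:pass|pwd|secret)\w*\s*=\s*@?"([^"]+)"', re.I),
]

COMMON = {"password", "123456", "qwerty", "letmein", "admin"}

def weakness_reasons(pw: str, context_words=("toronto", "boeing", "blackberry", "bes")):
    """Return the reasons a password fails a basic policy; an empty list means it passes."""
    reasons = []
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    if pw.lower() in COMMON:
        reasons.append("on common-password list")
    if any(w in pw.lower() for w in context_words):
        reasons.append("contains a place/organisation name")
    # A dictionary word followed by a short run of symbols/digits (e.g. Toronto@1, Boeing123).
    if re.fullmatch(r"[A-Za-z]{4,}[^A-Za-z]{1,3}", pw):
        reasons.append("dictionary word plus short suffix")
    return reasons

def scan(files: dict) -> list:
    """Find plaintext credentials and grade them; returns (file, value, reasons) tuples."""
    findings = []
    for name, text in files.items():
        for pat in PATTERNS:
            for m in pat.finditer(text):
                findings.append((name, m.group(1), weakness_reasons(m.group(1))))
    return findings

if __name__ == "__main__":
    for f, value, reasons in scan(SAMPLE_FILES):
        print(f"{f}: hardcoded credential {value!r} -> {', '.join(reasons) or 'policy OK'}")
```

Any finding, weak or not, should fail the build: the policy grade only says how bad it is, while the presence of the value in a shipped file is the defect itself.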

Timeline:

Feb 9th, 2016 - we alerted BlackBerry of the issue.

Promptly, 30 days later, they had a fix in place.

Sadly, the weak passwords existed from Feb 24th, 2015 to March 9th, 2016:

379 days, and they were only fixed after we brought it to their attention.

BlackBerry has since removed the weak passwords but has left other insecurities in the most recent app store release.

With Blackberry now entering the field of "cyber security specialists", we hope they work harder to secure their own data as well.

http://press.blackberry.com/en/press/2016/blackberry-launches-new-professional-cybersecurity-services-practice-to-expand-portfolio.html

We have offered, and continue to offer, to help work with Blackberry to secure their software, but in our last communication they informed us they were not interested.

Wishing Blackberry, you and yours well on your side of the screen :)

-Eric

eric@codecancare.com

Issue for June: Google HangOuts, Turning on any users camera via ios application without any user interaction.

Issue for July: The Fortune 500: 90 days of research, 90% with unresolved security issues.


© 2016 Code Can Care