ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

Smartphone Forensics: Cracking BlackBerry Backup Passwords

September 30th, 2010 by Vladimir Katalov

BlackBerry dominates the North American smartphone market, enjoying almost 40 per cent market share. A 20 per cent worldwide market share isn’t exactly a bad thing, too. The total subscriber base for the BlackBerry platform is more than 50 million users.

Today, we are proud to present world’s first tool to facilitate forensic analysis of BlackBerry devices by enabling access to protected data stored on users’ BlackBerries.

One of the reasons of BlackBerry high popularity is its ultimate security. It was the only commercial mobile communication device that was ever allowed to a US president: Barack Obama has won the privilege to keep his prized BlackBerry despite resistance from NSA. (On a similar note, Russian president Dmitry Medvedev was handed an iPhone 4 a day before its official release by no one but Steve Jobs himself. No worries, we crack those, too).



All data transmitted between a BlackBerry Enterprise Server and BlackBerry smartphones is encrypted with a highly secure AES or Triple DES algorithm. Unique private encryption keys are generated in a secure, two-way authenticated environment and are assigned to each BlackBerry smartphone user. Even more; to secure information stored on BlackBerry smartphones, password authentication can be made mandatory through the policies of a BlackBerry Enterprise Server (default, password authentication is limited to ten attempts, after which the smartphone's wiped clean with all its contents erased). Local encryption of all data, including messages, address book and calendar entries, memos and tasks, is also provided, and can be enforced via the IT policy as well. With the supplied Password Keeper, Advanced Encryption Standard (AES) encryption allows password entries to be stored securely on the smartphone, enabling users to keep their online banking passwords, PIN codes and financial information handy – and secure. If that’s not enough, system administrators can create and send wireless commands to remotely change BlackBerry device passwords, lock or delete information from lost or stolen BlackBerries.

Sounds pretty secure, does it? As always, there is the weakest link. With BlackBerry, the weakest link is its offline backup mechanism.

Backups are good. If you don’t do backups yet you definitely should. Any decent IT policy will mandate you to backup data at certain intervals. This is true not only for laptops, desktops or servers, but also for mobile devices and smartphones. A lost BlackBerry can definitely ruin your day without having a recent backup handy. How long will it take you to get everything back on your new BlackBerry? Count contacts, appointments, mail accounts and their settings, installed applications, photos, device preferences, etc. Backups offer a convenient way to reduce this time to just a few minutes.

Backups are also evil. They create a new instance of information that might be private or sensitive. It is easy to manage this information while it stays inside a secure device, and it might be a nightmare to manage it when it is out. Backup encryption is supposed to solve the problem. If you’re one of those guys with search warrants, I doubt that you like the idea of encrypting anything, BlackBerry backups included. At least if this isn’t your own backup.

Smartphone manufacturers provide software not only for syncing devices with desktop computers, but also for creating backups. For example, Apple iPhone users have iTunes. For BlackBerries, it is BlackBerry Desktop Software. According to the application manual:

The BlackBerry Desktop Software is designed to link the content and applications on your BlackBerry device with your computer.

You can use the BlackBerry Desktop Software to do the following tasks:

• synchronize your organizer data (calendar entries, contacts, tasks, and memos) and media files (music, pictures, and videos)

• back up and restore your device data

• manage and update your device applications

• transfer your device settings and data to a new BlackBerry device

• use your device as a modem to connect to the Internet from your computer

• manage multiple devices

• charge your device

Creating device backup is quite simple; again, following the manual:

To back up data that is in your built-in media storage, mass storage mode must be turned on.

1. Connect your BlackBerry device to your computer.

2. In the BlackBerry Desktop Software, click [Device] > [Back up].

3. Do one of the following:

• To back up all your device data, click [Full].

• To back up all your device data except for email messages, click [Quick].

• To select which types of device data to back up, click [Custom]. Select the check box next to the data you want to back up.

4. If your device includes built-in media storage and you want to back up data that is stored there, select the [Files saved on my built-in media storage] check box.

5. Do any of the following:

• To change the default name for the backup file, in the File name field, type a new name.

• To encrypt your data, select the [Encrypt backup file] check box. Type a password.

• To save your settings so that you are not prompted to set these options again when you back up your device, select the [Don't ask for these settings again] check box.

6. Click [Back up].

So when you restore the device from a backup, you will have to supply the same password you entered to create it (as if it’s not obvious).

Contrary to iPhone backups that consist of a collection of multiple files, BlackBerry backups are stored in a single file – either with .ipd (Windows version of BlackBerry Desktop) or .bbb (Mac version) extension. In fact, .bbb is simply a ZIP archive incorporating .ipd file inside.

Backup encryption uses AES with a 256-bit key. So far, so good. An AES key is derived from the user-supplied password, and this is where the problem arises.

In short, standard key-derivation function, PBKDF2, is used in a very strange way, to say the least. Where Apple has used 2’000 iterations in iOS 3.x, and 10’000 iterations in iOS 4.x, BlackBerry uses only one. Another significant shortcoming is that it’s BlackBerry Desktop Software that encrypts data, not the BlackBerry device itself. This means that the data is passed from the device to the computer in a plain, unencrypted form. Apple devices act differently; the data is encrypted on the device and never leaves it in an unencrypted form. Apple desktop software (iTunes) acts only as a storage and never encrypts/decrypts backup data. This is quite surprising since the BlackBerry platform is known for its unprecedented security, and we’ve been expecting BlackBerry backup protection to be at least as secure as Apple’s, which turned not to be the case.

What does that mean for us? We can run password recovery attacks on BlackBerry backups really fast – even without GPU acceleration we can go over millions of passwords per second. Here is the performance chart

In case these numbers don't give you much of a hint, here is the tip: if the password is 7 character long (a typical length) and contains only small letters or only capitals, it will take only about half an hour to recover the password on an Intel Core i7 CPU. And even if the password is composed of both uppercase and lowercase letters, the recovery will succeed in less than three days.

Of course, longer passwords will take more time, but the big question is: are you able to memorize longer passwords, or will you write them down?

Sorry, forgot to mention. To recover BlackBerry passwords, you'll need our Elcomsoft Phone Password Breaker (formerly "Elcomsoft iPhone Password Breaker" – sorry Apple, we've dropped an 'i' because not only iPhone backups are supported now, but your competitors as well. The abbreviated name remains EPPB for the time being).

And now some quick tips. First, not only brute-force attack is available: the dictionary attack (our favorite, especially when used with permutations) is there as well.

Second, once the password is recovered (or if you already know it), EPPB can decrypt the backup so that you can use it to restore the device or analyze its contents using any 3rd party mobile forensic tools like ABC Amber BlackBerry Converter.


Tags: , , , , , , , , , ,

Sign up for free ElcomSoft Password Recovery Software newsletter

36 Responses to “Smartphone Forensics: Cracking BlackBerry Backup Passwords”

  1. Justin Goldberg says:

    Is there a tool that can access deleted data on blackberries? Not the memory card, the phone itself? That would be useful!

  2. InetFree says:

    with the BlackBerry enterprise Server I never used the Desktop Manager with more than 2500 devices. all informations are in the back office, mostly in the Exchange Servers and all user profiles are stocked in the BES database. During the BB World, I have discussed with lot of IT managers in the other companies none of them use backup file from the Desktop Manager. One IT told me they have set up an IT policy to forbidden that.

  3. Deez says:

    Does the Elcomsoft Phone Password Breaker only brute force the password again the backed up file and not the device itself? Let’s say someone got hold of a lost\stolen phone, is the blackberry device hardware encryption still at risk of being cracked?

    • Yes, Elcomsoft Phone Password Breaker is designed to recover password for the backup, not for the device itself.
      If someone got your Blackberry the the amount of data he can get from the device depends on settings (i.e. is encryption on, how complex is the device password, etc). If someone got your iPhone then he can get almost everything from the device no matter how complex your passcode was. Our iOS Acquisition Toolkit can help with this.

  4. john silva says:

    Will the Elcomsoft Phone Password Breaker brute force the password again the backed up file and not the device itself? As i lost my phone, is the blackberry device hardware encryption still at risk of being cracked even if my phone was password protected.

    • Elcomsoft Phone Password Breaker can only brute-force passwords for device backups. So far Blackberry device encryption is strong enough and if you’ve set the security password on the device then you’re probably safe.

  5. Derek says:

    I’ve lost my Blackberry when I was on vacation and haven’t got a clue what the password on the backup file is. So far I’ve been using this software for combination of letters and digits for up to 6 characters with no luck. For my computer to attempt 7 characters it would take over 100 days. Was wondering if you can provide some advice on what to do as the info is very important to me. Is a high end computer the only solution? If so are there any services that rent out these kind of machines? Your input would be very much appreciated.

    • As far as we know, there is no way around the password for BlackBerry backups. This means that your best chance to get access to contents of that backup is to remember or recover the password.

      If that was your BlackBerry then you have set the password; try to remember it. Usually people reuse passwords heavily so try one of your standard passwords or its variations.

      Our next suggestion would be to run a wordlist attacks with different levels of mutations (depending on the performance you’ve got; the deeper mutations are is the better).

      Bruteforce (i.e. trying all 7-character password) is really a last resort as it is very slow. Again, any knowledge about probable password is very valuable and can significantly reduce the search space.

  6. jansher says:

    how do i back up my blackberry if my hp has died..i cant on my phone..how do i perform i back up..i tried connecting it to my computer but i still was unable to do the back up..someone help me please

    • You can care ate backup copy of your BlackBerry handset by using BlackBerry Desktop Software (you need to download it from RIM’s website). You may be asked to enter device password to create a backup.

  7. LSM says:

    How about iOS 5: Is the security any better? Or would a BB with strong device encryption and no local backup would still be safer for Enterprise use?

    • That’s a trick question. Security in iOS 5 is better than in iOS 4, but the ability to do full physical acquisition on all devices except iPad 2 and iPhone 4S makes iOS little less attractive than BlackBerry from the security point of view.

      At the same time I am confident that iOS devices can be safely used in an Enterprise given the adequate policy and user training.

  8. Vin Gustav says:

    Hi, I forgot my BlackBerry Smarphone password.. so I’m unable to access any of its functions or data, very important stored emails are involved.
    Any suggestion?

    • If you have media card in your BlackBerry and media card encryption is turned on to “Encrypt using device password” then EPPB (Elcomsoft Phone Password Breaker) may be able to help. Download trial version from our website and open info.mkf from your media card. If it opens without errors/warnings then chances that you’ll be able to recover the password are good!

  9. Julie says:

    Hi, I recently lost my blackberry and am worried that the finder will be able to access my email inboxes… The device was password protected, but only by a four character password. I was wondering, do you know what the default settings for the Blackberry Bold are with regards to security, mainly would encryption and media card encryption be set to on at time of purchase? I can’t remember what I had for these settings. THANKS.

  10. jashion says:

    i forgot my blackberry password. can u help me ?

  11. yesi says:

    Does Anyone know of a free software that can crack the password of one of my backup file . I had this backup for almost a year now but I have some memo, task and phone numbers I wish to access. I got myself a new 9700 so I would appreciate it if anyone can help me out.


  12. nsp says:

    can someone please help me how to recover .rem files on blackberry. i’ve search everywhere but i ended up here, but this program give me an error code -4 when i try to decrypt sd card. please if some one know how email me at w3sani@gm**l.com
    im so desperate, thousand of my pictures from my wedding etc. now just cannot be open
    thank you very much

  13. furr says:

    Hi there, I’ve recently had to change my yahoo account password and I now can’t remember it and the recovery account email linked to it has been disabled without my knowledge. I can still access emails on my BB but can’t change any settings. By any chance would my BB have a stored copy of the password and would I be able to recover it from the device or a backup?

  14. Gift Bibian says:

    I lost my pinging password and i will like to recover it thanks

  15. Gift Bibian says:

    thanks for your concern in the sending of my password i really want to say thanks to you

  16. Gift Bibian says:

    i lost my password and wilkl like to regain it the phone is bold 5 and my e-mail is right there in in the gap ple

  17. shagie says:

    I changed my bold5 password days ago and laater I couldn’t remember the new password, I entered wrong code 10 times and now my fone is wiped. Please am so concern bout my pictures and videos is there any software blackberry can use to get me back my videos and pictures? I need them so badly I don’t really care for the contacts, emails and messages, I need my pictures *crying* please help!!!!!!

  18. shagie says:

    I changed my bold5 password days ago and laater I couldn’t remember the new password, I entered wrong code 10 times and now my fone is wiped. Please am so concern bout my pictures and videos is there any software blackberry can use to get me back my videos and pictures? I need them so badly I don’t really care for the contacts, emails and messages, I need my pictures *crying* please help!!!!!!

  19. Johng502 says:

    Good website! I truly love how it is easy on my eyes and the data are well written. I’m wondering how I could be notified whenever a new post has been made. I have subscribed to your RSS feed which must do the trick! Have a great day! edgddgcdeffa

  20. shagie,

    Sorry, but if the device has been wiped after a few unsuccessful attempts, there is absolutely no way to get your information back (until you have the device backup).

  21. Bolanle O. Omotoso says:

    We are the foremost data recovery and digital Forensics Services Company in Nigeria.

    The essence of this mail is to seek partnership with a reputable Organisation in Data Recovery and Forensic Services so that we can collaborate to deliver forensic services in our region.

    As I write this mail, a client brought 6 Blackberry phones to us, ranging from a Blackberry Porsche Design P’9981: IMEI: 359850040348604, a Curve 9320, a Bold 9990, another Touch 9550, a Sony Erickson, and a Tecno Phone.

    The customer reported inaccessibility, having forgotten the passcode to some of them.

    We gave the 4 phones to a firm in the UK who had carried out a chip-off procedures on the phones in order to access the contents of the phones. This UK firm could not get what the client wanted, although he got some items, the client is particularly interested in the DELETED BBM chats, WebHistory, and ANY other deleted communications.

    Kindly assist to locate and recommend an experienced Mobile Forensic Company that can recover BBM/Whatsapp chats, images, and cookies, web history, and ALL the deleted data items, although, he will also want the NOT-Yet Deleted to be preserved as well.

    Regards and thanks

  22. Carol says:

    Hi Vladimir

    Nice article. Do you have information about the new Blackberry 10 OS and Blackberry Link? How secure are their new encryptions?


  23. Carol,

    Thank you!

    With BlackBerry 10, backup encryption has been changed completely. The system (BB 10) has backup server running, which generates (and sends to the Link for further saving into backup file) already encrypted data; the encryption key is stored deep inside the device and cannot be extracted from there. This key is generated when you activate the device using BB ID (and password).

    We have found the way to obtain the encryption key (and so decrypt the backup) if password to BB ID is known. That feature implemented in Phone Password Breaker (Forensic).

  24. Oliver says:


    I just discover your blog and your tools ! I am amazed with your discoveries !
    If you have to choose between a bb10 device and an iPhone, which one would you choose depending only on security ? I do not take pictures or play game so those criterias are irrelevant to me.
    I had an iPhone 4s but the last discoveries of zdziarski freak me out. And the fact that it could happen even over 4G makes me more crazy. Is it possible to generate those pairing keys even without a previously trusted computer ?

    Thanks !

    • Oliver,

      iPhone provides an adequate level of security (until you installed the jailbreak). Pairing records do create some risk, but they expire once you restart the device, and there is no way to generate them without connecting it to the computer. There is actually nothing to worry about.

  25. Oliver says:

    Thanks for your answer Vladimir.
    I just want to make sure I understood. If, after disconnecting from my computer, I restart my iPhone, does the pairing records become obsolete ? If someone get access to my computer (in anyways) is there something he can use to decrypt backups I made or acces my phone ?

    I just feel that it’s so cumbersome compared to blackberry where the only way to access the phone is by knowing the bbid and the password associated which are different from the device password.

    Also your software’s price is so low that anybody can buy them making the security of iPhone useless lol

  26. kaya says:

    Dear Vladimir I have some questions regarding BB10 device activated with a workspace setup via BES. The server forced me to use a 12 character minimum (alpha-number-symbol) password rule when activating te device on BES.

    The server also forced the device to enable encryption. A BB ID has never been setup. If the device is locked, I need to enter the device password which was created during activation, to unlock the device..after which the device enters directly into the work space.

    My question:

    in what way are forensics able to de-crypt my device if they have physical access to my BB device?