You've encrypted data on your SD card?

[psiphi]

Think your encrypted (Micro and Mini) SD card is safe from hacking? Think again!

The Crowbar… looks like a rugged diagnostic tool but is actually a brute force cracking tool that can shred passwords surprisingly quickly. It’s so dangerous that the company only sells it to law enforcement officers and the military.

"...The Crowbar is both powerful and subtle. You can use it to crack security on a handheld device without alerting the owner that the device’s security has been compromised. The Crowbar also stores log-in information for the cracked handheld, so anytime you need to access the hacked device again, you can without going through the entire brute force process again, unless the user changes the password..."

More info here:
http://gcn.com/articles/2009/08/24/g...ecurity_240809

[frazell]

A skim of the article didn't mention Windows Mobile. I wonder how well their device works on Windows Mobile since Windows Mobile 6.1 just recently gotten government certification for use holding confidential government data using its encryption. I'm inclined to think if the encryption could be easily broken with an off the shelf device like this governments wouldn't consider it safe.

[daoom]

Read the article: this is meant to crack SD or MMC cards, not the phones themselves.

[frazell]

Quote:

Originally Posted by daoom

Read the article: this is meant to crack SD or MMC cards, not the phones themselves.

The encryption WinMo uses on the SD card is included in the security testing the government certification body conducted

[Naldiian]

Well, the #1 rule in informaiton security is that if you have physical access to the data storage media, and time to work with, you own the data.

That said, a good understanding of cryptography also presents that fact that no form of brute force attack can crack a lot of the encryption systems out their currently, and it takes an understanding of how something was encrypted to even know where to start to decrypt it. In this case it looks like they are referring to specific enrycption processes and therefor have a lot of the info need to try and crack it ... but anyone that has government or law enforcement officials wanting to covertly hack their phone should be able to figure out how to use one of the many tools out there to encrypt data to a ridiculous level.

Sure,the basic level of encryption used on a mobile device to make data casually obfuscated from anyone that might find your SD card laying around is probably a simple process - especially if you know the manner in which it was encrypted very specifically, but that encryption is not meant to be a bulletproof means of protecting data from someone with malicious intent and the resources to work on it.

The Window Mobile encryption that is certified for government is actually not just the encryption algorythm and capability built in, but rather the entire methodology possible with managed Windows Mobile devices using enterprise PKI-issued certificates and all of the necessary key recovery capabities to ensure decryption for data recovery when needed as well.