Types Of Remote Blackberry Device Wipes - Blackberry ENTERPRISE SOLUTION SECURITY - ENTERPRISE SOLUTION - SECURITY TECHNICAL Overview

BlackBerry Enterprise Solution
The BlackBerry Enterprise Server administrator should send the Set a Password and Lock Handheld IT administration command only to a content-protected BlackBerry device that is in the possession of the BlackBerry device user. Sending this command to a BlackBerry device that is in the possession of an attacker allows an attacker who uses a hardware-based attack to recover from flash memory the key pair that the BlackBerry device creates when it receives the IT policy, and thereby to decrypt all the data on the BlackBerry device.
For more information about the protocol, see "Appendix L: Protocol for resetting the password on a content-protected BlackBerry device remotely" on page 89.

Types of remote BlackBerry device wipes

The BlackBerry device wipe process is designed to delete all data in internal memory and overwrite that memory
with zeroes.
Type: factory default device wipe
Description: This method of removing BlackBerry device data is initiated by the BlackBerry Enterprise Server administrator remotely using the Remote Wipe Reset to Factory Defaults IT policy rule. See "Removing third-party applications during a user-initiated security wipe" on page 65 for more information.

Type: security wipe of data (standard security wipe)
Description: This method of removing BlackBerry device data is initiated by the BlackBerry Enterprise Server administrator remotely, or by the BlackBerry device user locally on the BlackBerry device. See "Remotely erasing data from BlackBerry device memory and making the BlackBerry device unavailable" on page 63 for more information.

Type: security wipe of data and third-party applications (standard security wipe with Include third party applications option selected on device)
Description: This method of removing BlackBerry device data is initiated by the BlackBerry device user locally on the BlackBerry device. The BlackBerry Enterprise Server administrator can achieve the same result by performing a factory default device wipe. See "Removing third-party applications during a user-initiated security wipe" on page 65 for more information.

Type: security wipe of data on a content-protected device (standard security wipe on a content-protected device)
Description: If content protection is turned on, during a security wipe the BlackBerry device uses a memory scrub process to overwrite the BlackBerry device flash memory file system. The BlackBerry memory scrub process complies with United States government requirements for clearing sensitive user data, including Department of Defense directive 5220.22-M and National Institute of Standards and Technology Special Publication 800-88.

For more information, see Erasing File Systems on BlackBerry Devices Technical Overview.

The BlackBerry device performs the following actions, depending on the method used to wipe the internal device memory:

BlackBerry device action: deletes user data
Description: The BlackBerry device permanently deletes all user data in memory.

BlackBerry device action: deletes corporate PIN-to-PIN encryption key
Description: The BlackBerry device permanently deletes its references to the corporate peer-to-peer, or PIN-to-PIN, encryption key in memory.

BlackBerry device action: deletes the master encryption key
Description: The BlackBerry device permanently deletes its references to the master encryption key in memory.

BlackBerry device action: unbinds the smart card (if applicable)
Description: The BlackBerry device permanently deletes the smart card binding information from the NV store so that a user can authenticate with the BlackBerry device using a new smart card.

This manual is also suitable for:

Enterprise server 4.1
