According to the force, “investigators were able to identify the suspects in relation to a series of violent crimes committed on the Montréal territory between 2010 and 2012: arson, weapon cache, forcible confinement, drug trafficking, gangsterism and conspiracy.” But serious questions still remain. Does the RCMP still have the key? Who else has it? And why does a company that places such emphasis on security use a questionable cryptographic architecture?
As Apple fights for the privacy rights of their customers, Canada’s BlackBerry CEO John Chen’s blog post on April 18, 2016 did little to allay concerns. He confirmed that the company complies with “reasonable lawful access requests,” but provided no helpful information with respect to the PIN to PIN interception. His post reminded readers that when it comes to BlackBerry, there are two classes of customers: consumers and enterprise.
Consumers, businesses, and governments buy the same BlackBerry handhelds. But from a security perspective, there can be significant differences depending on how the devices are deployed. All BlackBerry handhelds worldwide include the same shared global encryption key. Unless used with a specially configured BlackBerry Enterprise Server (BES), PIN to PIN messages are encrypted using the shared global key.
BlackBerry’s claim that PIN to PIN messages are encrypted is technically true. However, as is often the case with cryptography, the devil is in the details. Embedding the same key in every device is like selling cars that all start with the same key, or combination locks that all open with the same digits. The only difference is that in BlackBerry’s case, it requires considerable expertise to extract the key from a device. But since the key is contained within every device, it is reasonable to assume that major intelligence and law enforcement agencies already have it — with or without BlackBerry’s cooperation. Once the key is obtained, it can be used to decrypt PIN to PIN communication between almost every BlackBerry handheld in the world.
Chen’s post states, “at no point was BlackBerry’s BES server involved. Our BES continues to be impenetrable – also without the ability for backdoor access – and is the most secure mobile platform for managing all mobile devices.” Setting aside the arrogance of his claim that BES is “impenetrable,” his statement appears to stem from the fact that once a BlackBerry handheld is connected to a BES server, different cryptographic keys are used to protect some communications including email. But PIN to PIN encryption remains problematic. Organizations with a BES server can override the global encryption key for their handhelds, but doing so will also prevent the organization’s users from communicating PIN to PIN with anyone outside the server. As a result, few companies and government departments use this feature.
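The trade-off in the last two paragraphs, as a toy model added here (not BlackBerry's code or cipher): handsets that keep the shared global key are readable by anyone holding that key, and handsets whose key a BES has overridden keep their traffic private but can no longer exchange messages with handsets outside the server. The key material, PINs and cipher construction are all constructed stand-ins.

```python
import hashlib
import hmac
import os

# Toy model of the key architecture described above: every handset ships with one
# shared global key, and a BES may replace it with an organization key. The cipher
# is a constructed stand-in (HMAC-SHA256 keystream + HMAC tag), not BlackBerry's.
GLOBAL_KEY = b"constructed-global-key-baked-into-every-handset"

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key: the message is simply unreadable
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Handset:
    def __init__(self, pin, key=GLOBAL_KEY):
        self.pin, self.key = pin, key
    def send(self, msg):
        return encrypt(self.key, msg)
    def receive(self, blob):
        return decrypt(self.key, blob)

def bes_override(handsets, org_key):
    """A BES replacing the global key on the handsets it manages."""
    for h in handsets:
        h.key = org_key

def demo():
    alice, bob = Handset("2A0001"), Handset("2A0002")  # consumer handsets
    blob = alice.send(b"meet at 9")
    snooped = decrypt(GLOBAL_KEY, blob)  # anyone holding the global key reads it
    c1, c2 = Handset("2B0001"), Handset("2B0002")  # handsets behind one BES
    bes_override([c1, c2], os.urandom(32))
    org_blob = c1.send(b"quarterly numbers")
    return (bob.receive(blob), snooped, c2.receive(org_blob),
            decrypt(GLOBAL_KEY, org_blob), c1.receive(blob))
```

`demo()` returns, in order: Bob reading Alice's message, the global-key holder reading the same message, the two BES handsets talking to each other, the global-key holder failing on the BES traffic, and the BES handset failing to read the consumer message.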
Whether there is “the ability for backdoor access” to data in a BES environment depends on the definition of backdoor. The BES server itself includes the capability to log every PIN (and SMS) message sent to and from the BlackBerry handhelds it services. While intended for corporate and government compliance, it is conceivable that organizations in some jurisdictions could be compelled to activate the functionality and turn data over to authorities.
The fact that the RCMP appears capable of decrypting PIN to PIN messages to and from almost any BlackBerry in the world is certainly cause for concern, but the RCMP didn’t design BlackBerry’s cryptographic architecture. The RCMP appears to have obtained the cryptographic key required to investigate and prosecute serious criminal activity that falls squarely within their mandate. It is certainly not their fault that the same key can decrypt the communications of parties who are unrelated to the investigation.
Chen’s blog post claims that “protecting customer privacy is a core BlackBerry principle.” It is difficult to reconcile his statement with the company’s inadequate protection of PIN to PIN communication. Shame on BlackBerry.
Have a security or privacy question you’d like answered in a future column? Email email@example.com