Monday, April 29, 2013

BlackBerry isn't as secure as we once believed

While it's widely believed that BlackBerry is the 'most secure mobile platform on earth', Research In Motion's own statements suggest that isn't true.

The relevant portion of this document is:

"The PIN encryption key is a Triple DES 168-bit key that a BlackBerry® device uses to encrypt BlackBerry® Messenger messages that it sends to other devices and to authenticate and decrypt BlackBerry Messenger messages that it receives from other devices. If a BlackBerry device user knows the PIN of another device, the user can send a BlackBerry Messenger message to the device. Before a user can send a BlackBerry Messenger message, the user must invite the recipient to add the user to the recipient's contact list.

"By default, each device uses the same global PIN encryption key, which Research In Motion adds to the device during the manufacturing process. The global PIN encryption key permits every device to authenticate and decrypt every BlackBerry Messenger message that the device receives. Because all devices share the same global PIN encryption key, there is a limit to how effectively BlackBerry Messenger messages are encrypted. BlackBerry Messenger messages are not considered as confidential as email messages that are sent from the BlackBerry® Enterprise Server, which use BlackBerry transport layer encryption. Encryption using the global PIN encryption key is sometimes referred to as "scrambling".

In other words, every single BlackBerry device uses the exact same 'secret' PIN encryption key to encrypt BlackBerry Messenger messages. Whoever has that key can easily decrypt anyone's BBM messages. While RIM says that they only provide that key when required by law enforcement (like the fiasco in India a few years ago), the fact of the matter is that there is a backdoor in the BBM system and, if there's a backdoor, it can be exploited by anyone who knows how.

Remember when President Obama wanted to keep his BlackBerry and RIM said they would have to 'harden' it to make it more secure? One of the things they likely did was replace this global PIN encryption key with one unique to his device.

Lastly, it seems email sent over the BlackBerry Enterprise Server is considerably more secure, since it uses BlackBerry transport layer encryption rather than the shared global key. But, as is usually the case, if you didn't encrypt it yourself and you don't control the keys, you can't guarantee anything.
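To make the shared-key problem above concrete, here is an added example (not RIM's code, and not a description of how BBM is actually implemented) that models "scrambling" as Triple DES with a 168-bit key plus an authentication tag. The key `GlobalPINKey`, the PINs and the pair secret are constructed placeholders. It shows why a third device built with the same global key reads a message addressed to someone else, and contrasts that with a hypothetical key provisioned only to the two parties, in the spirit of the "unique to his device" hardening mentioned above. `DeriveKey` is my own illustrative construction, not RIM's procedure.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// GlobalPINKey is a constructed 168-bit (24-byte) Triple DES key standing in
// for the global PIN encryption key the quoted document says every device
// shares. It is a placeholder, not a real key.
var GlobalPINKey = []byte("constructed-global-key24")

// Scramble models BBM "scrambling": Triple DES in CTR mode under key, with a
// fresh 8-byte IV and an HMAC-SHA256 tag keyed with the same key, so that a
// receiver can both authenticate and decrypt. Output is iv || ciphertext || tag.
func Scramble(key, plaintext []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key) // requires exactly 24 bytes
	if err != nil {
		return nil, err
	}
	iv := make([]byte, des.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	body := append(iv, ct...)
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return append(body, mac.Sum(nil)...), nil
}

// Unscramble verifies the tag and then decrypts. Any holder of key succeeds,
// which is exactly the problem when key is the same on every device.
func Unscramble(key, msg []byte) ([]byte, error) {
	if len(msg) < des.BlockSize+sha256.Size {
		return nil, errors.New("message too short")
	}
	body, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("authentication failed: wrong key or tampered message")
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(body)-des.BlockSize)
	cipher.NewCTR(block, body[:des.BlockSize]).XORKeyStream(pt, body[des.BlockSize:])
	return pt, nil
}

// DeriveKey is a hypothetical alternative to the global key: a 24-byte 3DES
// key derived from a secret provisioned only to the two devices concerned,
// bound to both PINs in a fixed order so each side derives the same key.
// The PINs are constructed placeholders; this is not RIM's procedure.
func DeriveKey(pairSecret []byte, pinA, pinB string) []byte {
	if pinB < pinA {
		pinA, pinB = pinB, pinA
	}
	mac := hmac.New(sha256.New, pairSecret)
	mac.Write([]byte("bbm-pair-key:" + pinA + ":" + pinB))
	return mac.Sum(nil)[:24]
}

func main() {
	msg := []byte("meet at noon")

	// Alice sends to Bob under the global key; Carol, any third device built
	// with the same key, reads it just as easily as Bob does.
	wire, _ := Scramble(GlobalPINKey, msg)
	bob, _ := Unscramble(GlobalPINKey, wire)
	carol, _ := Unscramble(GlobalPINKey, wire)
	fmt.Printf("global key: Bob reads %q, Carol reads %q\n", bob, carol)

	// With a key only Alice and Bob hold, Carol's global key fails the
	// authentication check before any decryption happens.
	pairKey := DeriveKey([]byte("constructed pair secret"), "2A1B3C4D", "5E6F7A8B")
	wire, _ = Scramble(pairKey, msg)
	bob, _ = Unscramble(pairKey, wire)
	_, err := Unscramble(GlobalPINKey, wire)
	fmt.Printf("pair key:   Bob reads %q, Carol gets error: %v\n", bob, err)
}
```

The point of the contrast is the one the quoted document itself makes: the strength of the cipher (3DES here) is beside the point when the key is held by every device ever manufactured. Whoever holds that key passes the authentication check and decrypts, which is why the document rates BBM below BES email.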
