BlackBerry — Which Said It Wouldn't Protect Criminals — Assures Criminals Its Phones Are Still Secure

from the organized-criminal-activity-still-a-go dept

Bad news for BlackBerry. The custom PGP-equipped BlackBerrys — considered much more secure than off-the-shelf models — have been compromised. On January 11th, Motherboard reported that Dutch law enforcement officials claimed to be able to bypass or crack the phones’ encryption.

Dutch investigators have confirmed to Motherboard that they are able to read encrypted messages sent on PGP BlackBerry phones—custom, security-focused BlackBerry devices that come complete with an encrypted email feature, and which reportedly may be used by organized criminal groups.

“We are capable of obtaining encrypted data from BlackBerry PGP devices,” Tuscha Essed, a press officer from the Netherlands Forensic Institute (NFI), told Motherboard in an email.

Never mind the “reportedly may be used by organized criminal groups.” That’s something any law enforcement agency would say when describing its ability to crack open phones and pull out contents presumed to be protected by the device. There are privacy concerns that need to be addressed — along with concerns about how these devices are searched — and claiming Device X is “reportedly” used by Unnamed Criminal Organization Y is a simple way of sidestepping these uncomfortable questions.

One day later, Motherboard reported Canadian law enforcement could also circumvent the PGP phones’ built-in protections.

“This encryption was previously thought to be undefeatable,” one 2015 court document in a drug trafficking case reads, referring to the PGP encryption used to secure messages on a BlackBerry device. “The RCMP technological laboratory destroyed this illusion and extracted from this phone 406 e-mails, 25 address book entries and other information all of which had been protected.”

In another case from 2015, centering around charges of kidnap and assault, three out of four BlackBerrys seized by the RCMP were analysed by the “Technical Assistance Team in Ottawa and the contents were decrypted and reports prepared.”

Other law enforcement agencies have refused to confirm or deny their ability to crack BlackBerry phones for obvious reasons. No sense in tipping off “organized criminal groups” that their encrypted communication devices are considered open books by Local Law Enforcement Agency Z.

BlackBerry has fired back, claiming its phones are still as secure as ever.

There have been recent media reports that police-affiliated groups in the Netherlands have been able to ‘crack’ the encryption protecting e-mails and other data that are stored on BlackBerry devices.

BlackBerry does not have any details on the specific device or the way that it was configured, managed or otherwise protected, nor do we have details on the nature of the communications that are claimed to have been decrypted.

If such an information recovery did happen, access to this information from a BlackBerry device could be due to factors unrelated to how the BlackBerry device was designed, such as user consent, an insecure third party application, or deficient security behavior of the user.

Furthermore, there are no backdoors in any BlackBerry devices, and BlackBerry does not store and therefore cannot share BlackBerry device passwords with law enforcement or anyone else.

While there could be some truth to BlackBerry’s assertions, one wonders why it even cares. After all, its own CEO went after Apple for “locking out” law enforcement with its encryption-by-default design.

For years, government officials have pleaded to the technology industry for help yet have been met with disdain. In fact, one of the world’s most powerful tech companies recently refused a lawful access request in an investigation of a known drug dealer because doing so would “substantially tarnish the brand” of the company. We are indeed in a dark place when companies put their reputations above the greater good. At BlackBerry, we understand, arguably more than any other large tech company, the importance of our privacy commitment to product success and brand value: privacy and security form the crux of everything we do. However, our privacy commitment does not extend to criminals.

CEO John Chen openly stated BlackBerry will not protect criminals. If law enforcement agencies are able to bypass the security in PGP phones, they’re presumably doing so to capture criminals. Applied to Chen’s Apple-bashing statement, this isn’t a flaw in the encryption. It’s serendipity. BlackBerry will help law enforcement access your phone’s content if it’s asked to. All that’s happening here is a middleman (BlackBerry) being bypassed. Maybe BlackBerry is upset because this method doesn’t give it warm feelings and a pat on the back by law enforcement for being Stand Up Guys.

And while the assurance that BlackBerry doesn’t insert backdoors into its products is nice to hear, it’s ultimately meaningless when its CEO has stated he’s willing to come ’round back with the master key if law enforcement wants to take a look around.

All this statement does is assure the very people CEO John Chen said the company has no interest in protecting (“criminals”) that its phones are still safe to use in organized criminal efforts.

Companies: blackberry


Comments on “BlackBerry — Which Said It Wouldn't Protect Criminals — Assures Criminals Its Phones Are Still Secure”

34 Comments
Ehud Gavron (profile) says:

Awesome

That’s really awesome, that a formerly-relevant now disregarded manufacturer of nobody-uses phones said something.

Blackberry was an important part of history. I will miss their pansy-ass way of giving foreign governments and security agencies access to their never-proven-private encryption.

Stay down, Blackberry. You give rimjob a bad name.

E

That One Guy (profile) says:

Seems to me they’re trying to have it both ways, telling the public and the politicians/police very different things.

The public is assured that there are no backdoors in their products, and their devices are secure, such that if police are able to bypass the security measures it’s only thanks to things outside their control.

Politicians and police on the other hand are assured that the company is more than willing to hand over any and all personal data from the devices owned by ‘criminals’, and that the company is absolutely against encryption that would prohibit them from doing so.

One group is almost certainly being lied to, and past actions by the company strongly suggest that it’s the public.

The company has shown a willingness in the past to bypass their own encryption in order to give access to government agencies, making their priorities with regards to ‘customer privacy’ clear, so while they’re likely honest when they assure politicians that they have no interest in ‘protecting criminals’, their claims that they care about the privacy and security of their customers is almost certainly little more than empty words to con people into using the company’s products.

tqk (profile) says:

Re: Bafflegab! :-)

Seems to me they’re trying to have it both ways, telling the public and the politicians/police very different things.

You underestimate the power of bafflegab. I define the meaning of that pseudo-word along the lines of “least untruthful answer.”

I expect BB’s telling the truth, but not all of it. BBs are secure, until the LEOs show up complaining about criminality. Then, BB installs a back door of some sort, keypad reader perhaps, on that phone as part of a software update. Voila!

BB’s been very upfront about not wanting to help criminals so I doubt they bother with niggling details like warrants ’cause they don’t have to. Problem easily solved.

DannyB (profile) says:

BlackBerry known to be insecure for at least 5 years

Two examples:

BlackBerry ban lifted in Saudi Arabia

http://www.theguardian.com/technology/2010/aug/10/blackberry-saudi-arabia-ban-lifted

BlackBerry bows to Saudi Arabia

http://www.theregister.co.uk/2010/08/09/rim_saudi_arabia/

Just one quote:

Authorities in Saudi Arabia had said some BlackBerry Messenger services would be blocked from Friday, 6 August, citing security fears about the way the Canadian technology firm encrypts personal data on its devices.

So we know BlackBerry has been known to bend over for countries with dubious human rights records for at least five years. Why wouldn’t you think they would also bend over for other bad parties: China, Russia, the NSA, CIA, FBI, and even local law enforcement.

No wonder the president of the US is forced to use a BlackBerry against his wishes. The choice of the people’s regimes everywhere.

Eldakka (profile) says:

Re: Re: BlackBerry known to be insecure for at least 5 years

Large organisations (large enterprises, government agencies and so on) that use BlackBerries install their own Blackberry Enterprise Server (BES).

Blackberry the company doesn’t have access to these BES servers. It is these servers that control and funnel the encryption between the users of blackberry devices connected to the same BES server. Each ‘owner’ of the BES server sets it up and initiates the encryption, keys, and so on. But the administrators of these BES servers CAN decrypt the communications between ‘their’ blackberry handsets, as they hold the master keys. That way, a 3rd-party (defined as someone outside the organization who owns the BES, including BlackBerry itself) cannot decrypt communications (without hacking the BES server etc). But the organization itself who owns the local BES can decrypt its employees’ communications.

There are ‘public’ BES servers, these are owned and operated by BlackBerry. These public servers are what are used if someone just goes and buys a blackberry off the shelf and uses it on the ‘public’ mobile network. It is THESE that BlackBerry can decrypt, since they are the owners and operators of the public BES servers and hence hold the keys. However BlackBerry cannot decrypt the communications of those who purchase, install, operate and use their own BES servers, as they don’t have the keys for those.

Of course, this assumes the operators of the BES servers don’t leave the default keys/passwords in place and actually take the time to properly set up and secure the BES server and the master keys 😉

Anonymous Coward says:

Re: BlackBerry known to be insecure for at least 5 years

I’m sure the POTUS “uses” one in the hope that others will follow his lead (however, most people are not idiotic enough to do such a thing).

Regardless, this from The Guardian:

“…An RIM spokeswoman declined to comment.

The manufacturer had earlier said that “any claims we provide, or have ever provided, something unique to the government of one country that we have not offered to the governments of all countries, are unfounded”…”

Which obviously means “we offer the same compromise to the governments of all countries”.

Billy says:

Security and Social Responsibility

After a quick discussion with my 12 year old kid about Security and Social Responsibility relating to Apple’s “Brand protection”, my kid was the first to dump her iPhone and iPad, followed by the rest of our family and friends. We now view Apple as an Immoral and Criminal organization.

That One Guy (profile) says:

Re: Security and Social Responsibility

… what?

If you’re talking about Apple’s actions as mentioned in the article, the Blackberry CEO was taking cheap shots at them for their encryption-by-default stance, which is a good thing for tech companies to adopt, as better encryption protects far more ‘good’ people than ‘bad’.

As for Apple’s refusal to decrypt the device relating to that case, both the company and the public are better off from their having done so. The company is better off as it allows them to demonstrate that they care enough about their customers’ privacy to go to court for it, even against the DOJ, while the public is better off as forcing the ones wishing to perform the search to get a warrant and apply it to the owner of the data stops the police and government agencies from side-stepping laws against self-incrimination and unreasonable searches.

Anonymous Coward says:

Either phrasing works, for different reasons...

Furthermore, there are no backdoors that we know of in any BlackBerry devices, …

… since the last time we audited our software, and to the extent of our engineers’ expertise.

Furthermore, there are no backdoors in any BlackBerry devices that we know of, …

… that we’ve been able to examine. But, you know, we haven’t seen the ones the RCMP and the Dutch tore apart, so there is that.

Anonymous Coward says:

Remember Blackberry in India?

Wasn’t it just 2 or 3 years ago that India wanted access to communications across Blackberry phones and Blackberry said they couldn’t provide it. Next thing you hear is that India and Blackberry have some agreement. So I am not sure Blackberry has ever been as secure as they claim. I think they have always had their own back door.

Eldakka (profile) says:

Re: Remember Blackberry in India?

There are 2 types of BES servers, ‘public’, which are owned and operated by BlackBerry, and private, which are purchased from BlackBerry and owned and operated by private organisations. BlackBerry can access and decrypt communications that use the public BES servers, as BlackBerry manages those and holds the keys. However, BlackBerry cannot decrypt communications that use the private BES servers, unless the administrators of those servers do it or provide the master keys of those servers.

It is these public BES servers that BlackBerry has agreed to decrypt for the Indian government, not the privately owned and operated BES servers.

Anonymous Coward says:

Re: Re: Remember Blackberry in India?

BlackBerry cannot decrypt communications that use the private BES servers, unless the administrators of those servers do it or provide the master keys of those servers

And this comes from which source? Blackberry?

You see, a backdoor doesn’t need master keys.
That’s why they call it a backdoor…

Anonymous Coward says:

It’s so painfully obvious that these Blackberry devices, like Apple’s, share data with feds utilizing pre-compromised hardware, and the illusion that the tech/fed alliance has been foisting upon the press (i.e. “there is no cooperation of that type”) is simply falling apart in the way one might expect it would (embarrassingly).

And fall apart it should.

Myntex says:

At the time these encrypted emails were decrypted it was due to negligent encryption processes by a particular security provider, no fault of the device itself.

BlackBerry will obviously listen to a court order, however they do walk a thin line… Ensuring your devices are secure as well as complying with law enforcement is a tricky balancing act.

If they themselves have no way to get into an encrypted phone (Which is the case) then when law enforcement subpoenas them they don’t really have any information to give.. Which therefore does protect its users. (This is a good thing)

Any company that deals with security is obligated to ensure no one can access files or information they deem “secure”, even if someone is them.

I’m still giving BlackBerry kudos for playing both sides, and keeping our devices secure.
