BlackBerry — Which Said It Wouldn't Protect Criminals — Assures Criminals Its Phones Are Still Secure
from the organized-criminal-activity-still-a-go dept
Bad news for BlackBerry. Its PGP phones — considered much more secure than its off-the-shelf versions — are compromised. On January 11th, Motherboard reported that Dutch law enforcement officials claimed to be able to bypass/crack the phones’ encryption.
Dutch investigators have confirmed to Motherboard that they are able to read encrypted messages sent on PGP BlackBerry phones—custom, security-focused BlackBerry devices that come complete with an encrypted email feature, and which reportedly may be used by organized criminal groups.
“We are capable of obtaining encrypted data from BlackBerry PGP devices,” Tuscha Essed, a press officer from the Netherlands Forensic Institute (NFI), told Motherboard in an email.
Never mind the “reportedly may be used by organized criminal groups.” That’s something any law enforcement agency would say when describing its ability to crack open phones and pull out contents presumed to be protected by the device. There are privacy concerns that need to be addressed — along with concerns about how these devices are searched — and claiming Device X is “reportedly” used by Unnamed Criminal Organization Y is a simple way of sidestepping these uncomfortable questions.
One day later, Motherboard reported Canadian law enforcement could also circumvent the PGP phones’ built-in protections.
“This encryption was previously thought to be undefeatable,” one 2015 court document in a drug trafficking case reads, referring to the PGP encryption used to secure messages on a BlackBerry device. “The RCMP technological laboratory destroyed this illusion and extracted from this phone 406 e-mails, 25 address book entries and other information all of which had been protected.”
In another case from 2015, centering around charges of kidnap and assault, three out of four BlackBerrys seized by the RCMP were analysed by the “Technical Assistance Team in Ottawa and the contents were decrypted and reports prepared.”
Other law enforcement agencies have refused to confirm or deny their ability to crack BlackBerry phones for obvious reasons. No sense in tipping off “organized criminal groups” that their encrypted communication devices are considered open books by Local Law Enforcement Agency Z.
BlackBerry has fired back, claiming its phones are still as secure as ever.
There have been recent media reports that police-affiliated groups in the Netherlands have been able to ‘crack’ the encryption protecting e-mails and other data that are stored on BlackBerry devices.
BlackBerry does not have any details on the specific device or the way that it was configured, managed or otherwise protected, nor do we have details on the nature of the communications that are claimed to have been decrypted.
If such an information recovery did happen, access to this information from a BlackBerry device could be due to factors unrelated to how the BlackBerry device was designed, such as user consent, an insecure third party application, or deficient security behavior of the user.
Furthermore, there are no backdoors in any BlackBerry devices, and BlackBerry does not store and therefore cannot share BlackBerry device passwords with law enforcement or anyone else.
While there could be some truth to BlackBerry’s assertions, one wonders why it even cares. After all, its own CEO went after Apple for “locking out” law enforcement with its encryption-by-default design.
For years, government officials have pleaded to the technology industry for help yet have been met with disdain. In fact, one of the world’s most powerful tech companies recently refused a lawful access request in an investigation of a known drug dealer because doing so would “substantially tarnish the brand” of the company. We are indeed in a dark place when companies put their reputations above the greater good. At BlackBerry, we understand, arguably more than any other large tech company, the importance of our privacy commitment to product success and brand value: privacy and security form the crux of everything we do. However, our privacy commitment does not extend to criminals.
CEO John Chen openly stated BlackBerry will not protect criminals. If law enforcement agencies are able to bypass the security in PGP phones, they’re presumably doing so to capture criminals. Applied to Chen’s Apple-bashing statement, this isn’t a flaw in the encryption. It’s serendipity. BlackBerry will help law enforcement access your phone’s content if it’s asked to. All that’s happening here is a middleman (BlackBerry) being bypassed. Maybe BlackBerry is upset because this method doesn’t give it warm feelings and a pat on the back from law enforcement for being Stand Up Guys.
And while the assurance that BlackBerry doesn’t insert backdoors into its products is nice to hear, it’s ultimately meaningless when its CEO has stated he’s willing to come ’round back with the master key if law enforcement wants to take a look around.
All this statement does is assure the very people CEO John Chen said the company has no interest in protecting (“criminals”) that its phones are still safe to use in organized criminal efforts.