BlackBerry -- Which Said It Wouldn't Protect Criminals -- Assures Criminals Its Phones Are Still Secure

from the organized-criminal-activity-still-a-go dept

Bad news for BlackBerry. Its PGP phones -- considered much more secure than its off-the-shelf versions -- are compromised. On January 11th, Motherboard reported that Dutch law enforcement officials claimed to be able to bypass/crack the phones' encryption.

Dutch investigators have confirmed to Motherboard that they are able to read encrypted messages sent on PGP BlackBerry phones—custom, security-focused BlackBerry devices that come complete with an encrypted email feature, and which reportedly may be used by organized criminal groups.

“We are capable of obtaining encrypted data from BlackBerry PGP devices,” Tuscha Essed, a press officer from the Netherlands Forensic Institute (NFI), told Motherboard in an email.

Never mind the "reportedly may be used by organized criminal groups." That's something any law enforcement agency would say when describing its ability to crack open phones and pull out contents presumed to be protected by the device. There are privacy concerns that need to be addressed -- along with concerns about how these devices are searched -- and claiming Device X is "reportedly" used by Unnamed Criminal Organization Y is a simple way of sidestepping these uncomfortable questions.

One day later, Motherboard reported Canadian law enforcement could also circumvent the PGP phones' built-in protections.

“This encryption was previously thought to be undefeatable,” one 2015 court document in a drug trafficking case reads, referring to the PGP encryption used to secure messages on a BlackBerry device. “The RCMP technological laboratory destroyed this illusion and extracted from this phone 406 e-mails, 25 address book entries and other information all of which had been protected.”

In another case from 2015, centering around charges of kidnap and assault, three out of four BlackBerrys seized by the RCMP were analysed by the “Technical Assistance Team in Ottawa and the contents were decrypted and reports prepared.”

Other law enforcement agencies have refused to confirm or deny their ability to crack BlackBerry phones for obvious reasons. No sense in tipping off "organized criminal groups" that their encrypted communication devices are considered open books by Local Law Enforcement Agency Z.

BlackBerry has fired back, claiming its phones are still as secure as ever.

There have been recent media reports that police-affiliated groups in the Netherlands have been able to ‘crack’ the encryption protecting e-mails and other data that are stored on BlackBerry devices.

BlackBerry does not have any details on the specific device or the way that it was configured, managed or otherwise protected, nor do we have details on the nature of the communications that are claimed to have been decrypted.

If such an information recovery did happen, access to this information from a BlackBerry device could be due to factors unrelated to how the BlackBerry device was designed, such as user consent, an insecure third party application, or deficient security behavior of the user.

Furthermore, there are no backdoors in any BlackBerry devices, and BlackBerry does not store and therefore cannot share BlackBerry device passwords with law enforcement or anyone else.

While there could be some truth to BlackBerry's assertions, one wonders why it even cares. After all, its own CEO went after Apple for "locking out" law enforcement with its encryption-by-default design.

For years, government officials have pleaded to the technology industry for help yet have been met with disdain. In fact, one of the world’s most powerful tech companies recently refused a lawful access request in an investigation of a known drug dealer because doing so would “substantially tarnish the brand” of the company. We are indeed in a dark place when companies put their reputations above the greater good. At BlackBerry, we understand, arguably more than any other large tech company, the importance of our privacy commitment to product success and brand value: privacy and security form the crux of everything we do. However, our privacy commitment does not extend to criminals.

CEO John Chen openly stated BlackBerry will not protect criminals. If law enforcement agencies are able to bypass the security in PGP phones, they're presumably doing so to capture criminals. Applied to Chen's Apple-bashing statement, this isn't a flaw in the encryption. It's serendipity. BlackBerry will help law enforcement access your phone's content if it's asked to. All that's happening here is a middleman (BlackBerry) being bypassed. Maybe BlackBerry is upset because this method doesn't give it warm feelings and a pat on the back by law enforcement for being Stand Up Guys.

And while the assurance that BlackBerry doesn't insert backdoors into its products is nice to hear, it's ultimately meaningless when its CEO has stated he's willing to come 'round back with the master key if law enforcement wants to take a look around.

All this statement does is assure the very people CEO John Chen said the company has no interest in protecting ("criminals") that its phones are still safe to use in organized criminal efforts.


Reader Comments


  •
    Ehud Gavron (profile), 19 Jan 2016 @ 3:52am

    Awesome

    That's really awesome, that a formerly-relevant now disregarded manufacturer of nobody-uses phones said something.

    Blackberry was an important part of history. I will miss their pansy-ass way of giving foreign governments and security agencies access to their never-proven-private encryption.

    Stay down, Blackberry. You give rimjob a bad name.

    E

  •
    That One Guy (profile), 19 Jan 2016 @ 5:04am

    Seems to me they're trying to have it both ways, telling the public and the politicians/police very different things.

    The public is assured that there are no backdoors in their products, and their devices are secure, such that if police are able to bypass the security measures it's only thanks to things outside their control.

    Politicians and police on the other hand are assured that the company is more than willing to hand over any and all personal data from the devices owned by 'criminals', and that the company is absolutely against encryption that would prohibit them from doing so.

    One group is almost certainly being lied to, and past actions by the company strongly suggest that it's the public.

    The company has shown a willingness in the past to bypass their own encryption in order to give access to government agencies, making their priorities with regards to 'customer privacy' clear, so while they're likely honest when they assure politicians that they have no interest in 'protecting criminals', their claims that they care about the privacy and security of their customers is almost certainly little more than empty words to con people into using the company's products.

    •
      tqk (profile), 19 Jan 2016 @ 10:11am

      Bafflegab! :-)

      Seems to me they're trying to have it both ways, telling the public and the politicians/police very different things.

      You underestimate the power of bafflegab. I define the meaning of that pseudo-word along the lines of "least untruthful answer."

      I expect BB's telling the truth, but not all of it. BBs are secure, until the LEOs show up complaining about criminality. Then, BB installs a back door of some sort, keypad reader perhaps, on that phone as part of a software update. Voila!

      BB's been very upfront about not wanting to help criminals so I doubt they bother with niggling details like warrants 'cause they don't have to. Problem easily solved.

  •
    TechDescartes (profile), 19 Jan 2016 @ 6:58am

    And That's What You Call...

    ...a rimshot.

  •
    Ninja (profile), 19 Jan 2016 @ 6:59am

    Oh, Blackberry still exists. I thought they were gone. That said, I'd think criminals using Blackberry phones are a topic for the other Tim under the "Dumb criminal" headline, no?

    •
      JBDragon (profile), 19 Jan 2016 @ 8:49am

      Re:

      Well BlackBerry the OS is done for as soon as they released an Android phone, the PRIV. With plans to release more in the future. Who in their right mind would have any faith in BlackBerry at that point?

  •
    Anonymous Coward, 19 Jan 2016 @ 7:06am

    I wonder...

    Who decides that anyone is a criminal?

    Blackberry?
    The police?
    The Nine System Administrators?

  •
    DannyB (profile), 19 Jan 2016 @ 7:36am

    BlackBerry known to be insecure for at least 5 years

    Two examples:

    BlackBerry ban lifted in Saudi Arabia

    http://www.theguardian.com/technology/2010/aug/10/blackberry-saudi-arabia-ban-lifted

    BlackBerry bows to Saudi Arabia

    http://www.theregister.co.uk/2010/08/09/rim_saudi_arabia/

    Just one quote:
    Authorities in Saudi Arabia had said some BlackBerry Messenger services would be blocked from Friday, 6 August, citing security fears about the way the Canadian technology firm encrypts personal data on its devices.

    So we know BlackBerry has been known to bend over for countries with dubious human rights records for at least five years. Why wouldn't you think they would also bend over for other bad parties: China, Russia, the NSA, CIA, FBI, and even local law enforcement?

    No wonder the president of the US is forced to use a BlackBerry against his wishes. The choice of the people's regimes everywhere.

    •
      Anonymous Coward, 19 Jan 2016 @ 8:45am

      Re: BlackBerry known to be insecure for at least 5 years

      My thought on why government uses BlackBerries is because they ARE willing to backdoor their product. Otherwise I can't imagine how they are still in business.

      •
        Eldakka (profile), 19 Jan 2016 @ 3:23pm

        Re: Re: BlackBerry known to be insecure for at least 5 years

        Large organisations (large enterprises, government agencies and so on) that use BlackBerries install their own Blackberry Enterprise Server (BES).

        Blackberry the company doesn't have access to these BES servers. It is these servers that control and funnel the encryption between the users of blackberry devices connected to the same BES server. Each 'owner' of the BES server sets it up and initiates the encryption, keys, and so on. But the administrators of these BES servers CAN decrypt the communications between 'their' blackberry handsets, as they hold the master keys. That way, a 3rd-party (defined as someone outside the organization who owns the BES, including BlackBerry itself) cannot decrypt communications (without hacking the BES server etc). But the organization itself who owns the local BES can decrypt its employees' communications.

        There are 'public' BES servers, these are owned and operated by BlackBerry. These public servers are what are used if someone just goes and buys a blackberry off the shelf and uses it on the 'public' mobile network. It is THESE that BlackBerry can decrypt, since they are the owners and operators of the public BES servers and hence hold the keys. However BlackBerry cannot decrypt the communications of those who purchase, install, operate and use their own BES servers, as they don't have the keys for those.

        Of course, this assumes the operators of the BES servers don't leave the default keys/passwords in place and actually take the time to properly set up and secure the BES server and the master keys ;)

        •
          klaus (profile), 20 Jan 2016 @ 1:30am

          Re: Re: Re: BlackBerry known to be insecure for at least 5 years

          Interesting. So the likely explanation behind this story is that the Dutch & Canadians simply went to the public BES admins (presumably with warrants) and got them to decrypt the phones.

          Quite simple really.

        •
          Anonymous Coward, 20 Jan 2016 @ 1:12pm

          Re: Re: Re: BlackBerry known to be insecure for at least 5 years

          Who owns/controls the master key is not relevant: it only unlocks the front door.

          The idea of a back door is to facilitate access to the data without having the master key.

    •
      tqk (profile), 19 Jan 2016 @ 10:17am

      Re: BlackBerry known to be insecure for at least 5 years

      No wonder the president of the US is forced to use a BlackBerry against his wishes.

      What?!? The way I remember it is he was forced to stop using his BB once elected, until they provided one sufficiently hardened to satisfy the Secret Service.

    •
      Anonymous Coward, 19 Jan 2016 @ 3:08pm

      Re: BlackBerry known to be insecure for at least 5 years

      I'm sure the POTUS "uses" one in the hope that others will follow his lead (however, most people are not idiotic enough to do such a thing).

      Regardless, this from The Guardian:

      "...An RIM spokeswoman declined to comment.

      The manufacturer had earlier said that "any claims we provide, or have ever provided, something unique to the government of one country that we have not offered to the governments of all countries, are unfounded"..."

      Which obviously means "we offer the same compromise to the governments of all countries".

    •
      Well-Actually, 20 Jan 2016 @ 9:13pm

      Re: BlackBerry known to be insecure for at least 5 years

      Just so you know. The blackberry the US president had was NOT a standard blackberry.

      You can't buy the phone, other connecting hardware or custom software.

      One could argue that the blackberry is far from being a... blackberry.

  •
    crade (profile), 19 Jan 2016 @ 8:06am

    The Netherlands is one of the countries that actually came out publicly against any backdoor requirements. Apparently they are confident enough in their ability that they don't need to cheat!

    •
      Anonymous Coward, 19 Jan 2016 @ 8:40am

      Re:

      Why would they need to? They can probably just ask for access and get it in most cases.

      •
        crade (profile), 19 Jan 2016 @ 10:11am

        Re: Re:

        Ask for access from who? The people they are trying to convict? Obviously this would be kept in reserve for that rare case when they are not inclined to help with the investigation for some weird reason :)

  •
    Anonymous Coward, 19 Jan 2016 @ 8:25am

    Wait... people still use Blackberrys?

  •
    Billy, 19 Jan 2016 @ 8:46am

    Security and Social Responsibility

    After a quick discussion with my 12 year old kid about Security and Social Responsibility relating to Apple's "Brand protection", my kid was the first to dump her iPhone and iPad followed by the rest of our family and friends. We now view Apple as an Immoral and Criminal organization.

    •
      That One Guy (profile), 19 Jan 2016 @ 9:10am

      Re: Security and Social Responsibility

      ... what?

      If you're talking about Apple's actions as mentioned in the article, the Blackberry CEO was taking cheap shots at them for their encryption-by-default stance, which is a good thing for tech companies to adopt, as better encryption protects far more 'good' people than 'bad'.

      As for Apple's refusal to decrypt the device relating to that case, both the company and the public are better off from their having done so. The company is better off as it allows them to demonstrate that they care enough about their customer's privacy to go to court for it, even against the DOJ, while the public is better off as forcing the ones wishing to perform the search to get a warrant and apply it to the owner of the data stops the police and government agencies from side-stepping laws against self-incrimination and unreasonable searches.

    •
      Anonymous Coward, 19 Jan 2016 @ 1:34pm

      Re: Security and Social Responsibility

      What? Whoever you've listened to regarding Apple and encryption? Stop listening to them because they lied to you.

  •
    Anonymous Coward, 19 Jan 2016 @ 8:56am

    Either phrasing works, for different reasons...

    Furthermore, there are no backdoors that we know of in any BlackBerry devices, ...

    ... since the last time we audited our software, and to the extent of our engineers' expertise.

    Furthermore, there are no backdoors in any BlackBerry devices that we know of, ...

    ... that we've been able to examine. But, you know, we haven't seen the ones the RCMP and the Dutch tore apart, so there is that.

  •
    Anonymous Coward, 19 Jan 2016 @ 11:11am

    Remember Blackberry in India?

    Wasn't it just 2 or 3 years ago that India wanted access to communications across Blackberry phones and Blackberry said they couldn't provide it. Next thing you hear is that India and Blackberry have some agreement. So I am not sure Blackberry has ever been as secure as they claim. I think they have always had their own back door.

    •
      Eldakka (profile), 19 Jan 2016 @ 3:29pm

      Re: Remember Blackberry in India?

      There are 2 types of BES servers, 'public', which are owned and operated by BlackBerry, and private, which are purchased from BlackBerry and owned and operated by private organisations. BlackBerry can access and decrypt communications that use the public BES servers, as BlackBerry manages those and holds the keys. However, BlackBerry cannot decrypt communications that use the private BES servers, unless the administrators of those servers do it or provide the master keys of those servers.

      It is these public BES servers that BlackBerry has agreed to decrypt for the Indian government, not the privately owned and operated BES servers.

      •
        Anonymous Coward, 20 Jan 2016 @ 4:43am

        Re: Re: Remember Blackberry in India?

        BlackBerry cannot decrypt communications that use the private BES servers, unless the administrators of those servers do it or provide the master keys of those servers


        And this comes from which source? Blackberry?

        You see, a backdoor doesn't need master keys.
        That's why they call it a backdoor...

  •
    Anonymous Coward, 19 Jan 2016 @ 2:54pm

    It's so painfully obvious that these Blackberry devices, like Apple's, share data with feds utilizing pre-compromised hardware, and the illusion that the tech/fed alliance has been foisting upon the press (i.e. "there is no cooperation of that type") is simply falling apart in the way one might expect it would (embarrassingly).

    And fall apart it should.

  •
    Anonymous Coward, 20 Jan 2016 @ 7:53am

    If BBs were even trying to be private they would be nailgunned or gluegunned or defenestrated

  •
    FxckFxcx, 29 Apr 2016 @ 11:02pm

    Contorted and Twisted for Job Stability in the Judicial Branch

    Vote Trump and maybe Morpho will have some restrictions put into place to free up resources and develop a borderless world

  •
    Myntex, 26 Jun 2017 @ 4:41pm

    At the time these encrypted emails were decrypted it was due to negligent encryption processes by a particular security provider, no fault of the device itself.

    BlackBerry will obviously listen to a court order, however they do walk a thin line... Ensuring your devices are secure as well as complying with law enforcement is a tricky balancing act.

    If they themselves have no way to get into an encrypted phone (Which is the case) then when law enforcement subpoenas them they don't really have any information to give.. Which therefore does protect its users. (This is a good thing)

    Any company that deals with security is obligated to ensure no one can access files or information they deem "secure", even if someone is them.

    I'm still giving BlackBerry kudos for playing both sides, and keeping our devices secure.
