Canadian Law Enforcement Can Intercept, Decrypt Blackberry Messages

from the so-much-for-the-one-thing-Blackberry-used-to-have-going-for-it... dept

Blackberry's CEO, John Chen, didn't care for the fact that Apple was "locking" law enforcement out of its devices by providing customers with default encryption. As he saw it, Apple was placing profits ahead of Mom, Apple pie and American-made motorcars.

For years, government officials have pleaded to the technology industry for help yet have been met with disdain. In fact, one of the world's most powerful tech companies recently refused a lawful access request in an investigation of a known drug dealer because doing so would "substantially tarnish the brand" of the company. We are indeed in a dark place when companies put their reputations above the greater good.
Chen refused to "extend privacy to criminals." How he had any way of knowing who was or wasn't a criminal at the point of sale was not detailed in his rant.

Then news surfaced that Dutch law enforcement could bypass Blackberry encryption with seeming impunity. At that point, Blackberry became defensive about its new stature as the least secure smartphone option. It claimed in a blog post that its stock phones were not open books for the world's law enforcement agencies. Despite promising earlier that the company would not aid criminals in keeping their secrets from law enforcement, Blackberry heatedly claimed its devices were secure as ever -- even in the hands of criminals.
[T]here are no backdoors in any BlackBerry devices, and BlackBerry does not store and therefore cannot share BlackBerry device passwords with law enforcement or anyone else.
Ah, but there is a backdoor. A big one. And it's on the opposite side of the "house." Motherboard is reporting that the Royal Canadian Mounted Police are able to access unencrypted communications thanks to the Blackberry's built-in "feature."
Imagine for a moment that everybody's front door has the same key. Now imagine that the police have a copy of that key, and can saunter into your living room to poke around your belongings while you're out, and without your knowledge.

By way of metaphor, this is exactly how the Royal Canadian Mounted Police, Canada's federal police force, intercepted and decrypted "over one million" BlackBerry messages during an investigation into a mafia slaying, called "Project Clemenza," that ran between 2010 and 2012.
Citizen Lab privacy expert Christopher Parsons backs up Motherboard's analogy. [emphasis in the original]
In addition to routing and compressing data traffic, RIM's service offerings also include a measure of security in excess of the practices adopted by their competitors. BBM, as an example, is encrypted. However, it is encrypted using a global key. RIM has written that,

"The BlackBerry device scrambles PIN messages using the PIN encryption key. By default, each BlackBerry device uses a global PIN encryption key, which allows the BlackBerry device to decrypt every PIN message that the BlackBerry device receives."

This means that RIM can decrypt consumers' messages that are encrypted with the global key. Consumer devices include all RIM offerings that are not integrated with a BlackBerry Enterprise Server (BES). The BES lets administrators change the encryption key, which prevents RIM from using the global decryption key to get at the plaintext of BES-secured communication.
Blackberry may be technically correct when it asserts it has no access to user passwords. But that hardly matters when it holds the key that can decrypt any BBM communications that pass through its service (with the exception of administrator-level business accounts). This single key's access to unencrypted communications is likely what allowed (and possibly still allows) the RCMP to obtain plaintext messages.
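
To make the consequence of one shared key concrete, here is an added sketch (not code from this article, Citizen Lab or BlackBerry) that seals constructed messages under a constructed global key and under a separate organisation-set key, then shows what a holder of the global key recovers from observed traffic. The cipher is a stand-in built from HMAC-SHA256, not the algorithm BlackBerry used; `GLOBAL_KEY`, `BES_KEY` and all function names are assumptions.

```python
import hashlib
import hmac
import os

def _derive(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a stand-in cipher, not BlackBerry's real one."""
    nonce = os.urandom(16)
    stream = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if `key` is not the key that sealed it."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    stream = _keystream(_derive(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

# Constructed keys: one shared by every consumer handset, one set by a BES admin.
GLOBAL_KEY = hashlib.sha256(b"constructed global PIN key").digest()
BES_KEY = hashlib.sha256(b"constructed key chosen by one organisation").digest()

def readable_by(key: bytes, captured: dict) -> dict:
    """What a party holding `key` recovers from traffic it merely observed."""
    return {who: unseal(key, blob) for who, blob in captured.items()}

def exposure() -> dict:
    captured = {  # constructed sample traffic, as seen on the wire
        "consumer A -> B": seal(GLOBAL_KEY, b"meet at noon"),
        "consumer C -> D": seal(GLOBAL_KEY, b"call me later"),
        "BES user E -> F": seal(BES_KEY, b"quarterly numbers attached"),
    }
    return readable_by(GLOBAL_KEY, captured)

if __name__ == "__main__":
    for who, text in exposure().items():
        print(f"{who}: {text!r}")
```

Every consumer message opens with the one global key regardless of sender or recipient, while the message sealed under the organisation's own key yields nothing.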

According to the documents obtained by Motherboard, the RCMP appears to be using some sort of Stingray-but-for-BBM technology to intercept and decrypt messages.
The RCMP maintains a server in Ottawa that "simulates a mobile device that receives a message intended for [the rightful recipient]." In an affidavit, RCMP sergeant Patrick Boismenu states that the server "performs the decryption of the message using the appropriate decryption key." The RCMP calls this the "BlackBerry interception and processing system."
By inserting itself into the middle of communications, the RCMP can intercept the messages. Access to the Golden Key ensures they can be read. The conclusion reached by both the defense team and the judge presiding over the case? The RCMP has Blackberry's global encryption key.
The defence in the case surmised that the RCMP must have used the "correct global encryption key," since any attempt to apply a key other than BlackBerry's own global encryption key would have resulted in a garbled mess. According to the judge, "all parties"—including the Crown—agree that "the RCMP would have had the correct global key when it decrypted messages during its investigation."
Unfortunately, there aren't many more details. Many of the documents related to this case remain under seal and the RCMP certainly isn't going to discuss its interception/decryption secrets if it doesn't have to. It could very well be that it demanded (and obtained) the key from Blackberry, much in the way the FBI demanded Lavabit's SSL key. If so, Blackberry was far more cooperative than Lavabit, which chose to shut down the service rather than allow the government to have total access. (And it has been hinted by the DOJ that this sort of request may be headed Apple's way if it continues to fight its All Writs orders.)

Somewhat ironically, the RCMP acknowledged in court that outing a cellphone provider as Junior G-Men would probably tarnish Blackberry's reputation -- basically the same thing Blackberry CEO John Chen claimed was the height of Apple impudence.
RCMP inspector Mark Flynn testified in a heavily redacted transcript that BlackBerry "facilitated the interception process," however, Flynn also stated that facilitation could mean mere information sharing or a physical action to aid interception.

Flynn further testified that revealing the key would jeopardize the RCMP's working relationship with BlackBerry, and harm BlackBerry itself, since "it is not a good marketing thing to say we work with the police."
The question now is whether the RCMP still has this level of access. To cut off the RCMP, Blackberry would have needed to alter the global decryption key -- something that would have required "a massive update... on [a] per-handset basis," according to Citizen Lab's Christopher Parsons. And if Canada's law enforcement has it (or had it), odds are law enforcement agencies in other countries had similar access. Investigators may not be keen to expose techniques in court or in released documents, but they're usually pretty good about sharing this info with like-minded law enforcement agencies.


Reader Comments


  • Anonymous Coward, 15 Apr 2016 @ 8:52am

    I seem to recall...

    ...hearing of Blackberry; didn't they used to be a company or something?

    • Anonymous Coward, 15 Apr 2016 @ 12:41pm

      Re: I seem to recall...

      >...hearing of Blackberry; didn't they used to be a company or something?

      I think more like a subsidiary of Indian Intelligence? I remember reading an article about that somewhere!

      Also, I love all this 'for the greater good' talk. Reminds me of pro-genocidal arguments. At least he didn't say 'Unamerican'.

  • Anonymous Coward, 15 Apr 2016 @ 8:53am

    Interesting, so the statements of a corporate officer truthfully reflect their actual policies.

  • AricTheRed, 15 Apr 2016 @ 9:01am

    Canadian Law Enforcement Can Intercept, Decrypt Blackberry Messages!

    Canadian Law Enforcement Can Intercept, Decrypt Blackberry Messages!!!

    They got both of them...

  • Dan J., 15 Apr 2016 @ 9:02am

    Clinton and Obama

    Why do you think the government agents in the know were pushing so hard for Obama and Hillary Clinton to get rid of their Blackberrys?

  • Anonymous Coward, 15 Apr 2016 @ 9:05am

    "We don't have a backdoor - only a master key." - Blackberry.

  • SpaceLifeForm, 15 Apr 2016 @ 9:05am

    So, does Obama text?

    Is he sure that the NSA
    really locked down his phone?

  • James Burkhardt, 15 Apr 2016 @ 9:07am

    I am going to bet the US knows about this pin too, which is why Clinton was denied a Blackberry. They said it was insecure at scale, and it is.

  • Anonymous Coward, 15 Apr 2016 @ 9:21am

    Blackberry would have needed to alter the global decryption key -- something that would have required "a massive update... on [a] per-handset basis,"

    A massive update is an understatement.
    As messaging is not real time interactive, which key to use cannot be negotiated. Therefore until all phones have the new key, nobody can use it for reliable messaging.
    This is a problem with all such golden key/backdoor systems: updating to remove any compromise is an extremely difficult operation, especially as phones may be off the network for considerable periods of time, the owner abroad, in hospital or any such reason that keeps the phone off of the network for a prolonged period.

  • DannyB, 15 Apr 2016 @ 9:34am

    Working With the Police is Bad Marketing?

    If saying you work with the police is bad marketing, then whose fault is that?

    The Police! That's who.

    Once upon a time, it would simply go unsaid that you work with law enforcement. In fact, working against law enforcement would be seen negatively.

    The fact that it is now a marketing feature to safeguard you from abusive law enforcement is the best evidence that something is deeply wrong in law enforcement. At all levels.

  • Anonymous Coward, 15 Apr 2016 @ 10:02am

    If the RCMP have it

    Then CSIS has it.
    If CSIS has it the five eyes have it.
    Ergo - Assume all intelligence agencies have it.
    The only thing a blackberry may be good for now is
    RIM's burial marker.

  • Anonymous Coward, 15 Apr 2016 @ 12:41pm

    Remember India & Blackberry?

    This doesn't surprise me. Remember a couple years ago when India wanted access to Blackberry messages? Blackberry claimed they couldn't give access. Then suddenly they reached a deal but nothing was ever made of that. I knew right then that Blackberry was lying and had given India access. Since then who knows how many countries have been given access.

  • Ninja, 15 Apr 2016 @ 12:49pm

    What's Blackberry?

    Ahem. If for the company alone it wouldn't matter ;~)

  • Anonymous Coward, 15 Apr 2016 @ 1:56pm

    That's easy: a criminal is anyone that does not provide a clear benefit to Chen's bank account.

  • Lawrence D’Oliveiro, 15 Apr 2016 @ 4:03pm

    Don’t Confuse BIS With BES

    BlackBerry operates two different kinds of messaging service: BlackBerry Internet Server (BIS) and BlackBerry Enterprise Server (BES).

    BES is the one where businesses set up their own servers, with their own encryption keys. BlackBerry is supposed to have no access to these (as reported previously—but then there’s this). BIS is the one accessed by ordinary individual customers, where the encryption is done on BlackBerry’s own servers.

    The latter has been pretty much wide open to the authorities from day one. This report is specifically about BIS, so there is really nothing new here.

  • Anonymous Coward, 15 Apr 2016 @ 4:36pm

    It should be renamed as Blackhatberry.

  • D Fitzgerald, 17 Apr 2016 @ 5:41pm

    Meaning all of the '5 eyes' countries had it too...

    Meaning that - in all of the cases before the courts - which are based on BB cell phone evidence - in any of these countries - can and will be challenged. Nice going coppers!
    I wonder what this will cost us taxpayers...

  • Anonymous Coward, 20 Apr 2016 @ 11:00am

    How many terrorists use Blackberry? :)

  • FxckFxcx, 29 Apr 2016 @ 11:32pm

    Bio centric metric exploited data

    Any all users of Facebook work for free for any all things related to law enforcement and government fraud and commercial gain from exploited technological user data

    "God Satan and the RCMP"

    ?

    Kanaskis
