Desperate RIM Gives In And Lets Indian Gov't Spy On Blackberry Communications

from the impossible-doesn't-mean-what-it-used-to dept

Back in 2008, we wrote about how the Indian government was demanding that RIM let it snoop on encrypted messages from Blackberry users. RIM's response was that it was simply impossible to snoop on its enterprise customers' messages, since they set their own encryption keys. A few months later, the government claimed to have cracked RIM's encryption, though the whole claim was sketchy. In 2010, the government again demanded the right to spy on Blackberry users (raising more questions about that encryption cracking claim). RIM apparently offered up a "solution" that the Indian government rejected, because it didn't let them snoop enough (basically it allowed snooping on consumers, but not corporate accounts).

Now, however, there are reports that RIM has come up with a "solution" to let the Indian government spy on enterprise users as well:

"RIM recently demonstrated a solution developed by a firm called Verint that can intercept messages and emails exchanged between BlackBerry handsets, and make these encrypted communications available in a readable format to Indian security agencies, according to an exchange of communications between the Canadian company and the Indian government."

If you're a RIM Blackberry customer, and you bought into it because of the security features, now would be the point where you get pretty pissed off and start seeking alternatives. The report from the Economic Times suggests RIM did this because of the "importance" of the Indian market. RIM is clearly in trouble. Its failure to keep up on the innovation front means that the company is clearly struggling. But kowtowing to a government by allowing it to spy on users is hardly the sort of thing that's likely to get you more customers. It seems like it should do exactly the opposite.

Filed Under: blackberry, encryption, india, snooping
Companies: rim


Reader Comments


  1. Anonymous Coward, 3 Aug 2012 @ 2:32pm

    They'll get plenty of new customers

    It will just be the constituents of various governments that require the use of devices they can monitor. No shortage of authoritarian governments.

  2. sehlat, 3 Aug 2012 @ 2:43pm

    What's POTUS going to do?

    As I understand it, he got a special "super-secure" blackberry when he took office.

  3. Dave, 3 Aug 2012 @ 3:00pm

    Re: What's POTUS going to do?

    Which only the NSA, CIA, FBI, and Metro Police can monitor.

  4. Anonymous Coward, 3 Aug 2012 @ 3:20pm

    The way things are going now the only way to make sure the government can't spy on you is to ditch all cell phone equivalents, and other electronics you carry around with you, and make sure your computer has no Internet connection. Oh, and ditch your credit cards and bank accounts too.

    That's why RIM gave in, what safe alternate to protect you from government spying is there? Even Skype doesn't seem to be safe anymore.

  5. Anonymous Coward, 3 Aug 2012 @ 3:24pm

    and anyone with a laptop and some easy-to-obtain open source software that can smush Blackberry security within minutes.......that's able to get within 500 foot of the handset of course......

  6. AzureSky, 3 Aug 2012 @ 3:33pm

    Rim is dead....long live RIM....

    Note: I say this because many corporate users get RIM devices specifically due to their reputation for being secure....now that this is clearly no longer the case, I expect many to move to Android and just use apps said to be secure.

  7. Tim, 3 Aug 2012 @ 3:38pm

    Interesting technical implications

    I'm rather interested in the technical implications here, as this implies a major underlying flaw in the encryption RIM is using. It shouldn't be a trivial thing to break the level of encryption RIM uses without the keys. If I were still administrator for any BESs I'd be in the process of implementing the optional PGP encryption (assuming it wasn't on already) and setting the Blackberry Router on my devices to bypass SRP and connect directly to my BES; those steps should give users some protection, assuming of course that the actual attack resembles what is being described in news reports.

  8. RIM sells out, 3 Aug 2012 @ 4:05pm

    RIM was already losing space in the smartphone marketplace and layoffs abundant. Now allowing for snooping they have just killed themselves completely. A good Canadian company again killed off. RIM have fun in the unemployment line.

  9. Anonymous Coward, 3 Aug 2012 @ 4:33pm

    Re:

    Quite a bit. First of all, cell phones should require a warrant for a specific person or connection before you can 'monitor'.

    Same thing for internet connections.

    Same thing for credit cards and bank account (in this case, that is actually how it goes).

    Bottom line is that 'criminals' should not drive exceptions to our system of protections.

  10. Anonymous Coward, 3 Aug 2012 @ 5:04pm

    I wonder exactly how Verint's "solution" works? I'm guessing a firmware update that installs a rootkit like CarrierIQ.

  11. Anonymous Coward, 3 Aug 2012 @ 5:06pm

    Re:

    It would be easier to say that the way to ensure the gov't doesn't spy on us is to ditch all third party services and do everything ourselves. Given enough time, all these services will roll over and allow spying; see RIM for example.

  12. Anonymous Coward, 3 Aug 2012 @ 8:21pm

    "If you're a RIM Blackberry customer..."

    You just got a RIMjob.

  13. The eejit, 4 Aug 2012 @ 2:23am

    Re: Re: What's POTUS going to do?

    Why have them monitoring when you can just have the Illuminati do it and be much more secret about it?

  14. jon, 4 Aug 2012 @ 12:16pm

    Russia

    In Russia, they have already worked around this issue. The cellular provider owns the BES, and you provide them with an account that has access to your blackberry users' mailboxes. It's super effective and your level of privacy is transparent. This isn't required for ActiveSync connections, which makes me believe that ActiveSync is already cracked.

  15. Anonymous Coward, 4 Aug 2012 @ 1:14pm

    place I work for just got rid of 150 blackberry handsets less than 2 years after implementing them manager-wide.

    Stating that they weren't sure if they were secure, they've changed to a multiple-handset model not wanting to get burned twice.

  16. Anonymous Coward, 4 Aug 2012 @ 1:15pm

    Re: Interesting technical implications

    That's assuming RIM doesn't throw an unencrypted feed along with the encrypted.....or a secondary feed only THEY can decrypt that's sent out at an OS level so can't be bypassed by apps/settings.

  17. gama rays, 4 Aug 2012 @ 9:20pm

    You guys must realize that spying is for the national security. While I agree this can be abused, I also realize it is used generally for the country's own good the majority of the time.

    Why do people feel the need to communicate with utter secrecy? If you feel the need to talk with that kind of privacy, better talk with them face to face or use encrypted mail (unless you are doing anything illegal, of course). Again, I agree that this can be abused just like any other technology (like 1%-10% of the time) [my numbers; not to be taken as fact]. The government must make sure it has the ability to intercept emails from possible terrorists that may get hold of this technology.

    Just imagine terrorists using this technology to co-ordinate their attacks. It will become an utter nightmare. And imagine what this becomes if the government does not have the ability to stop them.

    tl;dr privacy is compromised slightly for the greater good.

  18. Anonymous Coward, 4 Aug 2012 @ 9:24pm

    Rim job?

  19. Anonymous Coward, 4 Aug 2012 @ 9:28pm

    Re:

    I think you got your numbers backwards.

    Real threats rarely happen, so most of the time this will be used to spy on others for other reasons.

    Iran-Contra was not a fantasy and it highlights why spying in secrecy without any kind of oversight is bad.

    Maybe you are too young to remember what that was, but some still remember it and know exactly why spying on our own people was forbidden.

  20. gama rays, 4 Aug 2012 @ 9:33pm

    Re: Re:

    "Bottom line is that 'criminals' should not drive exceptions to our system of protections"

    I vehemently disagree with this point. Do you know that ONLY FIVE PEOPLE killed 3000 people during 9/11?

  21. gama rays, 4 Aug 2012 @ 10:05pm

    Re: Re:

    I am not denying any of your points. At least we both agree real threats DO occur.

    Terrorists are not dumb; they are not going to just strap a bomb and kill themselves all the time. They are constantly evolving and they try to use any means possible to make their job easy.

    The reality is that if we want to feel safe anywhere we go, we need to tolerate the spying. Bad guys kill other people. It may be today, tomorrow or even after 10 years. Spying is only one of the many tools we have at our disposal to beat them. Because I am more than happy to compromise my privacy if that means it helps save a few people's lives or mine for that matter.

  22. gama rays, 4 Aug 2012 @ 10:48pm

    Re: Re: Re: correction

    It's 19, not 5. Sorry for the error.

  23. Tim, 5 Aug 2012 @ 9:13am

    Re: Re: Interesting technical implications

    Unlikely; an unencrypted feed would be trivial to detect and even a second encrypted feed should show up in deep packet analysis. Though you wouldn't be able to read it, you'd definitely know it was there. Given the design of the Blackberry network, this sounds like some sort of man in the middle attack, probably being run against the encrypted AES packets as they pass through the Blackberry network after SRP authentication before they're passed back to the corporate BES. That would be the point that the packets would be most vulnerable to attack, but you'd still need to break the AES encryption, which must have a flaw that allows it to be broken that easily; what's surprising is that such a flaw hasn't been more widely reported.

  24. Anonymous Coward, 5 Aug 2012 @ 2:08pm

    Re:

    Watch the "South Park" movie. The term is explained.

  25. dfdfg, 5 Aug 2012 @ 8:09pm

    ethics?

    This is what really pisses me off about online journalism. Not only is the article incorrect, it was published at least a day AFTER RIM came out and said this is not true.

    You really should post a retraction on your front page.

  26. Ninja, 6 Aug 2012 @ 9:19am

    So RIM is officially dead. Let us see how long Nokia and its stubbornness will hold.

  27. John Fenderson, 6 Aug 2012 @ 11:00am

    Re: Re: Re: Re: correction

    Actually, a lot more than 19 if you count the "back-office" support infrastructure.

    But even if it was 19, so what? How does that counter the argument that criminals shouldn't drive exceptions to our legal protections?

  28. John Fenderson, 6 Aug 2012 @ 11:07am

    Re: Re: Re:

    "Because I am more than happy to compromise my privacy if that means it helps save a few people's lives or mine for that matter."

    And I am not.

    Here's the problem -- the risk of abuse, even life-threatening abuse -- in the name of security far outweighs the risk from terrorist acts. There are indeed circumstances where civil rights should be abridged for the greater good, but these must be truly exceptional in nature, and only for a limited time.

    The threat posed by terrorists is neither of those things.

    Let me put this in perspective: the odds that you will be killed driving on a freeway are many orders of magnitude greater than the odds of you being killed by a terrorist act. Are you arguing that we need to be stripped of civil rights to mitigate the freeway threat? If not, then why the difference?

  29. mongolking, 7 Aug 2012 @ 1:03pm

    Garbage Article.

    This Article is riddled with unproven "facts", biased language, even small grammatical errors.

    It's absolutely ridiculous that people read this and take the statements as facts. There are no references to people, institutions or reports used to acquire this information.
