BlackBerry -- Which Said It Wouldn't Protect Criminals -- Assures Criminals Its Phones Are Still Secure
from the organized-criminal-activity-still-a-go dept
Bad news for BlackBerry. Its PGP phones -- considered much more secure than its off-the-shelf versions -- are compromised. On January 11th, Motherboard reported that Dutch law enforcement officials claimed to be able to bypass/crack the phones' encryption.
Dutch investigators have confirmed to Motherboard that they are able to read encrypted messages sent on PGP BlackBerry phones—custom, security-focused BlackBerry devices that come complete with an encrypted email feature, and which reportedly may be used by organized criminal groups.
Never mind the "reportedly may be used by organized criminal groups." That's something any law enforcement agency would say when describing its ability to crack open phones and pull out contents presumed to be protected by the device. There are privacy concerns that need to be addressed -- along with concerns about how these devices are searched -- and claiming Device X is "reportedly" used by Unnamed Criminal Organization Y is a simple way of sidestepping these uncomfortable questions.
“We are capable of obtaining encrypted data from BlackBerry PGP devices,” Tuscha Essed, a press officer from the Netherlands Forensic Institute (NFI), told Motherboard in an email.
One day later, Motherboard reported Canadian law enforcement could also circumvent the PGP phones' built-in protections.
"This encryption was previously thought to be undefeatable," one 2015 court document in a drug trafficking case reads, referring to the PGP encryption used to secure messages on a BlackBerry device. "The RCMP technological laboratory destroyed this illusion and extracted from this phone 406 e-mails, 25 address book entries and other information all of which had been protected."
Other law enforcement agencies have refused to confirm or deny their ability to crack BlackBerry phones for obvious reasons. No sense in tipping off "organized criminal groups" that their encrypted communication devices are considered open books by Local Law Enforcement Agency Z.
In another case from 2015, centering around charges of kidnap and assault, three out of four BlackBerrys seized by the RCMP were analysed by the “Technical Assistance Team in Ottawa and the contents were decrypted and reports prepared.”
BlackBerry has fired back, claiming its phones are still as secure as ever.
There have been recent media reports that police-affiliated groups in the Netherlands have been able to 'crack' the encryption protecting e-mails and other data that are stored on BlackBerry devices.
While there could be some truth to BlackBerry's assertions, one wonders why it even cares. After all, its own CEO went after Apple for "locking out" law enforcement with its encryption-by-default design.
BlackBerry does not have any details on the specific device or the way that it was configured, managed or otherwise protected, nor do we have details on the nature of the communications that are claimed to have been decrypted.
If such an information recovery did happen, access to this information from a BlackBerry device could be due to factors unrelated to how the BlackBerry device was designed, such as user consent, an insecure third party application, or deficient security behavior of the user.
Furthermore, there are no backdoors in any BlackBerry devices, and BlackBerry does not store and therefore cannot share BlackBerry device passwords with law enforcement or anyone else.
For years, government officials have pleaded to the technology industry for help yet have been met with disdain. In fact, one of the world's most powerful tech companies recently refused a lawful access request in an investigation of a known drug dealer because doing so would "substantially tarnish the brand" of the company. We are indeed in a dark place when companies put their reputations above the greater good. At BlackBerry, we understand, arguably more than any other large tech company, the importance of our privacy commitment to product success and brand value: privacy and security form the crux of everything we do. However, our privacy commitment does not extend to criminals.
CEO John Chen openly stated BlackBerry will not protect criminals. If law enforcement agencies are able to bypass the security in PGP phones, they're presumably doing so to capture criminals. Applied to Chen's Apple-bashing statement, this isn't a flaw in the encryption. It's serendipity. BlackBerry will help law enforcement access your phone's content if it's asked to. All that's happening here is a middleman (BlackBerry) being bypassed. Maybe BlackBerry is upset because this method doesn't give it warm feelings and a pat on the back by law enforcement for being Stand Up Guys.
And while the assurance that BlackBerry doesn't insert backdoors into its products is nice to hear, it's ultimately meaningless when its CEO has stated he's willing to come 'round back with the master key if law enforcement wants to take a look around.
All this statement does is assure the very people CEO John Chen said the company has no interest in protecting ("criminals") that its phones are still safe to use in organized criminal efforts.
Filed Under: canada, criminals, encryption, going dark, john chen, netherlands, pgp, pgp phone
Companies: blackberry
Reader Comments
Awesome
Blackberry was an important part of history. I will miss their pansy-ass way of giving foreign governments and security agencies access to their never-proven-private encryption.
Stay down, Blackberry. You give rimjob a bad name.
The public is assured that there are no backdoors in their products, and their devices are secure, such that if police are able to bypass the security measures it's only thanks to things outside their control.
Politicians and police on the other hand are assured that the company is more than willing to hand over any and all personal data from the devices owned by 'criminals', and that the company is absolutely against encryption that would prohibit them from doing so.
One group is almost certainly being lied to, and past actions by the company strongly suggest that it's the public.
The company has shown a willingness in the past to bypass their own encryption in order to give access to government agencies, making their priorities with regards to 'customer privacy' clear, so while they're likely honest when they assure politicians that they have no interest in 'protecting criminals', their claims that they care about the privacy and security of their customers is almost certainly little more than empty words to con people into using the company's products.
Bafflegab! :-)
You underestimate the power of bafflegab. I define the meaning of that pseudo-word along the lines of "least untruthful answer."
I expect BB's telling the truth, but not all of it. BBs are secure, until the LEOs show up complaining about criminality. Then, BB installs a back door of some sort, keypad reader perhaps, on that phone as part of a software update. Voila!
BB's been very upfront about not wanting to help criminals so I doubt they bother with niggling details like warrants 'cause they don't have to. Problem easily solved.
I wonder...
Blackberry?
The police?
The Nine System Administrators?
Re: I wonder...
These days that would be the RIAA.
BlackBerry known to be insecure for at least 5 years
BlackBerry ban lifted in Saudi Arabia
http://www.theguardian.com/technology/2010/aug/10/blackberry-saudi-arabia-ban-lifted
BlackBerry bows to Saudi Arabia
http://www.theregister.co.uk/2010/08/09/rim_saudi_arabia/
Just one quote:
So we know BlackBerry has been known to bend over for countries with dubious human rights records for at least five years. Why wouldn't you think they would also bend over for other bad parties: China, Russia, the NSA, CIA, FBI, and even local law enforcement?
No wonder the president of the US is forced to use a BlackBerry against his wishes. The choice of the people's regimes everywhere.
Re: Re: BlackBerry known to be insecure for at least 5 years
Blackberry the company doesn't have access to these BES servers. It is these servers that control and funnel the encryption between the users of blackberry devices connected to the same BES server. Each 'owner' of the BES server sets it up and initiates the encryption, keys, and so on. But the administrators of these BES servers CAN decrypt the communications between 'their' blackberry handsets, as they hold the master keys. That way, a 3rd-party (defined as someone outside the organization who owns the BES, including BlackBerry itself) cannot decrypt communications (without hacking the BES server etc). But the organization itself who owns the local BES can decrypt its employees' communications.
There are 'public' BES servers, these are owned and operated by BlackBerry. These public servers are what are used if someone just goes and buys a blackberry off the shelf and uses it on the 'public' mobile network. It is THESE that BlackBerry can decrypt, since they are the owners and operators of the public BES servers and hence hold the keys. However BlackBerry cannot decrypt the communications of those who purchase, install, operate and use their own BES servers, as they don't have the keys for those.
Of course, this assumes the operators of the BES servers don't leave the default keys/passwords in place and actually take the time to properly set up and secure the BES server and the master keys ;)
Re: Re: Re: BlackBerry known to be insecure for at least 5 years
Quite simple really.
Re: Re: Re: BlackBerry known to be insecure for at least 5 years
The idea of a back door is to facilitate access to the data without having the master key.
Re: BlackBerry known to be insecure for at least 5 years
What?!? The way I remember it is he was forced to stop using his BB once elected, until they provided one sufficiently hardened to satisfy the Secret Service.
Re: BlackBerry known to be insecure for at least 5 years
Regardless, this from The Guardian:
"...An RIM spokeswoman declined to comment.
The manufacturer had earlier said that "any claims we provide, or have ever provided, something unique to the government of one country that we have not offered to the governments of all countries, are unfounded"..."
Which obviously means "we offer the same compromise to the governments of all countries".
Re: BlackBerry known to be insecure for at least 5 years
You can't buy the phone, other connecting hardware or custom software.
One could argue that the blackberry is far from being a... blackberry.
Security and Social Responsibility
Re: Security and Social Responsibility
If you're talking about Apple's actions as mentioned in the article, the Blackberry CEO was taking cheap shots at them for their encryption-by-default stance, which is a good thing for tech companies to adopt, as better encryption protects far more 'good' people than 'bad'.
As for Apple's refusal to decrypt the device relating to that case, both the company and the public are better off for their having done so. The company is better off as it allows them to demonstrate that they care enough about their customers' privacy to go to court for it, even against the DOJ, while the public is better off as forcing the ones wishing to perform the search to get a warrant and apply it to the owner of the data stops the police and government agencies from side-stepping laws against self-incrimination and unreasonable searches.
Either phrasing works, for different reasons...
... since the last time we audited our software, and to the extent of our engineers' expertise.
... that we've been able to examine. But, you know, we haven't seen the ones the RCMP and the Dutch tore apart, so there is that.
Remember Blackberry in India?
Re: Remember Blackberry in India?
It is these public BES servers that BlackBerry has agreed to decrypt for the Indian government, not the privately owned and operated BES servers.
Re: Re: Remember Blackberry in India?
And this comes from which source? Blackberry?
You see, a backdoor doesn't need master keys.
That's why they call it a backdoor...
And fall apart it should.
Contorted and Twisted for Job Stability in the Judicial Branch
BlackBerry will obviously listen to a court order, however they do walk a thin line... Ensuring your devices are secure as well as complying with law enforcement is a tricky balancing act.
If they themselves have no way to get into an encrypted phone (which is the case), then when law enforcement subpoenas them they don't really have any information to give, which therefore does protect its users. (This is a good thing.)
Any company that deals with security is obligated to ensure no one can access files or information they deem "secure", even if someone is them.
I'm still giving BlackBerry kudos for playing both sides, and keeping our devices secure.