BlackBerry -- Which Said It Wouldn't Protect Criminals -- Assures Criminals Its Phones Are Still Secure

from the organized-criminal-activity-still-a-go dept

Tue, Jan 19th 2016 6:29am — Tim Cushing

Bad news for BlackBerry. Its PGP phones -- considered much more secure than its off-the-shelf versions -- are compromised. On January 11th, Motherboard reported that Dutch law enforcement officials claimed to be able to bypass/crack the phones' encryption.

Dutch investigators have confirmed to Motherboard that they are able to read encrypted messages sent on PGP BlackBerry phones—custom, security-focused BlackBerry devices that come complete with an encrypted email feature, and which reportedly may be used by organized criminal groups.

“We are capable of obtaining encrypted data from BlackBerry PGP devices,” Tuscha Essed, a press officer from the Netherlands Forensic Institute (NFI), told Motherboard in an email.

Never mind the "reportedly may be used by organized criminal groups." That's something any law enforcement agency would say when describing its ability to crack open phones and pull out contents presumed to be protected by the device. There are privacy concerns that need to be addressed -- along with concerns about how these devices are searched -- and claiming Device X is "reportedly" used by Unnamed Criminal Organization Y is a simple way of sidestepping these uncomfortable questions.

One day later, Motherboard reported Canadian law enforcement could also circumvent the PGP phones' built-in protections.

"This encryption was previously thought to be undefeatable,” one 2015 court document in a drug trafficking case reads, referring to the PGP encryption used to secure messages on a BlackBerry device. “The RCMP technological laboratory destroyed this illusion and extracted from this phone 406 e-mails, 25 address book entries and other information all of which had been protected.”

In another case from 2015, centering around charges of kidnap and assault, three out of four BlackBerrys seized by the RCMP were analysed by the “Technical Assistance Team in Ottawa and the contents were decrypted and reports prepared.”

Other law enforcement agencies have refused to confirm or deny their ability to crack BlackBerry phones for obvious reasons. No sense in tipping off "organized criminal groups" that their encrypted communication devices are considered open books by Local Law Enforcement Agency Z.

BlackBerry has fired back, claiming its phones are still as secure as ever.

There have been recent media reports that police-affiliated groups in the Netherlands have been able to ‘crack’ the encryption protecting e-mails and other data that are stored on BlackBerry devices.

BlackBerry does not have any details on the specific device or the way that it was configured, managed or otherwise protected, nor do we have details on the nature of the communications that are claimed to have been decrypted.

If such an information recovery did happen, access to this information from a BlackBerry device could be due to factors unrelated to how the BlackBerry device was designed, such as user consent, an insecure third party application, or deficient security behavior of the user.

Furthermore, there are no backdoors in any BlackBerry devices, and BlackBerry does not store and therefore cannot share BlackBerry device passwords with law enforcement or anyone else.

While there could be some truth to BlackBerry's assertions, one wonders why it even cares. After all, its own CEO went after Apple for "locking out" law enforcement with its encryption-by-default design.

For years, government officials have pleaded to the technology industry for help yet have been met with disdain. In fact, one of the world’s most powerful tech companies recently refused a lawful access request in an investigation of a known drug dealer because doing so would “substantially tarnish the brand” of the company. We are indeed in a dark place when companies put their reputations above the greater good. At BlackBerry, we understand, arguably more than any other large tech company, the importance of our privacy commitment to product success and brand value: privacy and security form the crux of everything we do. However, our privacy commitment does not extend to criminals.

CEO John Chen openly stated BlackBerry will not protect criminals. If law enforcement agencies are able to bypass the security in PGP phones, they're presumably doing so to capture criminals. Applied to Chen's Apple-bashing statement, this isn't a flaw in the encryption. It's serendipity. BlackBerry will help law enforcement access your phone's content if it's asked to. All that's happening here is a middleman (BlackBerry) being bypassed. Maybe BlackBerry is upset because this method doesn't give it warm feelings and a pat on the back by law enforcement for being Stand Up Guys.

And while the assurance that BlackBerry doesn't insert backdoors into its products is nice to hear, it's ultimately meaningless when its CEO has stated he's willing to come 'round back with the master key if law enforcement wants to take a look around.

All this statement does is assure the very people CEO John Chen said the company has no interest in protecting ("criminals") that its phones are still safe to use in organized criminal efforts.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: canada, criminals, encryption, going dark, john chen, netherlands, pgp, pgp phone
Companies: blackberry

34 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Ehud Gavron (profile), 19 Jan 2016 @ 3:52am

Awesome
That's really awesome, that a formerly-relevant now disregarded manufacturer of nobody-uses phones said something.

Blackberry was an important part of history. I will miss their pansy-ass way of giving foreign governments and security agencies access to their never-proven-private encryption.

Stay down, Blackberry. You give rimjob a bad name.

E
[ link to this | view in chronology ]
That One Guy (profile), 19 Jan 2016 @ 5:04am

Seems to me they're trying to have it both ways, telling the public and the politicians/police very different things.

The public is assured that there are no backdoors in their products, and their devices are secure, such that if police are able to bypass the security measures it's only thanks to things outside their control.

Politicians and police on the other hand are assured that the company is more than willing to hand over any and all personal data from the devices owned by 'criminals', and that the company is absolutely against encryption that would prohibit them from doing so.

One group is almost certainly being lied to, and past actions by the company strongly suggest that it's the public.

The company has shown a willingness in the past to bypass their own encryption in order to give access to government agencies, making their priorities with regards to 'customer privacy' clear, so while they're likely honest when they assure politicians that they have no interest in 'protecting criminals', their claims that they care about the privacy and security of their customers is almost certainly little more than empty words to con people into using the company's products.
[ link to this | view in chronology ]
- tqk (profile), 19 Jan 2016 @ 10:11am
  
  Bafflegab! :-)
  Seems to me they're trying to have it both ways, telling the public and the politicians/police very different things.
  
  You underestimate the power of bafflegab. I define the meaning of that pseudo-word along the lines of "least untruthful answer."
  
  I expect BB's telling the truth, but not all of it. BBs are secure, until the LEOs show up complaining about criminality. Then, BB installs a back door of some sort, keypad reader perhaps, on that phone as part of a software update. Voila!
  
  BB's been very upfront about not wanting to help criminals so I doubt they bother with niggling details like warrants 'cause they don't have to. Problem easily solved.
  [ link to this | view in chronology ]
TechDescartes (profile), 19 Jan 2016 @ 6:58am

And That's What You Call...
...a rimshot.
[ link to this | view in chronology ]
Ninja (profile), 19 Jan 2016 @ 6:59am

Oh, Blackberry still exists. I thought they were gone. That said, I'd think criminals using Blackberry phones are a topic for the other Tim under the "Dumb criminal" headline, no?
[ link to this | view in chronology ]
- JBDragon (profile), 19 Jan 2016 @ 8:49am
  
  Re:
  Well BlackBerry the OS is done for as soon as they released a Android phone, the PRIV. With plans to release more in the future. Who in their right mind would have any faith in BlackBerry at that point?
  [ link to this | view in chronology ]
  - Ninja (profile), 19 Jan 2016 @ 9:33am
    
    Re: Re:
    That was a smart move taken way too late. But maybe not late enough to bury the company for good. This could help it gain some relevance back.
    [ link to this | view in chronology ]
Anonymous Coward, 19 Jan 2016 @ 7:06am

I wonder...
Who decides that anyone is a criminal?

Blackberry?
The police?
The Nine System Administrators?
[ link to this | view in chronology ]
- Pixelation, 19 Jan 2016 @ 8:31pm
  
  Re: I wonder...
  "Who decides that anyone is a criminal?"
  
  These days that would be the RIAA.
  [ link to this | view in chronology ]
DannyB (profile), 19 Jan 2016 @ 7:36am

BlackBerry known to be insecure for at least 5 years
Two examples:

BlackBerry ban lifted in Saudi Arabia

http://www.theguardian.com/technology/2010/aug/10/blackberry-saudi-arabia-ban-lifted

BlackBerry bows to Saudi Arabia

http://www.theregister.co.uk/2010/08/09/rim_saudi_arabia/

Just one quote:
Authorities in Saudi Arabia had said some BlackBerry Messenger services would be blocked from Friday, 6 August, citing security fears about the way the Canadian technology firm encrypts personal data on its devices.

So we know BlackBerry has been known to bend over for countries with dubious human rights records for at least five years. Why wouldn't you think they would also bend over for other bad parties: China, Russia, the NSA, CIA, FBI, and even local law enforcement.

No wonder the president of the US is forced to use a BlackBerry against his wishes. The choice of the people's regimes everywhere.
[ link to this | view in chronology ]
- Anonymous Coward, 19 Jan 2016 @ 8:45am
  
  Re: BlackBerry known to be insecure for at least 5 years
  My thought on why government uses BlackBerries is because they ARE willing to backdoor their product. Otherwise I can't imagine how they are still in busiess.
  [ link to this | view in chronology ]
  - Eldakka (profile), 19 Jan 2016 @ 3:23pm
    
    Re: Re: BlackBerry known to be insecure for at least 5 years
    Large organisations (large enterprises, government agencies and so on) that use BlackBerries install their own Blackberry Enterprise Server (BES).
    
    Blackberry the company doesn't have access to these BES servers. It is these servers that control and funnel the encryption between the users of blackberry devices connected to the same BES server. Each 'owner' of the BES server sets it up and initiates the encryption, keys, and so on. But the administrators of these BES servers CAN decrypt the communications between 'their' blackberry handsets, as they hold the master keys. That way, a 3rd-party (defined as someone outside the organization who owns the BES, including BlackBerry itself) cannot decrypt communications (without hacking the BES server etc). But the organization itself who owns the local BES can decrypt it's employees communications.
    
    There are 'public' BES servers, these are owned and operated by BlackBerry. These public servers are what are used if someone just goes and buys a blackberry off the shelf and uses it on the 'public' mobile network. It is THESE that BlackBerry can decrypt, since they are the owners and operators of the public BES servers and hence hold the keys. However BlackBerry cannot decrypt the communications of those who purchase, install, operate and use their own BES servers, as they don't have the keys for those.
    
    Of course, this assumes the operators of the BES servers don't leave the default keys/passwords in place and actually take the time to properly set up and secure the BES server and the master keys ;)
    [ link to this | view in chronology ]
    - klaus (profile), 20 Jan 2016 @ 1:30am
      
      Re: Re: Re: BlackBerry known to be insecure for at least 5 years
      Interesting. So the likely explanation behind this story is that the Dutch & Canadians simply went to the public BES admins (presumably with warrants) and got them to decrypt the phones.
      
      Quite simple really.
      [ link to this | view in chronology ]
    - Anonymous Coward, 20 Jan 2016 @ 1:12pm
      
      Re: Re: Re: BlackBerry known to be insecure for at least 5 years
      Who owns/controls the master key is not relevant: it only unlocks the front door.
      
      The idea of a back door is to facilitate access to the data without having the master key.
      [ link to this | view in chronology ]
- tqk (profile), 19 Jan 2016 @ 10:17am
  
  Re: BlackBerry known to be insecure for at least 5 years
  No wonder the president of the US is forced to use a BlackBerry against his wishes.
  
  What?!? The way I remember it is he was forced to stop using his BB once elected, until they provided one sufficiently hardened to satisfy the Secret Service.
  [ link to this | view in chronology ]
  - DannyB (profile), 19 Jan 2016 @ 11:19am
    
    Re: Re: BlackBerry known to be insecure for at least 5 years
    Sufficiently backdoored to satisfy the SS ?
    [ link to this | view in chronology ]
- Anonymous Coward, 19 Jan 2016 @ 3:08pm
  
  Re: BlackBerry known to be insecure for at least 5 years
  I sure the POTUS "uses" one in the hope that others will follow his lead (however, most people are not idiotic enough to do such a thing).
  
  Regardless, this from The Gaurdian:
  
  "...An RIM spokeswoman declined to comment.
  
  The manufacturer had earlier said that "any claims we provide, or have ever provided, something unique to the government of one country that we have not offered to the governments of all countries, are unfounded"..."
  
  Which obviously means "we offer the same compromise to the governments of all countries".
  [ link to this | view in chronology ]
- Well-Actually, 20 Jan 2016 @ 9:13pm
  
  Re: BlackBerry known to be insecure for at least 5 years
  Just so you know. The blackberry the US president had was NOT a standard blackberry.
  
  You cant buy the phone, other connecting hardware or custom software.
  
  One could argue that the blackberry is far from being a... blackberry.
  [ link to this | view in chronology ]
crade (profile), 19 Jan 2016 @ 8:06am

The Netherlands is one of the countries that actually came out publicly against any backdoor requirements. Apparently they are confident enough in their ability that they don't need to cheat!
[ link to this | view in chronology ]
- Anonymous Coward, 19 Jan 2016 @ 8:40am
  
  Re:
  Why would they need to? They can probably just ask for access and get it in most cases.
  [ link to this | view in chronology ]
  - crade (profile), 19 Jan 2016 @ 10:11am
    
    Re: Re:
    Ask for access from who? The people they are trying to convict? Obviously this would be kept in reserve for that rare case when they are not inclined to help with the investigation for some wierd reason :)
    [ link to this | view in chronology ]
    - klaus (profile), 20 Jan 2016 @ 1:35am
      
      Re: Re: Re:
      Check out Eldakka's comment above (he/she's right BTW) - my money is on warrants being served to the BES admins...
      [ link to this | view in chronology ]
Anonymous Coward, 19 Jan 2016 @ 8:25am

Wait... people still use Blackberrys?
[ link to this | view in chronology ]
Billy, 19 Jan 2016 @ 8:46am

Security and Social Responsibility
After a quick discussion with my 12 year old kid about Security and Social Responsibility relating to Apple's "Brand protection", my kid was the first to dumped her iPhone and ipad followed by the rest of our family and friends. We now view Apple as an Immoral and Criminal organization.
[ link to this | view in chronology ]
- That One Guy (profile), 19 Jan 2016 @ 9:10am
  
  Re: Security and Social Responsibility
  ... what?
  
  If you're talking about Apple's actions as mentioned in the article, the Blackberry CEO was taking cheap shots at them for their encryption-by-default stance, which is a good thing for tech companies to adopt, as better encryption protects far more 'good' people than 'bad'.
  
  As for Apple's refusal to decrypt the device relating to that case, both the company and the public is better off from their having done so. The company is better off as it allows them to demonstrate that they care enough about their customer's privacy to go to court for it, even against the DOJ, while the public is better off as forcing the ones wishing to perform the search to get a warrant and apply it to the owner of the data stops the police and government agencies from side-stepping laws against self-incrimination and unreasonable searches.
  [ link to this | view in chronology ]
- Anonymous Coward, 19 Jan 2016 @ 1:34pm
  
  Re: Security and Social Responsibility
  What? Whoever you've listened to regarding Apple and encryption? Stop listening to them because they lied to you.
  [ link to this | view in chronology ]
Anonymous Coward, 19 Jan 2016 @ 8:56am

Either phrasing works, for different reasons...
Furthermore, there are no backdoors that we know of in any BlackBerry devices, ...

... since the last time we audited our software, and to the extend of our engineers' expertise.

Furthermore, there are no backdoors in any BlackBerry devices that we know of, ...

... that we've been able to examine. But, you know, we haven't seen the ones the RCMP and the Dutch tore apart, so there is that.
[ link to this | view in chronology ]
Anonymous Coward, 19 Jan 2016 @ 11:11am

Remember Blackberry in India?
Wasn't it just 2 or 3 years ago that India wanted access to communications across Blackberry phones and Blackberry said they couldn't provide it. Next thing you hear is that India and Blackberry have some agreement. So I am not sure Blackberry has ever been as secure as they claim. I think they have always had their own back door.
[ link to this | view in chronology ]
- Eldakka (profile), 19 Jan 2016 @ 3:29pm
  
  Re: Remember Blackberry in India?
  There are 2 types of BES servers, 'public', which are owned and operated by BlackBerry, and private, which are purchased from BlackBerry and owned and operated by private organisations. BlackBerry can access and decrypt communications that use the public BES servers, as BlackBerry manages those and holds the keys. However, BlackBerry cannot decrypt communications that use the private BES servers, unless the administrators of those servers do it or provide the master keys of those servers.
  
  It is these public BES servers that BlackBerry has agree to decrypt for the Indian government, not the privately owned and operated BES servers.
  [ link to this | view in chronology ]
  - Anonymous Coward, 20 Jan 2016 @ 4:43am
    
    Re: Re: Remember Blackberry in India?
    BlackBerry cannot decrypt communications that use the private BES servers, unless the administrators of those servers do it or provide the master keys of those servers
    
    And this comes from which source? Blackberry?
    
    You see, a backdoor doesn't need master keys.
    That's why they call it a backdoor...
    [ link to this | view in chronology ]
Anonymous Coward, 19 Jan 2016 @ 2:54pm

It's so painfully obvious that these Blackberry devices, likes Apple's, share data with feds utilizing pre-compromised hardware, and the illusion that the tech/fed alliance has been foisting upon the press (i.e. "there is no cooperation of that type") is simply falling apart in the way one might expect it would (embarrassingly).

And fall apart it should.
[ link to this | view in chronology ]
Anonymous Coward, 20 Jan 2016 @ 7:53am

I BBs were even trying to be private they would be nailguned or glueguned or defenestrated
[ link to this | view in chronology ]
FxckFxcx, 29 Apr 2016 @ 11:02pm

Contorted and Twisted for Job Stablity in the Judicial Branch
Vote Trump and maybe Morpho will have some restrictions put into place to free up resources and develop a borderless world
[ link to this | view in chronology ]
Myntex, 26 Jun 2017 @ 4:41pm

At the time these encrypted emails were decrypted it was due to negligent encryption processes by a particular security provider, no fault of the device itself.

BlackBerry will obviously listen to a court order, however they do walk a thin line... Ensuring your devices are secure as well as complying with law enforcement is a tricky balancing act.

If they themselves have no way to get into an encrypted phone (Which is the case) then when law enforcement subpoenas them they don't really have any information to give.. Which therefore does protect its users. (This is a good thing)

Any company that deals with security is obligated to ensure no one can access files or information they deem "secure", even if someone is them.

I'm still giving BlackBerry kudos for playing both sides, and keeping our devices secure.
[ link to this | view in chronology ]