Canadian Law Enforcement Can Intercept, Decrypt Blackberry Messages
from the so-much-for-the-one-thing-Blackberry-used-to-have-going-for-it... dept
Blackberry's CEO, John Chen, didn't care for the fact that Apple was "locking" law enforcement out of its devices by providing customers with default encryption. As he saw it, Apple was placing profits ahead of Mom, Apple pie and American-made motorcars.
For years, government officials have pleaded to the technology industry for help yet have been met with disdain. In fact, one of the world's most powerful tech companies recently refused a lawful access request in an investigation of a known drug dealer because doing so would "substantially tarnish the brand" of the company. We are indeed in a dark place when companies put their reputations above the greater good.
Chen refused to "extend privacy to criminals." How he had any way of knowing who was or wasn't a criminal at the point of sale was not detailed in his rant.
Then news surfaced that Dutch law enforcement could bypass Blackberry encryption with seeming impunity. At that point, Blackberry became defensive about its new stature as the least secure smartphone option. It claimed in a blog post that its stock phones were not open books for the world's law enforcement agencies. Despite promising earlier that the company would not aid criminals in keeping their secrets from law enforcement, Blackberry heatedly claimed its devices were secure as ever -- even in the hands of criminals.
[T]here are no backdoors in any BlackBerry devices, and BlackBerry does not store and therefore cannot share BlackBerry device passwords with law enforcement or anyone else.
Ah, but there is a backdoor. A big one. And it's on the opposite side of the "house." Motherboard is reporting that the Royal Canadian Mounted Police are able to access unencrypted communications thanks to the Blackberry's built-in "feature."
Imagine for a moment that everybody's front door has the same key. Now imagine that the police have a copy of that key, and can saunter into your living room to poke around your belongings while you're out, and without your knowledge.
By way of metaphor, this is exactly how the Royal Canadian Mounted Police, Canada's federal police force, intercepted and decrypted "over one million" BlackBerry messages during an investigation into a mafia slaying, called "Project Clemenza," that ran between 2010 and 2012.
Citizen Lab privacy expert Christopher Parsons backs up Motherboard's analogy. [emphasis in the original]
In addition to routing and compressing data traffic, RIM's service offerings also include a measure of security in excess of the practices adopted by their competitors. BBM, as an example, is encrypted. However, it is encrypted using a global key. RIM has written that,
"The BlackBerry device scrambles PIN messages using the PIN encryption key. By default, each BlackBerry device uses a global PIN encryption key, which allows the BlackBerry device to decrypt every PIN message that the BlackBerry device receives."
This means that RIM can decrypt consumers' messages that are encrypted with the global key. Consumer devices include all RIM offerings that are not integrated with a BlackBerry Enterprise Server (BES). The BES lets administrators change the encryption key, which prevents RIM from using the global decryption key to get at the plaintext of BES-secured communication.
Blackberry may be technically correct when it asserts it has no access to user passwords. But that hardly matters when it holds the key that can decrypt any BBM communications that pass through its service (with the exception of administrator-level business accounts). This single key's access to unencrypted communications is likely what allowed (and possibly still allows) the RCMP to obtain plaintext messages.
According to the documents obtained by Motherboard, the RCMP appears to be using some sort of Stingray-but-for-BBM technology to intercept and decrypt messages.
The RCMP maintains a server in Ottawa that "simulates a mobile device that receives a message intended for [the rightful recipient]." In an affidavit, RCMP sergeant Patrick Boismenu states that the server "performs the decryption of the message using the appropriate decryption key." The RCMP calls this the "BlackBerry interception and processing system."
By inserting itself into the middle of communications, the RCMP can intercept the messages. Access to the Golden Key ensures they can be read. The conclusion reached by both the defense team and the judge presiding over the case? The RCMP has Blackberry's global encryption key.
The defence in the case surmised that the RCMP must have used the "correct global encryption key," since any attempt to apply a key other than BlackBerry's own global encryption key would have resulted in a garbled mess. According to the judge, "all parties"—including the Crown—agree that "the RCMP would have had the correct global key when it decrypted messages during its investigation."
Unfortunately, there aren't many more details. Many of the documents related to this case remain under seal and the RCMP certainly isn't going to discuss its interception/decryption secrets if it doesn't have to. It could very well be that it demanded (and obtained) the key from Blackberry, much in the way the FBI demanded Lavabit's SSL key. If so, Blackberry was far more cooperative than Lavabit, which chose to shut down the service rather than allow the government to have total access. (And it has been hinted by the DOJ that this sort of request may be headed Apple's way if it continues to fight its All Writs orders.)
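An added illustration of the global-key design and the defence's "garbled mess" inference described above. It is not BlackBerry's or the RCMP's code: the cipher is a stand-in keystream built from HMAC-SHA256, and every key, message and function name is constructed for the example.

```python
import hashlib
import hmac
import os

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:12], blob[12:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))

def looks_like_text(data: bytes) -> bool:
    """True if every byte is printable ASCII, i.e. not a 'garbled mess'."""
    return all(32 <= b < 127 for b in data)

# Constructed keys: one shared by every consumer handset, one set by a BES admin.
GLOBAL_KEY = hashlib.sha256(b"constructed global key").digest()
BES_ORG_KEY = hashlib.sha256(b"constructed key chosen by one BES administrator").digest()

def intercept(blob: bytes, held_key: bytes):
    """What a party holding `held_key` recovers from a captured message."""
    candidate = decrypt(held_key, blob)
    return candidate if looks_like_text(candidate) else None

def demo() -> dict:
    consumer = [encrypt(GLOBAL_KEY, m) for m in (CONSUMER_A, CONSUMER_B)]
    bes = encrypt(BES_ORG_KEY, b"quarterly numbers are attached for review")
    return {
        "consumer": [intercept(c, GLOBAL_KEY) for c in consumer],  # all readable
        "bes": intercept(bes, GLOBAL_KEY),                         # global key fails
        "wrong_key": intercept(consumer[0], BES_ORG_KEY),          # garbled output
    }

CONSUMER_A = b"meet at the usual place at nine tonight"
CONSUMER_B = b"call me back when you get this message"

if __name__ == "__main__":
    print(demo())
```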
Somewhat ironically, the RCMP acknowledged in court that outing a cellphone provider as Junior G-Men would probably tarnish Blackberry's reputation -- basically the same thing Blackberry CEO John Chen claimed was the height of Apple impudence:
RCMP inspector Mark Flynn testified in a heavily redacted transcript that BlackBerry "facilitated the interception process," however, Flynn also stated that facilitation could mean mere information sharing or a physical action to aid interception.
Flynn further testified that revealing the key would jeopardize the RCMP's working relationship with BlackBerry, and harm BlackBerry itself, since "it is not a good marketing thing to say we work with the police."
The question now is whether the RCMP still has this level of access. To cut off the RCMP, Blackberry would have needed to alter the global decryption key -- something that would have required "a massive update... on [a] per-handset basis," according to Citizen Lab's Christopher Parsons. And if Canada's law enforcement has it (or had it), odds are law enforcement agencies in other countries had similar access. Investigators may not be keen to expose techniques in court or in released documents, but they're usually pretty good about sharing this info with like-minded law enforcement agencies.
Filed Under: blackberry, canada, encryption, interception, law enforcement, master key, rcmp
Companies: blackberry
Reader Comments
I seem to recall...
[ link to this | view in chronology ]
Re: I seem to recall...
I think more like a subsidiary of Indian Intelligence? I remember reading an article about that somewhere!
Also, I love all this 'for the greater good' talk. Reminds me of pro-genocidal arguments. At least he didn't say 'Unamerican'.
[ link to this | view in chronology ]
Canadian Law Enforcement Can Intercept, Decrypt Blackberry Messages!
They got both of them...
[ link to this | view in chronology ]
Clinton and Obama
[ link to this | view in chronology ]
Re: Clinton and Obama
[ link to this | view in chronology ]
So, does Obama text?
really locked down his phone?
[ link to this | view in chronology ]
A massive update is an understatement.
As messaging is not real time interactive, which key to use cannot be negotiated. Therefore until all phones have the new key, nobody can use it for reliable messaging.
This is a problem with all such golden key/backdoor systems: updating to remove any compromise is an extremely difficult operation, especially as phones may be off the network for considerable periods of time, the owner abroad, in hospital or any such reason that keeps the phone off of the network for a prolonged period.
[ link to this | view in chronology ]
Working With the Police is Bad Marketing?
The Police! That's who.
Once upon a time, it would simply go unsaid that you work with law enforcement. In fact, working against law enforcement would be seen negatively.
The fact that it is now a marketing feature to safeguard you from abusive law enforcement is the best evidence that something is deeply wrong in law enforcement. At all levels.
[ link to this | view in chronology ]
Re: Working With the Police is Bad Marketing?
[ link to this | view in chronology ]
If the RCMP have it
If CSIS has it the five eyes have it.
Ergo - Assume all intelligence agencies have it.
The only thing a blackberry may be good for now is
RIM's burial marker.
[ link to this | view in chronology ]
Remember India & Blackberry?
[ link to this | view in chronology ]
Ahem. If for the company alone it wouldn't matter ;~)
[ link to this | view in chronology ]
Don’t Confuse BIS With BES
BES is the one where businesses set up their own servers, with their own encryption keys. BlackBerry is supposed to have no access to these (as reported previously—but then there’s this). BIS is the one accessed by ordinary individual customers, where the encryption is done on BlackBerry’s own servers.
The latter has been pretty much wide open to the authorities from day one. This report is specifically about BIS, so there is really nothing new here.
[ link to this | view in chronology ]
Re: Blackhatberry
[ link to this | view in chronology ]
Meaning all of the '5 eyes' countries had it too...
I wonder what this will cost us taxpayers...
[ link to this | view in chronology ]
Bio centric metric exploited data
"God Satan and the RCMP"
?
Kanaskis
[ link to this | view in chronology ]