Blackberry security and governments

zCypher

Diamond Member
Aug 18, 2002
I keep seeing articles about governments moving away from using Blackberries, due to "security concerns". The articles usually say something about the Blackberry being more secure than other smartphones (encryption?). So basically if they can't eavesdrop, they don't want it.

Well ... How much more secure is it, really? Do both parties need to be using a BB for it to be more secure than any other device?

RIM supposedly has around 19% of global smartphone market share. Think this will have a big hit on RIM? What are your thoughts on blackberry, its security features and what do you think will happen with BB in our neck of the woods - or do you care?

Here are a couple links for those who care to check it out:

http://www.reuters.com/article/idUSTRE6731VC20100804
http://www.bloomberg.com/news/2010-...sion-cuts-service-in-biggest-arab-market.html

edit, a third link:
http://news.yahoo.com/s/ap/ml_emirates_blackberry

gsaldivar

Diamond Member
Apr 30, 2001
I pretty much assumed all Blackberry traffic was surveillance-ready because of the reliance on centralized servers. If everyone used a Blackberry, the government wouldn't have to go through any extraordinary measures to capture data, they would only have to get RIM to provide them with server access to data that they *already have*.

It's confusing to me how this is big news today, when RIM's centralized systems have been in place for as long as I remember...

Didn't all the nationwide Blackberry outages clue anyone on to the fact that their data was passing through a massive single point of access? It's practically presented to the government on a silver platter. The only thing that's changed is that all the *other* governments are waking up to the fact that they can also join the party by pressuring RIM for access to those servers...

Edit: Link below for stories over the past few years about RIM handing over access to their network and encryption keys for government surveillance:

http://economictimes.indiatimes.com...ackBerry_mailbox_soon/articleshow/3041313.cms


yllus

Elite Member & Lifer
Aug 20, 2000
I pretty much assumed all Blackberry traffic was surveillance-ready because of the reliance on centralized servers. If everyone used a Blackberry, the government wouldn't have to go through any extraordinary measures to capture data, they would only have to get RIM to provide them with server access to data that they *already have*.

It's actually the opposite from what I understand. BlackBerry Enterprise Server (BES) is a software add-on to the Microsoft Exchange (or Lotus Notes, or Novell) e-mail infrastructure a telecom or private company has set up. All communication between BlackBerry devices on that infrastructure flows through BES.

The first time two BB devices talk to each other, they exchange encryption keys so that only each other (and the BES server) know how to decode messages sent between them. As a result of this, RIM themselves have no clue what the encryption keys are, so they can't provide them to a government. I think the confusion in thinking RIM can do this is due to the BES software routing most/all traffic through a network built and maintained by RIM.

So two things need to happen to allow BB devices to be eavesdropped upon:

1. RIM needs to write a patch for BES that takes each message, decrypts it using the private key that it's got stored away, and writes that decrypted message to somewhere the government can see.

2. The telecoms and private companies must take and install this patch to enable the eavesdropping.

With enough political pressure/threats both can and will occur. It's too bad, though. None of this is by any means done to improve security, simply to snoop on private citizens' lives.

More technical details: How the BlackBerry infrastructure works

BlackBerry Enterprise Server, also known as BES, manages the flow of traffic between application servers and handhelds via BlackBerry's SRP network. The primary feature of BES from an IT administrator's perspective is the ability to have granular control over BlackBerry devices. It allows the capability to remotely deploy applications, wipe devices, lock devices and enforce security policies. BES delivers most of the functionality on the market to effectively manage a fleet of BlackBerry devices.

BES must connect through the Internet and RIM's SRP Network to communicate with BlackBerry handhelds. IT administrators usually do not have control over those networks, but we can make sure our BES can talk to the Internet and RIM's SRP Network.

How data flows in the infrastructure:

1. BES picks up a new email message from Exchange Server in real-time.

2. BES connects to RIM's SRP network--srp.blackberry.net on port 3101 via Internet.

3. BlackBerry device is identified by its PIN and new email message is delivered.
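To make the traffic path described above concrete, here is an added Python model (not RIM's code and not from any poster in this thread) of Exchange -> BES -> SRP relay -> handset: the relay routes by PIN and sees every packet but holds no key, the BES holds the shared device key and is the one hop where mail sits decrypted, and a flag shows what changes if the device key itself is ever provisioned across the relay in the clear. The cipher is an HMAC-SHA256 keystream stand-in for the AES/3DES transport encryption, and the PIN, key and message are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

EMAIL = b"Quarterly numbers attached"  # constructed sample message
PIN = "2A1B3C4D"                       # constructed sample device PIN


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES/3DES: HMAC-SHA256 used as a CTR keystream (demo only,
    not RIM's cipher). Encrypt and decrypt are the same XOR operation."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:12], blob[12:])


@dataclass
class SrpRelay:
    """Models srp.blackberry.net: routes by PIN, sees every byte, holds no keys."""
    inboxes: dict = field(default_factory=dict)    # PIN -> packets for that device
    observed: list = field(default_factory=list)   # everything that crossed the relay

    def forward(self, pin: str, packet: bytes) -> None:
        self.observed.append(packet)
        self.inboxes.setdefault(pin, []).append(packet)


@dataclass
class Bes:
    """Models a BES: shares one key per device, hands only ciphertext to the relay."""
    relay: SrpRelay
    device_keys: dict = field(default_factory=dict)
    plaintext_log: list = field(default_factory=list)  # the one hop with decrypted mail

    def deliver_email(self, pin: str, body: bytes) -> None:
        self.plaintext_log.append(body)                                # step 1: from Exchange
        self.relay.forward(pin, encrypt(self.device_keys[pin], body))  # steps 2-3: relay by PIN


def run_scenario(key_crosses_relay_in_clear: bool) -> dict:
    """Returns what each party can read. The flag models a device key that was
    provisioned through the relay unprotected, so the relay operator also holds it."""
    relay, key = SrpRelay(), os.urandom(32)
    bes = Bes(relay, {PIN: key})
    if key_crosses_relay_in_clear:
        relay.forward(PIN, key)                 # key provisioning packet seen by the relay
    bes.deliver_email(PIN, EMAIL)
    device_reads = decrypt(key, relay.inboxes[PIN][-1])
    relay_reads = decrypt(relay.observed[0], relay.observed[-1]) if key_crosses_relay_in_clear else None
    return {"device": device_reads, "bes": bes.plaintext_log[-1], "relay": relay_reads,
            "relay_sees_only_ciphertext": relay.observed[-1][12:] != EMAIL}
```

With the key kept off the relay, only the handset and the BES ever hold readable mail; with it provisioned in the clear across the relay, the relay operator reads the same message.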

gsaldivar

Diamond Member
Apr 30, 2001
(BES) is a software add-on to the Microsoft Exchange (or Lotus Notes, or Novell) e-mail infrastructure a telecom or private company has set up. All communication between BlackBerry devices on that infrastructure flows through BES.

BES is simply the middleware that allows information to flow between a company's Exchange server and RIM's network. The point that I was making is that RIM still maintains a single massive point of access because all traffic (BIS, BES, or otherwise) must travel across RIM's data servers to ultimately reach users' individual phones ("srp.blackberry.net" in your diagram).

As a result of this, RIM themselves have no clue what the encryption keys are, so they can't provide them to a government.
There is a big difference between something being theoretically secure and real-world secure. There is a long history of reliance on methods that were once thought completely secure but were later discovered to be flawed in ways that permitted eavesdropping. I'm not saying that's certainly the case here, but it's not a secret that there exist a variety of methods the government might use to exploit flaws in encryption schemes. In fact, many of those flaws have been commercialized for the express purpose of sale to governments who want to monitor encrypted communications.

Just because data is encrypted doesn't mean it can't be monitored. When a government threatens RIM with a ban on their devices because the traffic can not be monitored by the government, the company can choose to provide users with a reduced level of encryption, or come to some "other" arrangement that satisfies the government's needs and preserves RIM's ability to keep selling devices to that country's consumers.

2. The telecoms and private companies must take and install this patch to enable the eavesdropping.

This is not without precedent.

yllus

Elite Member & Lifer
Aug 20, 2000
Just because data is encrypted doesn't mean it can't be monitored.

This statement is nonsensical. If the messages are indecipherable, you're not monitoring anything.

RIM appears to use 3DES and AES to encrypt messages. Neither can be brute forced in a timely fashion.
 

gsaldivar

Diamond Member
Apr 30, 2001
This statement is nonsensical. If the messages are indecipherable, you're not monitoring anything.

RIM appears to use 3DES and AES to encrypt messages. Neither can be brute forced in a timely fashion.

It's not nonsensical at all. Brute force is simply a last-ditch method of attacking encryption, one method of many. If you could go back in time and enlighten people who thought SSL was unbreakable I'm sure they might think you were "nonsensical" as well.

Here is one example. And no, it doesn't rely on a brute force attack, so theoretically it would work with any key length you choose. One method of many...

yllus

Elite Member & Lifer
Aug 20, 2000
Yes, there are other theoretical ways you could subvert encryption, none of which will come into play because governments will simply lean on RIM to release a patch that does what I've already mentioned.

I appear to be talking about the reality of the situation whereas you seem to be preoccupied with writing the intro to a Cryptography 101 textbook. Thanks, but I'll pass.
 

Zorkorist

Diamond Member
Apr 17, 2007
If Blackberry is so secure it bugs Governments, more power to them.

It's a hard argument to make, that secure and anonymous communications should be made. But after all, if you look at the U.S. Constitution, secure and anonymous communications are guaranteed.

-John
 

gsaldivar

Diamond Member
Apr 30, 2001
I appear to be talking about the reality of the situation whereas you seem to be preoccupied with writing the intro to a Cryptography 101 textbook.

With all due respect, I think you're the one writing the textbook. Neither I nor the OP brought up details like 3DES, AES, or brute-force encryption attacks...

I simply linked to real-world examples of how the government is bypassing those methods today.

Oric

Senior member
Oct 11, 1999
The real problem is that some governments don't like the idea of government officials' and businessmen's mail going through servers in other countries. Would you use a ChineseBerry smartphone in similar fashion in the USA?
 

yllus

Elite Member & Lifer
Aug 20, 2000
With all due respect, I think you're the one writing the textbook. Neither I nor the OP brought up details like 3DES, AES, or brute-force encryption attacks...

I simply linked to real-world examples of how the government is bypassing those methods today.

If you don't know why 3DES and AES directly relate to this topic, you really shouldn't be posting in this thread.

In other news, it looks like the solution India is working towards for intercepts is on the BES server, which is what I said would happen and is what you said "is simply the middleware". Will wonders never cease.

India testing ways to access BlackBerry e-mails: source

PROPOSED SOLUTION

Indian telecom officials said they had been told by RIM the only way an e-mail could be intercepted is when it temporarily stores itself in an Enterprise server in a decrypted form while travelling between two BlackBerry devices.

Indian agencies are now checking if they have the technology to monitor e-mails when they get briefly stored in an Enterprise server.

It is not possible to unscramble e-mails at any other stage. RIM says it does not have a master key that controls every system in its network.

“There have been a number of suggestions offered and this is one of them. A technical team will check those suggestions over the next few days,” a senior government source, who did not want to be identified, told Reuters.
 

gsaldivar

Diamond Member
Apr 30, 2001
If you don't know why 3DES and AES directly relate to this topic, you really shouldn't be posting in this thread

The encryption method isn't the point. The point is that RIM's network is built in such a way that messages are protected from being intercepted and read by outsiders. However, the same network lends itself to being accessible to insiders. That is, RIM and whatever government they choose to extend those privileges to. When you send your encryption keys and encrypted messages through the same centralized network, anyone privy to that data can read the encrypted messages that follow.

RIM's press statements on the subject are a simple play on words:

"It is not possible" to unscramble messages at any stage... yes, that's true because they don't have the encryption keys. But it's a trivial matter for them to setup a trap to capture those keys as they are initially exchanged between devices and the server because they own the network. Only if you choose not to build or use such a trap would it be impossible to unscramble that data.

Thump553

Lifer
Jun 2, 2000
If Blackberry is so secure it bugs Governments, more power to them.

It's a hard argument to make, that secure and anonymous communications should be made. But after all, if you look at the U.S. Constitution, secure and anonymous communications are guaranteed.

-John

It's called, Free Speech.

-John

You're confusing the implicit right to privacy found by the Supreme Court in Roe v. Wade with the right of free speech. The right of free speech is the right to make your voice heard, not keep it hidden. If the "strict constructionists" succeed in overturning Roe v. Wade then we have no constitutional guarantees of privacy at all.
 

yllus

Elite Member & Lifer
Aug 20, 2000
The encryption method isn't the point. The point is that RIM's network is built in such a way that messages are protected from being intercepted and read by outsiders. However, the same network lends itself to being accessible to insiders. That is, RIM and whatever government they choose to extend those privileges to. When you send your encryption keys and encrypted messages through the same centralized network, anyone privy to that data can read the encrypted messages that follow.

Uh... No. That's just flat out wrong. You don't know what you're talking about.
 

gsaldivar

Diamond Member
Apr 30, 2001
Uh... No. That's just flat out wrong. You don't know what you're talking about.

I guess whatever lets you sleep comfortably at night. Time will prove the fallibility of this "secure" system. It has happened before, and will happen again. Should it ever come to light that governments were indeed privy to citizens' secrets, I'm sure it will be said that it was only for our best interests.
 

Zorkorist

Diamond Member
Apr 17, 2007
You're confusing the implicit right to privacy found by the Supreme Court in Roe v. Wade with the right of free speech. The right of free speech is the right to make your voice heard, not keep it hidden. If the "strict constructionists" succeed in overturning Roe v. Wade then we have no constitutional guarantees of privacy at all.
That's interesting, and I had never heard that argument. I will research it, but anything else you have to offer along those lines, I'd appreciate.

-John
 

Zorkorist

Diamond Member
Apr 17, 2007
So Roe v. Wade is THE privacy argument?

And without it, Government pretty much has a say in anything we do? (duh)

I knew it was important to women, but I didn't know I cared until now.

-John
 

AnnonUSA

Senior member
Nov 18, 2007
Blackberry, it seems, has a large problem. In granting some Middle Eastern countries access to their servers, all countries and governments are going to want the same thing.

Oh and besides, nothing on the internet is secure. NOTHING. Anyone that thinks there is total security on the internet is dreaming.
 

Zorkorist

Diamond Member
Apr 17, 2007
So Roe v. Wade is THE privacy argument?

And without it, Government pretty much has a say in anything we do? (duh)

I knew it was important to women, but I didn't know I cared until now.

-John
That actually makes a lot of sense when you see the Religious "Republicans" trying to overthrow Roe v. Wade. They aren't trying to instill freedom, they are trying to deny it.

Democrats are worse... before anyone lays into me.

-John
 

Zorkorist

Diamond Member
Apr 17, 2007
Blackberry, it seems, has a large problem. In granting some Middle Eastern countries access to their servers, all countries and governments are going to want the same thing.

Oh and besides, nothing on the internet is secure. NOTHING. Anyone that thinks there is total security on the internet is dreaming.
There is relative security on the internet, for those that take it.

But it is fading away.

Makes me so mad that people can target my niece in an outskirt of Paris, and she is not protected, in any way shape or form.

-John
 

gsaldivar

Diamond Member
Apr 30, 2001
I just hope you're not giving anyone/any company advice on security with nonsense like you just typed.

No, I leave companies who want to be lulled into a false sense of security to the academics.
 

Thump553

Lifer
Jun 2, 2000
So Roe v. Wade is THE privacy argument?

And without it, Government pretty much has a say in anything we do? (duh)

I knew it was important to women, but I didn't know I cared until now.

-John

Pretty much, although the real seminal case establishing a right of privacy was Griswold v. CT, a 1965 US Supreme Court case that held unconstitutional a Connecticut statute prohibiting the use of contraceptives. In your research I suggest first going to the source material and actually reading the Supreme Court opinions in Roe v. Wade as well as Griswold; they are hardly the wild-eyed trampling of the Constitution that anti-abortionists claim they are. In fact, if Roe didn't involve abortion I suspect most people would trumpet it as among the greatest Supreme Court decisions of the last century.
 

Zorkorist

Diamond Member
Apr 17, 2007
I swear I have read the decisions before but will read them again in new light.

-John
 