funsec mailing list archives

How did the RCMP crack BlackBerry's security?


From: Jeffrey Walton <noloader () gmail com>
Date: Thu, 12 Jun 2014 20:05:18 -0400

http://ottawacitizen.com/technology/internet/how-did-the-rcmp-crack-blackberrys-security

BlackBerry Ltd. has long held that its BlackBerry devices are among
the most secure in the world, but it turns out the platform isn’t as
bulletproof as many had been led to believe.

On Thursday, Royal Canadian Mounted Police revealed the results of
Project Clemenza, which it began in 2010. During the course of its
investigation, the federal police force says, it intercepted more than
a million private messages sent using BlackBerry’s PIN-to-PIN
messaging, which led police to identify suspects in a series of
violent crimes that included arson, forcible confinement and drug
trafficking.

Personal Identification Number (PIN)-to-PIN messages are not the
company’s popular BlackBerry Messenger service (BBM), which the
company still contends is ironclad when it comes to keeping messages
secure. PIN-to-PIN allows BlackBerry users to send email directly to
one another, keeping it from going out into the Internet where it
could be spied on by prying eyes.

PIN-to-PIN messages are encrypted with what is known as Triple Data
Encryption Standard (DES) encryption technology, which is among the
best in the world. However, BlackBerry devices use what is known as a
global cryptographic key to decode all of the messages sent to its
devices. By faking, or “spoofing”, the PIN of the receiving BlackBerry
device and utilizing the global cryptographic key, all messages sent
to that device can be viewed by an eavesdropper.

The flaw in BlackBerry’s PIN-to-PIN messaging technology has long been
known by security researchers. In March 2011, the Communications
Security Establishment of Canada, the federal electronic intelligence
agency, released a security bulletin warning public servants to avoid
the use of PIN-to-PIN messaging and even urged federal departments to
disable the feature on the devices in order to ensure that it is not
used.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
