Is BlackBerry messaging secure?

Published Feb 22, 2012 04:13am

In a BlackBerry, PIN-to-PIN messaging uses Triple Data Encryption Standard (Triple DES). It is relatively more secure than regular unencrypted e-mail. – File photo

A little disclaimer to pacify the wrath (that I may face) of BlackBerry lovers: The idea behind this article is not to denounce or to find faults with the BlackBerry OS. If anything, I believe it to be one of the most secure mobile operating systems in the world. Instead, it is an effort to talk about how the integrity of communications originating from a BlackBerry device can be compromised. The ‘memo’ crisis in the country (hint: an ambassador, a businessman, and the media) makes the argument more interesting, as a claim is being made that BBM (BlackBerry Messenger) messages might be forged or spoofed, while the authorship of those text messages is yet to be confirmed.

Well, let’s not get carried away and just start off with the basics. In a BlackBerry, PIN-to-PIN messaging uses Triple Data Encryption Standard (Triple DES). It is relatively more secure than regular unencrypted e-mail, because the messages are not exactly travelling over the internet; rather, they are routed via the path described below:

  • A BBM PIN-to-PIN message sent by a user is sent to the cellular service provider’s network.
  • The cellular service provider then forwards the message to the Research in Motion (RIM) relay station in Canada.
  • The RIM relay station then relays the message to the receiving BlackBerry’s cellular service provider.
  • The (receiving) cellular service provider then transmits the message to the intended recipient.

The Achilles’ heel of BBM is that while PIN-to-PIN messages are encrypted using Triple DES, RIM adds a global cryptographic “key”, which is shared between every BlackBerry device manufactured. This automatically allows a situation (in theory, at least) where, if the messages can be intercepted at the cellular service provider’s network and the intercepting party manages to spoof the intended recipient’s PIN, any BlackBerry device can be used to decrypt all PIN-to-PIN messages sent by any other BlackBerry device. While this has not happened yet, or at least has not been brought to our attention, the scenario lies entirely within the realm of possibility.

The same key, used by all BlackBerry devices to be able to decrypt PIN-to-PIN messages, can be used by RIM at their relay station to decrypt any user’s messages. Again, this is not to suggest that RIM is in the business of reading their users’ content. However, if legally put to the task, RIM can provide decrypted PIN-to-PIN messages in clear-text to law enforcement authorities.

In addition to the above mentioned methods, commercial software is available in the market that can be:

  • deployed on your BlackBerry device by a non-authorised user or
  • remotely deployed by either state agencies or the network service provider on their behalf.

These programs essentially act as key loggers on your BlackBerry, copying and transmitting all sorts of information that you view and have access to on your smartphone. Furthermore, a BBM’s data can only be removed by carefully going through the list of applications/services installed on the device or by hard-resetting it.

If, as a business, you choose to keep the message exchange between you and your employees secure, you will need to install a BlackBerry Enterprise Server (BES) at your premises. That is the only way to enhance the security of the message before it leaves your BlackBerry handheld. While it is also possible to deploy Pretty Good Privacy (PGP) encryption on the BlackBerry, it exceeds the scope of this article.

However, it should be understood that if you are not using BES, you should not consider PIN-to-PIN messages as ‘secure’ and/or encrypted. The messages are only scrambled to the point where a normal third party cannot view them.
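
The key-scope argument above (a fleet-wide PIN key versus an organisation key set through BES), as an added example that is not from the article or from RIM. It uses an HMAC-SHA256 stream construction as a stand-in for Triple DES, since the point is who holds the key rather than which cipher is used. The keys, the party names and the assumption that the organisation key exists only on that organisation's handsets are constructed for illustration.

```python
import hashlib
import hmac
import os

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a stand-in cipher, NOT Triple DES.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Return the plaintext, or None if `key` did not seal this blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

# Constructed keys (assumptions): one shared by every handset and the relay,
# one provisioned only to a single organisation's handsets.
GLOBAL_KEY = hashlib.sha256(b"constructed fleet-wide PIN key").digest()
ORG_KEY = hashlib.sha256(b"constructed organisation key").digest()

PARTIES = {
    "recipient handset (in organisation)": [GLOBAL_KEY, ORG_KEY],
    "unrelated handset": [GLOBAL_KEY],
    "relay operator": [GLOBAL_KEY],
}

def who_can_read(blob):
    """List every party holding a key that opens the intercepted blob."""
    return [name for name, keys in PARTIES.items()
            if any(unseal(k, blob) is not None for k in keys)]

if __name__ == "__main__":
    msg = b"constructed PIN-to-PIN message"
    print("global key:", who_can_read(seal(GLOBAL_KEY, msg)))
    print("org key:   ", who_can_read(seal(ORG_KEY, msg)))
```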

Now, coming down to the argument being presented in the current political fiasco, it’s understood that privacy advocates will come down hard on RIM to keep it from invading the privacy of the involved users. At the same time, we should also consider Britain’s Regulation of Investigatory Powers Act, which carries stringent provisions for protecting user rights, and makes it nearly impossible, without long court battles, to get hold of the data.

Additionally, many people argue that it is entirely possible that BB chat exchanges can be created, distorted or even modified. This, while possible, remains a highly unlikely eventuality, as this would require alteration of data on the cellular service provider’s network, before being fed into the RIM relay station. As for this Memogate scandal, the Pakistani diplomat was staying in the US back then, therefore it would automatically imply a foreign government’s involvement.

If we take a closer look at events in the past, then this might not be the first time that demand for access to exclusive data has been put forward. RIM’s encrypted communications have caused grievances to oppressive regimes in the Middle East as well. Several countries of the region threatened to ban BlackBerry services altogether if RIM didn’t give them access to BB chat exchanges, primarily for “counter-terrorism purposes”. RIM did eventually agree to provide access – and that is probably what will happen in Pakistan’s case as well.

Abdullah Saad is the co-founder of Wccftech.com and is a freelance writer. He wrote this article for the February 2012 edition of Spider Magazine.



Comments (6) (Closed)


IM
Feb 22, 2012 07:20pm
Blackberry is a dying technology. Only a matter of time. That's all I gotta say. Android and iOS are killing it. Especially the new turn that iOS took in capturing the corporate sector, most of Fortune 500 are with Apple. Some big clients of Blackberry, e.g. Halliburton, are now switching from Blackberry to iPhone. Future of RIM is not looking good.
SSG
Feb 22, 2012 10:14pm
<> This is technically impossible. Let's leave decryption aside - virtual spoofing a handset would not only require the PIN of the device but IMEI, MEID (in case of a CDMA handheld) and the TMSI/PTMSI assigned by the network. The latter is assigned randomly upon authentication, integrity and ciphering protection in the network. And then decrypting a Triple DES msg with internal security keys taken by the OEM makes it a helluva task IMHO.
Umair Ali Rashid
Feb 24, 2012 02:04am
You apparently have never heard of device cloning.
t
Feb 24, 2012 10:55am
It is secure to an extent but note that the local telecom service provider can read the messages even if random people cannot. If you think NO ONE YOU KNOW can read what you write, that is not true. I speak from personal experience.
Rashid
Feb 24, 2012 07:29pm
Haqqani is on the right as he came to country. It is propaganda only against Haqqani
bezza
Apr 23, 2012 12:49pm
Can anyone help me? I have a BlackBerry Curve lilac; it keeps deleting BBM messages but only to one contact!! Can you tell me why this happens? Also, is it possible when someone did upgrade for me that they have set it to send them copies of everything I do on my phone to their BlackBerry Torch?