Reg Water Cooler – What's this about the Canadian Mounties hacking millions of BlackBerry messages or some crazy moose doodie like that?
It's been reported today that the Royal Canadian Mounted Police (aka Mounties, aka Poutine Po-Po) obtained a global decryption key for BlackBerry phones in 2010, and that they used the key to read intercepted messages between people's personal BlackBerries in criminal investigations. Specifically, officers got a copy of a skeleton key that can decrypt messages sent via BIS – the BlackBerry Internet Service.
That sounds like a big deal!
Well, only if you can't remember as far back as 2010, 2012 and 2014 when this was all over the news. Messages sent via BIS can be read by law enforcement if they ask BlackBerry (or RIM as it was called back then) for access to the skeleton key. Basically, BIS uses a shared key to encrypt and decrypt communications; this key is known to all handsets so they can scramble and unscramble messages between themselves. And the police are able to request that key through various surveillance laws, and therefore decrypt collected messages.
So can the police read my comms?
Only if you're on the consumer BIS platform. Police, and BlackBerry itself, do not have the keys for messages sent through BlackBerry Enterprise Server (BES) systems. If your organization is or was using BES to handle messages between devices, the communications are encrypted using a key known only within your org. And unless investigators get hold of that key, they can't decrypt intercepted messages via your BES setup. It's all explained here in this article from 2010.
Wait, isn't BES the part of BlackBerry that hasn't gone down the drain?
Yes, yes it is.
As BlackBerry has seen its market share fall under one per cent of all smartphones, the Enterprise Server side of the business has been the one bright spot, and many analysts believe that the only way BlackBerry will survive is by dumping its phone business and becoming a software-only outfit specializing in the secure BES platform.
So what were governments getting upset about over BlackBerry encryption a few years ago?
That was BES, not BIS, which BlackBerry says is insecure. BlackBerry hands over the shared BIS key to crimefighters if they lawfully need it. Certain governments have asked BlackBerry to hand over the keys to BES systems, something the Canadian company has been unable to do because only those who operate the servers (and their users) have the private crypto keys.
What? Go over that again.
If you sent your messages via BIS, police are likely able to decrypt your communications, and they have been able to do so for years. It was no trouble for the cops in London, UK, to get the shared key to decrypt BIS messages sent during the 2011 riots. Indian authorities also got the key within hours of asking.
If you sent your messages via a BlackBerry Enterprise Server, however, the cops can't decrypt the data. Well, not unless they exploit some unknown vulnerability, or get BlackBerry to backdoor BES.
So that Vice article was right or wrong?
It was right in that it reaffirmed what we already knew. Police can read BlackBerry communications if the texts go through BIS, which has now been largely abandoned by world+dog. The BES tech that is still BlackBerry's (admittedly meager) bread and butter has not been compromised (as far as we know). ®