BlackBerry is refuting recent media claims that its encryption was “cracked” in police investigations where data was recovered from encrypted devices.
Police in the Netherlands and Canada reported that they had managed to access data from BlackBerrys in recent investigations, prompting BlackBerry’s unsigned blog post stating that its devices are “secure as they have always been.”
The company also firmly denied that BlackBerrys have backdoors for law enforcement access.
The “cracked” reports first emerged after Dutch website Misdaadnieuws published documents from a criminal case claiming that the Netherlands Forensic Institute (NFI), a Dutch law enforcement agency, was able to access encrypted data from a BlackBerry PGP device.
Motherboard picked up the story and got confirmation from NFI and the Royal Canadian Mounted Police that they had recovered supposedly-encrypted data from BlackBerry PGP devices, although neither law enforcement agency would say how.
BlackBerry said in the blog post that it had no details about the types of device the reports were referring to, or how they were configured or protected, and suggested numerous ways other than “cracking” that the police might have used:
If such an information recovery did happen, access to this information from a BlackBerry device could be due to factors unrelated to how the BlackBerry device was designed, such as user consent, an insecure third party application, or deficient security behavior of the user.
BlackBerry also said “there are no backdoors in any BlackBerry devices,” and it doesn’t store and can’t share device passwords with law enforcement:
Furthermore, there are no backdoors in any BlackBerry devices, and BlackBerry does not store and therefore cannot share BlackBerry device passwords with law enforcement or anyone else. In other words, provided that users follow recommended practices, BlackBerry devices remain as secure and private as they have always been.
Politicians and law enforcement officials in several countries, including the US and UK, have called for backdoor access to encrypted data, particularly on smartphones.
The demands for backdoors have only grown louder since the terrorist attacks in Paris in November and in the US city of San Bernardino a few weeks later.
Technology companies such as Apple, Google and Microsoft have long stated that backdoors are a bad idea – a position that the governments of the Netherlands and France have now come around to endorse.
BlackBerry has gone on record against backdoors many times, including just last month, when it nearly pulled its operations out of Pakistan until the government of that country relented in its demands for access to BlackBerry’s servers.
Nevertheless, BlackBerry CEO John Chen said in a 15 December blog post that his company’s “privacy commitment does not extend to criminals,” and BlackBerry would work with law enforcement wherever possible “within legal and ethical boundaries.”
SOPHOS STATEMENT ON ENCRYPTION
Our ethos and development practices prohibit “backdoors” or any other means of compromising the strength of our products for any purpose, and we vigorously oppose any law that would compel Sophos (or any other technology supplier) to weaken the security of our products.
Image of BlackBerry logo courtesy of Pieter Beens / Shutterstock.com.
John Quig
Blackberry encrypts all traffic from the device to the BES, the BES to the central servers in Canada (not inside the central servers) out to the next BES server and then to device. The weak link is at the central servers sitting in Canada.
Paul Ducklin
In both the RCMP and the Dutch cases above, it seems as though the data recovery was “standalone only” – no server connections were required or used and the cops had physical access to the device.
jejaffe
see paragraph [58] In the Van Van Vu case 6/22/2015 – where it says 3 of the Blackberries (nothing about servers) were analyzed by the RCMP and “the contents were decrypted”. Sounds cracked to me. Jonathan @NC3mobi
Paul Ducklin
It also suggests, IIRC, that not all the emails were recovered (neither in the CA nor the NL case)…which sounds short of a cryptographic crack to me.
jejaffe
Paul – I reread the cases and ask – is it possible that the PGP application was cracked and Blackberry (which does not make the application) is being unjustly smeared in an easy bid for name recognition and a savings of column inches?
It is easier to write “Blackberry Cracked” than “The third party PGP application commonly used in Blackberry phones was cracked.” The language in the Canadian case says the messages were extracted, but there are no details.
Cyber 6
Why would RCMP or NFI want to brag about hacking Blackberry? They often don’t talk about an ongoing investigation nor discuss the methods. This cracking story sounds too fishy to be true.
Paul Ducklin
To be precise, the cops said they’d recovered messages that were generally assumed to be unrecoverable. So there was no “bragging about hacking BlackBerry” and no “cracking story,” which was really the point that the article was trying to make. (And why BlackBerry took exception to some of the coverage it was given.)
Mike Lamonte
The method both agencies used is as the Dutch NFI called it very simple. they removed the cashmemory from the device and copied this data and then used a decryption program ( chip off method ) . Im not very technical but i have read this in a Dutch article. This means that the RAM wasnt incrypted. They also state that not all devices could be read, because some devices where actually configurated right.
Myntex
The reason the messages were able to be de-crypted was due to extremely negligent PGP hosting policies. They were storing all the private encryption keys on their servers along with a record of all the messages. These are two EXTREMELY bad things to do when hosting PGP Encryption.
This wasn’t a case of anything being hacked, this would be equivalent to saying your PC got hacked when you left a Post-It note on your monitor with your password on it.
Reputable PGP Service providers do not store their users messages, or more importantly their private keys on their servers.
This was a case of neglect, not a case of anyone being hacked.
Anonymous
Can someone (police agencies) track (spy on) your phone calls, texts, and emails from your Blackberry?
Mussab
So its only possible to obtain certain info.ifyour pgp service provider,is not doing their job wright to began with when storing surtain information