It is abundantly clear that John Chen, the whiz kid charged with turning BlackBerry (NASDAQ:BBRY) around, is attempting to leverage the company's reputation for providing secure enterprise class messaging in order to recapture the minds and hearts of corporate America:
BlackBerry's end-to-end security model is built on a foundation of secure hardware interacting with secure software. Security is reinforced at every level of the device from CPU to boot ROM, to OS and file system, and applications. The root of trust that BlackBerry builds for its customers remains unbroken throughout the chain, and is unlike other security models that rely on the interaction of components from multiple vendors.
However, rarely a week goes by that one author or another doesn't call the validity of this assertion into question. Not only that, but some media outlets are openly critical of BlackBerry, suggesting that competing messaging platforms, such as Threema, are significantly more secure. If Chen's claim is in fact a fallacy, BlackBerry will have lost their last competitive edge and be doomed to obscurity.
On almost a weekly basis, sensational headlines elude to there being yet another reason to distrust BlackBerry security. However, if you read beyond the headlines, most are unfounded and in fact are simply a rehash of the same old issues.
- Various covert government agencies can and are monitoring BBM messages.
- In 2010, BlackBerry provided the governments in India and Saudi Arabia with encryption information allowing them to bypass BBM security.
- BlackBerry's encryption algorithm is fundamentally flawed; a 'backdoor' exists allowing anyone to decrypt BBM and BES.
- BB10 provides no better security than iOS, as demonstrated by the recent flaw found in the Android Emulator that allows 'malicious apps' to access confidential information on the device.
If the shear number of negatively slanted articles wasn't bad enough, authors in Germany openly condemn BBM as insecure, stating that BBM is no better than WhatsApp.
BBM Security Model
Before discussing specific concerns, it is important to understand BBM security in a historical context. In the early days, BBM messages were thought to be completely secure for the simple reason that the messages, rather than traveling on a public network, traveled on BlackBerry's proprietary infrastructure.
As time passed, concern clients raised that, as messages weren't encrypted, various parties, including BlackBerry themselves, could still snoop. Blackberry responded, providing firms, by means of BES, with the ability to securely encrypt messages. In early 2010 encryption was extended to all BBM messages. However, two important facts need to be keep in mind:
- Only the body is encrypted; the header, including sender & receiver PINs, subject line, status (sent, received, read), along with time stamps, is sent as plain text.
- A single encryption key is used for all but 'BES secured messages' and that key is known by BlackBerry, hence these messages can be decrypted by BlackBerry.
When BlackBerry extended encryption to all BBM messages, rather than adding a 'new' layer of security, conceptually, they created a huge virtual 'BES' server to 'manage' those messages not already 'managed' by a private BES server. Some may criticize this approach, however it demonstrates the basic philosophy behind BlackBerry's approach to security - simplicity. The more complicated your approach, the more opportunities for holes to be overlooked.
One problem for BlackBerry is that even 'reputable' sources often fail to distinguish between public messaging and BES secured messaging.
The Washington Post, in a recent article "The NSA has killed the best argument for still using a BlackBerry", initially reported that not only had the NSA cracked BBM security, but that BlackBerry had provided them with the encryption keys necessary to decode BBM messages to various governments. As it turned out, not only were these facts only partially correct, the original article even failed to differentiate between BES secured and non secured messaging leading to a correction being later added.
Given probable charge, few would argue BlackBerry should stand in the way of local law enforcement obtaining the information required to apprehend those who use BBM for illegal activity. For example, who would argue with BlackBerry provided information contained in messages, if that evidence was needed in order to take down a child pornography ring? That said, adequate safeguards need to be in place care to ensure privacy rights are not abused.
When BlackBerry began encrypting all BBM messages in 2010, they advised the public that they would still cooperate with local law enforcement and provide requested information, but only once proper legal channels were followed (In the U.S., this entails obtaining a court warrant). More recently, and perhaps more disturbingly, BlackBerry admitted that they provide, governments which have requested it, BBM header information for messages sent by or to individuals within the country's borders.
However, BlackBerry has also made it absolutely clear that they have NEVER provided the contents of BES secured messages to anyone. In fact, they have gone so far as to claim this would be impossible, as they do not have access to the necessary encryption keys (these are generated by each individual BES server).
BBM and India
It is rarely reported the extents to which BlackBerry goes to ensure the security of their messaging infrastructure.
In 2010, when India demanded that BlackBerry provide their encryption keys or face being banned, BlackBerry refused. Instead, and at great expense, BlackBerry devised a different method to provide the enhanced monitoring demanded. In conjunction with local ISPs, dedicated 'bridge' servers were set up to handle local BBM traffic. On these servers, non BES secured messages are decoded and then recoded (similar to the classic 'Man in the Middle Attack' strategy used by hackers). Since only 'local' BBM messages pass through these servers, the integrity of the rest of the messages flowing through BlackBerry's data center in India is maintained. As these new servers were set up by BlackBerry, they avoided the 'need' to provide specific encryption keys to India.
NSA and GCHQ Access
In a previous article, it was reported that the British Government (GCHQ) had monitored BlackBerry messages, sent by key foreign government officials, during a G8 conference in London. At that time, details were vague, but in recent articles, on 'Spiegel.de', more details have come on regarding the extent of the breach.
- By 2009, GCHQ and the NSA were able to successfully capture and read unsecured Blackberry messages (timing which corresponds to when GCHQ reportedly listened in on confidential G20 summit communications). This was accomplished by means of new technology developed for GCHQ which made it possible to tap directly into fiber optic trunks without being noticed - something which previously was believed to be impossible.
- In response, BlackBerry changed the format of messages (i.e. encrypted the body of messages). The NSA reported that as of 2010 the difficulty of deciphering messages increased significantly.
- In leaked 2012 documents, the NSA stated they were once again able to 'capture and process' messages adequately for the information to be used to prosecute a target, however the documents go on to state that in the case of BES secured messages this requires "sustained" effort by NSA's Tailored Access Operations Division (TAOD).
For those unfamiliar with NSA's TAOD, this department is essentially a team of elite hackers (not encryption specialists). The admission that a sustained effort is required by this department, suggests that the only way to 'hack' BES messages may in fact be to 'hack' and then monitor the actual BES server managing the messages, rather than a case of cracking the encryption.
That said, don't kid yourself, if you're a 'non business' BBM subscriber, the government likely can monitor your messages. Your messages may be more private than if you used WhatsApp, but if you want 'secure' messaging your going to have to set up your own BES server.
Various articles 'attack' BlackBerry for the fact that they use Dual Elliptic Curve Cryptography (DECC) to secure messages and that a theoretical vulnerability exists which can be exploited. The basis of this attack is that it has been shown that the NSA ensured certain parameters were used when development the public implementation of ECC (SP 800-90A), such that they would be able to easily decode encrypted messages:
Recommending against the use of SP 800-90A Dual Elliptic Curve Deterministic Random Bit Generation: NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used.
Without going into tremendous detail, the problem with DECC is that it is possible, by setting certain parameters to specific known values, and tolerating enough round off error in the verification algorithm, to have a system which generates keys, which, anyone who knows these parameters, can crack once they obtain a single decoded message. This is the case with SP800-90A, the NSA know these parameters and hence in effect have a 'master key'.
Although BlackBerry supports the use of SP800-90A encryption, neither BES or BBM use this algorithm by default. Rather, by default, BlackBerry uses their own key generation algorithm. Whether BlackBerry, when developing their key generation algorithm, selected appropriate constants and/or made the key verification algorithm sufficiently loose to provide a backdoor is unknown. But, when comparing alternatives, theoretically it is possible to engineer a 'backdoor' into every leading key generation algorithm, so other vendors solutions expose users to this same risk.
This controversy would likely never have occurred if Certicom and the NSA had been honest and admitted that although SP800-90A DEC provides extremely strong encryption, the NSA hold a master key.
Secure Workspace NOT So Secure
BlackBerry Balance is 'marketed' as a method for corporations to securely manage mobile devices, while still allowing employees the freedom to make the devices their own. Yet, with the latest release of BB10, it has been reported that 'malicious programmers' can take advantage of a 'vulnerability' in the Android emulator to gain access to confidential information on the device. The assertion by critics being that the 'veil of secrecy' had been pierced which undermines the very viability of Blackberry Balance.
By means of BES, it was suppose to be possible to set the access Android applications had to the address books as 'No Access', 'Personal Address Book Only' or 'Both Address Books'. The problem is that this setting is currently ignored, so Android apps always have full access to both address books. BlackBerry has acknowledged the problem and claim it has been corrected - the challenge is that BlackBerry has no way to push the fix out to customers, and ISPs refuse to do so until the next major update.
When looking at this problem from a 'security' perspective, it is important to remember that the only data that this problem allows Android apps to access is contact information - nothing else. Moreover, for those for whom this is a problem, there are a number of ways to mitigate the risks. First, corporations can, by setting the applicable BES rule, prevent the installation of Android applications until the problem is resolved. Second, Android security can be set to prevent the installation of any application which requests access to the address book.
However, this occurrence should not be completely overlooked by investors. The many layoffs at BlackBerry has included most of their former 'product testing' division. The fact that this 'programming error' slipped by during final QA suggests that perhaps BlackBerry has cut staffing in this area too much. Only time will tell.
After looking in depth at reported security issues facing BlackBerry, BlackBerry's reputation would appear to be well deserved. As reported elsewhere, despite the U.S. President's desire to use an iPhone, for security reasons, he STILL has no choice but use a BlackBerry:
If the people responsible for security give you a nod and a wink that maybe an iPhone *isn't* the most sensible device in the world for an American president to rely upon for his privacy and security, I guess they must have their reasons, right?
As Chen has pointed out, for a corporation, 'security' involves more than just the contents of messages. Rather, it includes how easy it is to lock down the device, restrict who the device can be used to contact, what applications can be installed, and what information can be shared. Although this level of control is possible with other devices, it must be 'added on', by installing third party solutions, such as MobileIron. BlackBerry is still the ONLY single vendor solution available.
However, often when it comes to security perception matters more than reality and perception is often driven by the media... media that often seem out to destroy BlackBerry. With many WhatsApp subscribers in Germany jumping ship, stating security and privacy concerns, one would think BBM would receive a boost. But that's not happening... instead, the masses are moving to a Swiss based new comer, Threema.
The answer may be that the media in Germany keep playing up a comparison between BBM and Threema, by WARENTEST, a German consumer advocacy organization. A comparison which, based on a number of poor assumptions, proclaimed that BBM is no more secure than WhatsApp, and that Threema is the current technological leader in secure messaging.
Chen has been extremely effective at addressing many corporate concerns, however monetizing BBM is all about getting the average person to 'trust' that BBM is secure. This won't happen as long as the media is against BlackBerry - Rather, newcomers like Threema, will ultimately displace BBM, undermining BlackBerry's attempts to continue to monetize their messaging platform.
Disclosure: I am long BBRY. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.