How secure is BBM? Not very.

by Volker Weber

Time for a bit of b/s detection around BBM. First, the party line.

BBM lets you chat and share with a speed, control and privacy you can’t get on other instant messenger apps.

How is this privacy enabled? There are two layers of encryption:

  1. The smartphone communicates with the BlackBerry infrastructure via TLS.
  2. Messages are scrambled with a Triple DES 168-bit key.

TLS ensures transport security between the device and the BlackBerry infrastructure. However, once the message comes out at the server end, it is readable there. Notice the word scramble instead of encrypt. All BBM messages are scrambled with the same key. Yes, you read this correctly. The same key. As a BES administrator you can set a different key; that creates an island in which all your users can communicate with each other, but not with anyone outside your organization*.

This is where BBM Protected comes into play. It offers a third level of encryption:

Messages between BBM Protected users are encrypted using a PGP-like model. The sender and recipient have unique public/private encryption and signing keys. These keys are generated on the device, by the FIPS 140-2 certified cryptographic library, and are controlled by the enterprise. BBM and BlackBerry are not involved in brokering the key exchanges so at no time are they stored within the BlackBerry infrastructure. Plus, each message uses a new random symmetric key for message encryption. Even if one message in a conversation were somehow compromised, the remaining messages would remain protected.

Translated into plain engineering terms: BBM Protected uses a public key infrastructure. For each message a new symmetric cipher key is created and encrypted with the public key of the receiver. The message itself is encrypted with the symmetric cipher key. Then both the keys and the cipher text are transmitted over the existing two security layers of the BBM infrastructure. Assuming your BES is secure, this will protect the privacy of your messages.

Why is the symmetric key necessary? Two reasons: first, BBM can send large volumes of data, for which asymmetric encryption is too slow. Second, you encrypt the message once for all recipients and then encrypt only the short cipher key for each recipient individually. The same mechanism also provides an audit trail, if you additionally encrypt the cipher key for your audit archive.
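The hybrid scheme described above, written out as an added example in Go; this is not BBM Protected's or BlackBerry's code. A fresh AES-256-GCM key encrypts the message once, RSA-OAEP wraps that key for every recipient, and the audit archive is simply one more recipient. The Envelope layout and the recipient names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope carries the ciphertext plus one wrapped copy of the message key per recipient.
type Envelope struct {
	Nonce, Ciphertext []byte
	WrappedKeys       map[string][]byte // recipient name -> RSA-OAEP(message key)
}

// Seal encrypts once under a fresh AES-256-GCM key and wraps that key for every
// recipient public key; an audit archive is simply one more recipient.
func Seal(plaintext []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // key and nonce used for this one message only
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block) // AES block: cannot fail
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), WrappedKeys: map[string][]byte{}}
	for name, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[name] = w
	}
	return env, nil
}

// Open unwraps the key copy addressed to name and decrypts; a private key without a copy fails at DecryptOAEP.
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKeys[name], nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key) // rejects a key of the wrong length
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

Note that the per-message key never leaves the device in the clear: the infrastructure only relays OAEP-wrapped copies that it cannot open without a recipient's private key.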

Management summary: BBM Protected may be secure. BBM probably is not.

ad *) There is a requirement in regulated industries such as finance to provide an audit trail for all communications. Easy for email on your own servers, not so easy for messaging provided by a vendor. Therefore there is an option to provide that audit trail for BBM: the BES administrator can log all BBM messages to a log file or send them to an email address.

Comments

The link you provided regarding BBM logging is only available on BES 5 (and therefore legacy devices). With BB10 OS the BBM always runs in the personal perimeter, which means it cannot be audited at the moment. However, this is going to change with BBM Protected, which then is able to run in the work perimeter, too.

I never understood how many enterprises are tolerating IMs without ANY security measures or even SMS. BBM might not be "secure" but the basic security it delivers out of the box (for about a decade now!) is much better than what is integrated in 95% of the other IMs. The key that is used to scramble the BBMs is not public knowledge and even if it were, there is still the TLS layer from the device to the BlackBerry NOC, which makes it unlikely that someone reads a BBM message just by using any packet capture software in an internet cafe (hello WhatsApp! ;)

Anyway, for secure corporate IM it is recommended to use the Enterprise Messenger through BES5/BES10, which allows connecting to a Sametime or Lync environment; this also integrates desktop users. In this case the enterprise has control over the encryption keys.

Bastian Anthon, 2014-06-13 09:48

Public knowledge or not, the same key for all users is not secure. And messengers with public key encryption are indeed available today, but not widely used.

Volker Weber, 2014-06-13 10:31

© 1992-2014 Volker Weber.
All Rights Reserved.