How Canadian Police Intercept and Read Encrypted BlackBerry Messages

by Volker Weber

Imagine for a moment that everybody’s front door has the same key. Now imagine that the police have a copy of that key, and can saunter into your living room to poke around your belongings while you’re out, and without your knowledge.

By way of metaphor, this is exactly how the Royal Canadian Mounted Police, Canada’s federal police force, intercepted and decrypted “over one million” BlackBerry messages during an investigation into a mafia slaying, called “Project Clemenza," that ran between 2010 and 2012.

This is actually no big news to anybody who knows how BBM works. But it is going to bite BlackBerry, because they like to pride themselves as the master in security. The truth is that BBM is not more secure than SMS, because all messages are encrypted with the same key. And access to that key is what countries wanted from BlackBerry, when they demanded lawful inspection. They could read SMS just fine, but not BBM. Since you can easily run a man-in-the-middle attack once you have the key, it is exactly as insecure as SMS.

BlackBerry also has a product called BBM Protected which puts end-to-end encryption on top of BBM. But that's not free. It really does not matter much anymore since everybody and their grandma now uses WhatsApp which has end-to-end encryption to begin with. The only thing that is going to happen is that this case will damage BlackBerrys image. And it's their own fault since they always lumped insecure technology together with secure one under the same brand, pretending it was all secure.

More >

Comments

You nailed it.

Richard Kaufmann, 2016-04-15

Danke. Laut unseren Foren-Trollen sind wir von WhatsApp gekauft. :-)

Volker Weber, 2016-04-15

Exactly right.
Well, no one can claim that RIM/Blackberry was murdered.
It was pure, lengthy, suicide by thousands of small and large stabs.

Craig Wiseman, 2016-04-15

Old vowe.net archive pages

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.

vowe

Paypal vowe