For years, security has been BlackBerry née RIM’s bread and butter. It was the company’s major selling
point in the early smartphone era, when businesses flocked to BlackBerry, and it’s been a major selling
point for both BB10 and the new Android-based Priv. A new report casts doubt on just how secure many
BlackBerry devices actually are, with potentially significant consequences for the company.
Motherboard has published a report on the Netherlands Forensic Institute, in which that organization
claims to have the ability to break PGP-encrypted BlackBerry devices. The NFI handles forensic investigation
into criminal cases, and as such, would be responsible for assisting with police cases and discovering what
data might be held on a device.
News of the organization’s abilities first broke last December, when documents surfaced that
alleged the NFI worked with a private company, Cellebrite, to develop the software in question.
PGP-encrypted BlackBerry devices are sold by a number of vendors, usually with claims that using
PGP offers an additional safeguard against threats.
PGP (Pretty Good Privacy) is a data encryption method that can be used to cryptographically sign emails,
documents, or entire disk partitions. The diagram below shows how PGP functions:
Most of the BlackBerry vendors that offer a PGP-encrypted device appear to guarantee at least 256-bit AES
encryption. So how is Cellebrite breaking into devices? Some clues to the company’s methods were disclosed
in a forensic presentation in June 2014.
If a BlackBerry device isn’t paired to a BlackBerry Enterprise Server (BES),
it may be possible to attack it using chip-off (literally removing chips from the device for
forensic analysis) or through a JTAG debugging connection on older devices.
Devices that are attached to a “friendly” BES server can also be hacked by using the BES to reset
the device’s credentials remotely.
If a device is attached to an unfriendly BES, it’s essentially impossible to crack. From the looks of
the report, however, the Dutch police are still performing a chip-off attack against devices and using a
Cellebrite UFED Physical Analyzer to read the memory chips themselves.
As to whether this is a serious problem for BlackBerry, I’m inclined to think it isn’t.
One of the rules of security is that a sufficiently determined attacker with physical access to the
underlying hardware can almost always punch through any security scheme, given sufficient time and
resources. Most encryption methods focus on making the amount of time required to crack a device
extremely high, but they don’t offer total protection — and removing the memory chips from a product
and plugging them into a separate programming device is about as hardcore as it gets.
This news does indicate, however, that a BlackBerry Enterprise Server offers significant protections that
just using PGP does not — provided the server is “unfriendly” and non-cooperative with legal requests to
unlock the device.