Police Say They Can Crack BlackBerry PGP Encrypted Email (sophos.com) 117

schwit1 writes: Police in two countries have claimed that they can read encrypted data from BlackBerry devices that are being marketed as having "military-grade security." The story originally broke when Dutch website Misdaadnieuws (Crime News) published documents from the Netherlands Forensic Institute (NFI), a Dutch law enforcement agency, stating that police were able to access deleted messages and read encrypted emails on so-called BlackBerry PGP devices. A representative from NFI confirmed that "we are capable of obtaining encrypted data from BlackBerry PGP devices," according to a report from Motherboard. On Tuesday, the Royal Canadian Mounted Police (RCMP) also told Motherboard they can crack encrypted messages on PGP BlackBerrys.
  • by tysonedwards ( 969693 ) on Wednesday January 13, 2016 @09:50AM (#51293019)
    It's called "Pretty Good Privacy".
    • by LichtSpektren ( 4201985 ) on Wednesday January 13, 2016 @09:53AM (#51293053)
      PGP works great for Linux users. If I had to make a guess as to why it's not working so great for BB customers, I would just take a stab in the dark and say it's related to the fact that BB's CEO openly defends putting backdoors in phones and computers for "lawful access" by governments.
      • PGP works great for Linux users. If I had to make a guess as to why it's not working so great for BB customers, I would just take a stab in the dark and say it's related to the fact that BB's CEO openly defends putting backdoors in phones and computers for "lawful access" by governments.

        That makes it military grade in an unintended sense. If you're a general, you want the capability to monitor your drones and troops.

        • by TheCarp ( 96830 )

          "Military Grade" as in "Got a Grade of A by military intelligence for sale to the public"

          • Seriously, I thought military grade meant a device won't break accidentally. If you dropped a military grade laptop while hiking, expect it to still boot up, but not if you tossed it out of a fourth-floor window. So this could be military grade for most people who don't work in military intelligence and just want some pretty good privacy.
        • If you're a general, you already have the key and don't need (or want) backdoors in your radios.
      • PGP works great for Linux users. If I had to make a guess as to why it's not working so great for BB customers, I would just take a stab in the dark and say it's related to the fact that BB's CEO openly defends putting backdoors in phones and computers for "lawful access" by governments.

        The BB's CEO never said such a thing. He never ever talked about putting backdoors, he talked about sharing METADATA with authorities if justified and required.

        • Assuming the COO is authorized to represent the company's position: 'In a talk entitled "Securing Mobility, Protecting Privacy", BlackBerry Chief Operating Officer Marty Beard told delegates that the company is a strong believer in providing law enforcement agencies with methods to lawfully intercept communications.' http://businessinsights.bitdef... [bitdefender.com]

          I've never been too keen on the "with us or against us" rhetoric, but this is math, not politics: systems are either designed to be as secure as they can be, or

      • If the following assumptions are true then PGP is secure.
        1. A non-vulnerable encryption algorithm with adequate strength is used.
        2. Private keys are only accessible on the reading device.

        You can buy expensive locks and security system for your home. If you cut a hole in the wall chances are the alarm isn't going to go off.

        Linux guys tend to put everything valuables in a safe hidden 2 feet underground with the sophisticated security system. Even then if police physically have access that's when the self dest

        • by HiThere ( 15173 )

          There's something in what you say, but when you say "Linux guys tend to put everything valuables in a safe hidden 2 feet underground with the sophisticated security system. Even then if police physically have access that's when the self destruct kicks in." you're really talking about the OpenBSD guys.

          • I thought that the OpenBSD guys used a battlefield nuke to wipe the contents of the safe on the second password error.
    • I believe PGP in this context is used for end-to-end security. If you intercept the message at one end, outside the encryption, then that isn't a PGP flaw. This sounds like the application on the device is not careful with plaintexts and keys in memory, and so the data and possibly the key can be recovered from a physical device. That is completely different from decrypting intercepted data. If, on the other hand, this BB contains a hardened chip that the key is never supposed to leave and they are able
  • by LichtSpektren ( 4201985 ) on Wednesday January 13, 2016 @09:51AM (#51293031)
    BlackBerry has an intense cadre of Internet shills that likely will be defending them within about a day or two. Just watch.

    For any sane person that cares about their privacy and safety, this should be the nail in the coffin for BB.
    • by Kardos ( 1348077 )

      Indeed. "We don't protect your privacy" is not a selling point in 2016.

      • by Thud457 ( 234763 )
        1. So this isn't just Blackberry handing over the keys to the BES server to law enforcement?
        2. Law enforcement says "don't use Blackberry because we cracked it". Stress on the "don't use Blackberry" part ?
        3. All serious jihadists use the Leapfrog Text & Learn these days.
        • by drew_kime ( 303965 ) on Wednesday January 13, 2016 @11:00AM (#51293419) Journal

          2. Law enforcement says "don't use Blackberry because we cracked it". Stress on the "don't use Blackberry" part ?

          That's what seems odd to me. Why would police disclose that they're able to do this? Isn't this the kind of capability you'd want to keep under wraps? Almost seems like they want people to avoid BB. I wonder why.

          • by ShanghaiBill ( 739463 ) on Wednesday January 13, 2016 @11:24AM (#51293571)

            Why would police disclose that they're able to do this?

            The police did not make an official statement about it. The information leaked out. The ability to decrypt was implied in a court document. It may have also been a cop or two bragging to a journalist "off the record".

            • Comment removed based on user account deletion
              • Also: This is Canada and Netherlands. Not two of the top countries in lying. (They do lie, but not as much as many others.)

                How do you know? You collected some kind of stats? How do you know they are not just better liars?

          • by AmiMoJo ( 196126 )

            They have no choice, it first came out in court documents that are a matter of public record. After that there is no point denying it. If they want to use it in court, they have to admit it.

          • by Agripa ( 139780 )

            That's what seems odd to me. Why would police disclose that they're able to do this? Isn't this the kind of capability you'd want to keep under wraps? Almost seems like they want people to avoid BB. I wonder why.

            I do not know the merits of their claim however the next best thing to breaking the encryption is to say you have broken the encryption so users move to a less secure system.

        • by HiThere ( 15173 )

          That's odd. I thought all serious jihadists used coded messages sent in clear text over the gaming talk channels.

          (Actually, if I recall correctly, they tend to use unencrypted text and unencrypted phone messages. At least that's what reports have said appears to have happened in both Paris and New York.)

      • What I've observed is that users rarely pick a device for its security. They pick it for MP of the camera, the name, the app availability, the screen size, the storage size... But never security. Just my personal experience.

        Security is an afterthought for most.

    • Tough statement to make on a story that is ridiculously vague......
      As an OS Blackberry is FAR SUPERIOR in security to both IOS and Android, but yeah, if someone physically has access or support from the Carrier/Manufacturer, you are screwed no matter what.
      This is a cheap shot at BB, nothing more, nor is the story even validated by ANYTHING
    • 'Just Watch' Apparently BB also has a legion of pathetic 'haters' who don't understand the QNX microkernel or what actual security is..............hating for hating's sake I guess?..............LOL
    • by hawleyg ( 803592 )
      What does BlackBerry need to defend here? This isn't about BlackBerry security - it's about the third party PGP apps that some have put around it according to TFA.

      Gosh, I must be a shill. Go find your tinfoil hat.
    • I'll take your Blackberry Internet Shills and I'll raise you Apple Internet Shills
  • Key is forensics. (Score:5, Interesting)

    by Anonymous Coward on Wednesday January 13, 2016 @09:57AM (#51293083)

    They aren't cracking PGP. This came from the forensics department. By far the most likely scenario is that they're able to recover either the key from memory/flash, or the unencrypted plaintext.

    Also, people still use Blackberrys?

  • Not necessarily (Score:5, Interesting)

    by nospam007 ( 722110 ) * on Wednesday January 13, 2016 @10:05AM (#51293125)

    Nobody said anything about 'cracking'.
    They were able to 'read' the messages after hitting the user with a wrench to get the password.

    • Nobody said anything about 'cracking'. They were able to 'read' the messages after hitting the user with a wrench to get the password.

      Well, if you want to be pedantic... What TFS literally says is "Police in two countries have claimed that they can read encrypted data from BlackBerry devices". I myself can also read encrypted data--it reads like random white noise, but I can read it!

  • I doubt it (Score:5, Interesting)

    by ooloorie ( 4394035 ) on Wednesday January 13, 2016 @10:13AM (#51293165)
    They almost certainly can't "crack PGP"; they may, however, have found flaws in the way Blackberry uses PGP. Or perhaps they are simply referring to the fact that they can intercept data as it is being decrypted on the device.
    • Re:I doubt it (Score:4, Interesting)

      by Rinikusu ( 28164 ) on Wednesday January 13, 2016 @11:30AM (#51293619)

      It wouldn't surprise me if the app saves the plaintext somewhere on the filesystem, creates an encrypted copy for mailing, and then just does a soft delete. With SSD/Flash memory write algorithms, it could be a very long time before that gets overwritten.

      • Yeah I'd bet the code looks like this:
        save(msg, temp_file)
        encrypt(temp_file, encrypted)
        mail(encrypted)
        delete(temp_file)

        Retrieving the plaintext is therefore a matter of recovering the deleted temporary file.

        • You forgot the step of sending the encryption key to the mother ship. That only takes a small packet or two. In fact, encryption keys could be batched together and sent to the mother ship when the phone regularly interacts with the mother ship to check for updates, etc.
      • by wbr1 ( 2538558 )

        It wouldn't surprise me if the app saves the plaintext somewhere on the filesystem, creates an encrypted copy for mailing, and then just does a soft delete. With SSD/Flash memory write algorithms, it could be a very long time before that gets overwritten.

        Incorrect. At least with SSDs (also flash memory), you cannot overwrite an existing block, it has to be erased first. To make sure writes are speedy, the firmware normally actually clears blocks immediately, or they are queued for rapid deletion during idle time, when a file is deleted. This is in contrast to a spinning disk where the entry in the file table is deleted but the blocks remain to be overwritten (or recovered) later.

        See: http://www.forensicmag.com/art... [forensicmag.com]

        • You are correct. However, you have no idea what the firmware behavior is. For example, if the SSD is 80% unused, does it need to clear blocks? What is the logic for determining "idle time"? Is the SSD file system aware? (i.e. - Does the OS have to trigger the trim, or does the drive have enough intelligence to do it without the OS?) Also, just for fun, remember that there are people who have phones that are 5+ years old, and may use antiquated techniques for determining their behavior.

          I have a recent

        • by Agripa ( 139780 )

          Since written pages are part of larger blocks which have to be erased all at once, a page with discarded data may exist without being erased until either all of the pages in the block are discarded and the block is erased or used pages are copied to a new block and the old block is erased. Individual pages cannot be erased.

      • Even with a "hard" delete, the data can likely still be there. Especially with SSD and flash, and their wear levelling algorithms, where a sector erased and written may not be the same sector that had data on it. In theory, a TRIM should blow that away, but it may be a while before the drive's garbage collector goes and erases those pages. It would be nice to have a "secure wipe these pages now" function in the command set.

        • It would be nice to have a "secure wipe these pages now" function in the command set.

          If there were, I'd be worried that it would be implemented as a "flag this data as sensitive, to be uploaded to [insert TLA or manufacturer corporate espionage department] at the earliest opportunity" command instead.
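
The flash behaviour argued over in this subthread (no in-place overwrite, pages erased only a whole block at a time, TRIM followed by later garbage collection), applied to the temp-file sequence guessed at above, as an added example that is not part of any commenter's post: a toy flash translation layer in Python. The `ToyFlash` class, its four-page blocks and the sample strings are constructed for illustration and model no real device's firmware.

```python
# Toy flash translation layer (FTL): a constructed model, not any real firmware.
PAGES_PER_BLOCK = 4

class ToyFlash:
    def __init__(self, blocks=4):
        n = blocks * PAGES_PER_BLOCK
        self.phys = [None] * n       # raw page contents; None means erased
        self.owner = [None] * n      # logical page mapped to this physical page
        self.l2p = {}                # logical page number -> physical page number
        self.free = list(range(n))   # erased pages that can still be programmed

    def write(self, lpn, data):
        """Program a fresh page; the previous copy is only marked stale."""
        if not self.free:
            raise RuntimeError("no erased pages left; run gc() first")
        self.trim(lpn)
        ppn = self.free.pop(0)
        self.phys[ppn], self.owner[ppn] = data, lpn
        self.l2p[lpn] = ppn

    def trim(self, lpn):
        """Drop the mapping (file delete + TRIM). Nothing is erased here."""
        old = self.l2p.pop(lpn, None)
        if old is not None:
            self.owner[old] = None

    def read(self, lpn):
        """What the filesystem sees through the mapping table."""
        ppn = self.l2p.get(lpn)
        return None if ppn is None else self.phys[ppn]

    def raw_scan(self, needle):
        """What a chip-level dump sees: every physical page, mapped or not."""
        return [p for p, d in enumerate(self.phys) if d is not None and needle in d]

    def gc(self):
        """Erase each block holding stale pages, copying live pages out first."""
        erased = 0
        for b in range(len(self.phys) // PAGES_PER_BLOCK):
            pages = range(b * PAGES_PER_BLOCK, (b + 1) * PAGES_PER_BLOCK)
            if not any(self.phys[p] is not None and self.owner[p] is None for p in pages):
                continue
            for p in pages:
                if self.owner[p] is not None:
                    dst = next(f for f in self.free if f not in pages)
                    self.free.remove(dst)
                    self.phys[dst], self.owner[dst] = self.phys[p], self.owner[p]
                    self.l2p[self.owner[p]] = dst
            for p in pages:            # erase works on the whole block at once
                self.phys[p] = self.owner[p] = None
                if p not in self.free:
                    self.free.append(p)
            erased += 1
        return erased

def demo():
    flash, needle = ToyFlash(), b"usual place"
    secret = b"meet at the usual place"          # constructed sample plaintext
    cipher = b"<constructed ciphertext>"
    out = {}
    flash.write(0, secret)                       # save(msg, temp_file)
    flash.write(1, cipher)                       # encrypt(temp_file, encrypted)
    flash.write(0, b"\x00" * len(secret))        # "hard" delete: overwrite the file
    out["after_overwrite"] = flash.raw_scan(needle)
    flash.trim(0)                                # delete(temp_file), then TRIM
    out["after_trim"] = flash.raw_scan(needle)
    out["fs_view"] = flash.read(0)
    out["blocks_erased"] = flash.gc()
    out["after_gc"] = flash.raw_scan(needle)
    out["live_data"] = flash.read(1)
    return out

if __name__ == "__main__":
    print(demo())
```

In this model the plaintext stays in physical page 0 through both the overwrite and the TRIM, while the filesystem view already reports nothing; it disappears only once garbage collection erases the whole block.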

  • So-called?

    WTF with the scare phrase?

    • Maybe it's just because no-one knows what they're actually called - the summary later calls them "PGP BlackBerrys."

      • by Nutria ( 679911 )

        Maybe it's just because no-one knows what they're actually called

        Someone knows what they're officially called. In fact, I'd wager that lots of people know, and that it's damned easy to find out with 10 seconds of googling.

    • "So-called" is a literal translation of Dutch "zogenaamd". The Dutch version doesn't suggest that the speaker disagrees with whatever follows. The author meant to introduce a name that may not be familiar to the reader.
  • by Anonymous Coward

    What's funny is that no-one except the Government of Canada uses Blackberries (and of course, probably terrorists) ...

    so what the RCMP is saying here, is that they can crack the blackberries of their fellow co-workers.

    your tax dollars at work !

  • by Anonymous Coward

    This is a company that takes BB phones and puts their own encryption software/tools on it. This has nothing to do with BB from what I can see. How is any of this on Blackberry except for the speculation that it may or may not involve a backdoor mechanism, which is not proven and which BB has always denied.

  • Why? (Score:4, Insightful)

    by CimmerianX ( 2478270 ) on Wednesday January 13, 2016 @10:36AM (#51293273)

    I'm curious as to why any agency would announce that it could read these messages publicly? The bad guys now won't use this perhaps? It's akin to the national argument over Snowden revealing the collection of phone records and everyone screaming how the bad guys will now have this info and that put everyone at risk.

    • by mi ( 197448 )

      I'm curious as to why any agency would announce that it could read these messages publicly?

      To spread FUD and hurt the non-cooperating device-maker commercially:

      • — I'd like an iPhone.
      • — Sorry, company policy is to use Blackberry for all business communications.
      • — Ah, but police in two countries can crack it already, here is the link!
      • — Khm, Ok, maybe it is time to revise our policy — Apple and Android devices are so hip, I myself would like one...

      Whether they can actually recover t

  • And so can the US government, contrary to what they say. They have been able to crack PGP since 1996 when they dropped the case against Zimmermann. At the time encryption technology was considered a munition under the Munition Control Act of 1954. When they developed the ability to crack PGP the case against Zimmermann was moot. It's never been admitted by the government, but that could be the only reason for dropping a case they had pursued for years.
  • by JoeyRox ( 2711699 ) on Wednesday January 13, 2016 @10:50AM (#51293349)
    Some of it to coerce citizen behavior, like convincing people that the encryption on their phones isn't effective so that they won't use it.
  • If they truly had that capability, I doubt, they would've advertised it. The announcement seems intended to scare people off using Blackberries — perhaps into some other devices, which the police actually has easier time with.

    "we are capable of obtaining encrypted data from BlackBerry PGP devices"

    Yep, just the sort of non-committal speak one would expect from the police. It sounds like they cracked it to a layman, but does not actually say so...

    And even if they can, actually, recover the text, from t

    • Comment removed based on user account deletion
      • by mi ( 197448 )

        As this is Canada and The Netherlands, I doubt that they would do something like that.

        And why do you doubt it? From police perspective, there wouldn't be anything wrong in it... Honest people, who "have nothing to hide", have nothing to fear, do they — while the crooks will be spooked...

  • by fahrbot-bot ( 874524 ) on Wednesday January 13, 2016 @10:57AM (#51293401)

    ... BlackBerry devices that are being marketed as having "military-grade security."

    To be fair, Blackberry / RIM never said whose military.

    • ... BlackBerry devices that are being marketed as having "military-grade security."

      To be fair, Blackberry / RIM never said whose military.

      Any time you encounter a product which claims "military grade" security, encryption, etc., run away. "Military grade" is a meaningless appellation, and the best case scenario is that the vendor has good security people who are frustrated by their inability to get product marketing to understand that. But that scenario is pretty unlikely. What's far more likely is that they're clueless and the product sucks.

  • They don't say how they did it. Did they guess the user's password? Was this a BES controlled device? What model? What version of software?

    As a BES admin, I'm not too concerned at this point.

  • I saw this summary somewhere a few days ago, and was like "whatever I don't use Blackberry and don't trust them anyway".

    Then it hits here, and immediately posts point out that these are third party modifications on Blackberries that are getting cracked. That seems an important detail- the clickbait headline had just meshed with my worldview, so I was assuming this was a problem with Blackberry based on the headline.

    Granted, I didn't read TFA when it was in summary before. But the fact that this really mea

    • by jofas ( 1081977 )
      Your line "whatever I don't use Blackberry and don't trust them anyway" precludes this article being important in either case.
  • by frovingslosh ( 582462 ) on Wednesday January 13, 2016 @11:34AM (#51293653)
    I'm no Blackberry fan. I would never trust the company and I sure don't use one. But I'm surprised that everyone just seems to accept the claim. I expect that if there were any secure device out there that several gub'mints would be actively telling people "oh, we can crack that", a message which comes across as "Don't use that if you want to keep your communications private" and ends up steering people to devices that the snoops really can crack. Maybe they can crack it, but if so why tell us about it? I don't have enough trust in any government to believe this blindly.
    • by jofas ( 1081977 )
      Does no one remember when BlackBerry caved to Iran's demand for the keys to decrypt BB devices deployed there? Happened about 5 years ago. BlackBerry is famous for cooperating with anyone who asks in matters of privacy.
    • But I'm surprised that everyone just seems to accept the claim. I expect that if there were any secure device out there that several gub'mints would be actively telling people "oh, we can crack that", a message which comes across as "Don't use that if you want to keep your communications private" and ends up steering people to devices that the snoops really can crack.

      Like the statement about Windows Mobile?

      I keep hearing that there are no apps for Windows Mobile. This was true 3 years ago but the retail stores are still sold on that idea and won't sell you the phone they have on their shelf. I don't blame them for not selling it as there are other reasons to not buy a Windows Phone but they could at least use factual information.

  • If there is some point or another in which the key is present on the phone, then there is likely a way to use it. The key itself being probably a 3072 bit number itself can't be brute forced or even algorithmically weakened to something meaningful. The user however doesn't type a 3072 bit key each time. The private key is stored on the phone and encrypted with an 8-10 character password which is likely based on the 70 (or so) easily typed characters on the keyboard. So, it's only necessary to weaken the ciph
  • It may be true, but another reason to claim such success would be to scare people away from using something they can't crack.
  • by Prune ( 557140 ) on Wednesday January 13, 2016 @02:06PM (#51294787)
    30 seconds of search showed what I expected: http://gizmodo.com/dutch-polic... [gizmodo.com]

    break a series of encrypted emails held on Blackberrys modified by Canadian firm Phantom Secure

    Conclusion: (a) don't get phones modified by a shady third party with government connections, and (b) don't take Slashdot summaries at face value (but we never learn that one, do we)

  • The original Dutch article [misdaadnieuws.com] shows a letter [misdaadnieuws.com] from FIOD (Fiscal Information and Investigation Service) asking NFI (National Forensic Institute) to decrypt the contents of a Blackberry Curve 9320. NFI said they retrieved data from the phone using Cellebrite's UFED 4PC software [cellebrite.com] and then decrypted it using NFI's own method.

    They also say they received an NFI report that describes the case [misdaadnieuws.com] where 279 out of 325 encrypted messages on a Blackberry 9720 could be decrypted.
