One popular feature of Research In Motion’s BlackBerry communication devices is PIN messaging – a communication protocol involving fewer steps and servers than email.
Interestingly, the Communications Security Establishment (Canada’s codebreakers) has guidance online about the security of BlackBerries in general and PIN messages specifically. They draw particular attention to the very limited protection provided by the encryption used for PIN messages:
PIN-to-PIN is not suitable for exchanging sensitive messages. Although PIN-to-PIN messages are encrypted using Triple-DES, the key used is a global cryptographic “key” that is common to every BlackBerry device all over the world. This means any BlackBerry device can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry device, if the messages can be intercepted and the destination PIN spoofed. Further, unfriendly third parties who know the key could potentially use it to decrypt messages captured over the air. Note that the “BlackBerry Solution Security Technical Overview” document published by RIM specifically advises users to “consider PIN messages as scrambled, not encrypted”.
The document identifies other vulnerabilities, such as the potential bypassing of spam filtering and the risk that a BlackBerry that has been passed along to a new user will receive a sensitive PIN not intended for them.
The document goes on to say: “Due to the aforementioned security issues, GC departments should refrain from using PIN-to-PIN messaging and the disabling of this functionality”.
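The weakness the CSE guidance describes is one of key distribution, not cipher strength: when every handset holds the same key, any handset that intercepts a message can read it. The following added example (not code from CSE, RIM or this post) models that: a toy SHA-256 counter-mode XOR cipher stands in for Triple-DES, the PINs and the global key are constructed placeholders, and a hypothetical per-pair key derivation is included only to show the contrast.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed placeholder for the single world-wide key the CSE text describes;
# no real BlackBerry key material is used or implied.
GLOBAL_KEY = b"constructed-placeholder-global-key"


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode XOR cipher standing in for Triple-DES (illustrative only).
    Symmetric: the same call encrypts and decrypts. The cipher is not the point;
    who holds the key is."""
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    nonce = os.urandom(12)  # sent in the clear with the PIN header
    return nonce, _xor_stream(key, nonce, plaintext)


def open_msg(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return _xor_stream(key, nonce, ciphertext)


class Device:
    """A handset identified by its PIN. With pairwise=False every device uses
    GLOBAL_KEY, as in the PIN-to-PIN design the text describes."""

    def __init__(self, pin: str, pairwise: bool, secrets: dict):
        self.pin, self.pairwise, self.secrets = pin, pairwise, secrets

    def key_for(self, sender: str, recipient: str) -> Optional[bytes]:
        if not self.pairwise:
            return GLOBAL_KEY  # same answer on every handset in the world
        # Hypothetical fix: derive the message key from a secret only the pair shares.
        secret = self.secrets.get(frozenset((sender, recipient)))
        return None if secret is None else hmac.new(secret, b"pin-msg-key", hashlib.sha256).digest()


def run_scenario(pairwise: bool) -> bool:
    """True if a third handset (Eve) recovers Alice's plaintext to Bob."""
    ab_secret = os.urandom(32)  # constructed: known only to Alice and Bob
    pair = frozenset(("2000A1CE", "2000B0B0"))  # constructed placeholder PINs
    alice = Device("2000A1CE", pairwise, {pair: ab_secret})
    bob = Device("2000B0B0", pairwise, {pair: ab_secret})
    eve = Device("2000EEEE", pairwise, {})  # any other handset, no shared secret
    msg = b"draft regulation text, embargoed"
    nonce, ct = seal(alice.key_for(alice.pin, bob.pin), msg)
    assert open_msg(bob.key_for(alice.pin, bob.pin), nonce, ct) == msg  # Bob reads it
    eve_key = eve.key_for(alice.pin, bob.pin)
    return eve_key is not None and open_msg(eve_key, nonce, ct) == msg
```

With the global key, `run_scenario(False)` returns True (Eve reads the message); with the per-pair key, `run_scenario(True)` returns False.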
While that is probably good advice, I doubt many departments will be sacrificing this popular feature. That is probably welcome news for anyone who is intercepting these messages. As mentioned before, British Embassies and High Commissions have been conducting signals intelligence interception against friendly countries since the Second World War. No doubt, other embassies in Ottawa are actively monitoring traffic between BlackBerries.
The same may well be true for more sophisticated private companies, hoping to get some inside information on upcoming policies and regulations.