This site may earn affiliate commissions from the links on this page. Terms of apply.

For years, security has been BlackBerry née RIM'southward breadstuff and butter. It was the visitor's major selling point in the early smartphone era, when businesses flocked to BlackBerry, and it's been a major selling bespeak for both BB10 and the new Android-based Priv. A new report casts doubtfulness on merely how secure many BlackBerry devices actually are, with potentially significant consequences for the company.

Motherboard has published a report on the Netherlands Forensic Institute, in which that organization claims to have the ability to suspension PGP-encrypted BlackBerry devices. The NFI handles forensic investigation into criminal cases, and as such, would be responsible for profitable police cases and discovering what data might be held on a device.

News of the organization'south abilities beginning bankrupt in concluding December, when documents surfaced that alleged the NFI worked with a private company, Cellebrite, to develop the software in question. PGP-encrypted BlackBerry devices are sold by a number of vendors, ordinarily with claims that using PGP offers an boosted safeguard against threats.

PGP (Pretty Good Privacy) is a data encryption method that tin can be used to cryptographically sign emails, documents, or entire disk partitions. The diagram below shows how PGP functions:

PGP

Image courtesy of Wikipedia

Nigh of the BlackBerry vendors that offer a PGP-encrypted device appear to guarantee at to the lowest degree 256-bit AES encryption. So how is Cellebrite breaking into devices? Some clues to the company'south methods were disclosed in a forensic presentation in June 2014.

If a BlackBerry device isn't paired to a BlackBerry Enterprise Server (BES), it may be possible to attack information technology using bit-off (literally removing fries from the device for forensic analysis) or through a JTAG debugging connection on older devices. Devices that are attached to a "friendly" BES server can likewise be hacked by using the BES to reset the device'south credentials remotely.

If a device is fastened to an unfriendly BES, it'southward essentially incommunicable to cleft. From the looks of the report, withal, the Dutch police are withal performing a chip-off attack against devices and using a Cellebrite UFED Physical Analyzer to read the retentiveness chips themselves.

As to whether this is a serious problem for BlackBerry, I'm inclined to think it isn't. One of the rules of security is that a sufficiently determined attacker with concrete access to the underlying hardware can almost always dial through any security scheme, given sufficient time and resource. Most encryption methods focus on making the corporeality of time required to crack a device extremely loftier, but they don't offering total protection — and removing the memory chips from a product and plugging them into a separate programming device is almost as hardcore as it gets.

This news does indicate, still, that a BlackBerry Enterprise Server offers meaning protections that just using PGP does not — provided the server is "unfriendly" and non-cooperative with legal requests to unlock the device.