Ottawa aware of BlackBerry security flaw since 2011

The vulnerability of BlackBerry’s PIN-to-PIN messaging service is not a deadly new flaw, as news reports Wednesday of the discovery of cyber-security memo issued to federal departments earlier this year about it would suggest.

Security issues associated with the messaging service were in fact already known to Communications Security Establishment Canada way back in 2011.
PIN-to-PIN diagram from CSEC memo
The CSEC, which is the country’s national cryptologic agency responsible for foreign signals intelligence and electronic information and communication security, issued a security advisory to federal employees about BlackBerry’s PIN-to-PIN messaging service in March of that year.

BlackBerry devices are issued a unique eight-digit PIN independent of the users account or email address. If a BlackBerry user shares this PIN with other BlackBerry device users they can exchange messages even in the event of a BlackBerry network outage or power outage that disrupts email and text messaging.

The scare — according to the British-based online news service The Register — began yesterday when news leaked out that Public Safety Canada, the agency that oversees national security, issued a memo warning federal employees who communicate using PIN-to-PIN. The memo said the service is not “suitable for exchanging sensitive messages,” because information exchanged through the service could be inadvertently read by other BlackBerry users.

RELATED CONTENT

Update on Canadian wireless public safety network
Report: Canada’s cyber-security falling short

“Although the PIN-to-PIN messages are encrypted the key used is a global cryptographic key that is common to every BlackBerry device all over the world,” the memo said. “Any BlackBerry device can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry device.”

It now appears that memo could be an update or rehash of the one sent by CSEC over two years ago.

Here’s an excerpt of that March 2011 memo:

PIN-to-PIN transmission security: PIN-to-PIN is not suitable for exchanging sensitive messages. Although PIN-to-PIN messages are encrypted using Triple-DES, the key used is a global cryptographic “key” that is common to every BlackBerry device all over the world. This means any BlackBerry device can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry device, if the messages can be intercepted and the destination PIN spoofed.Further, unfriendly third parties who know the key could potentially use it to decrypt messages captured over the air. Note that the “BlackBerry Solution Security Technical Overview” [1] document published by RIM specifically advises users to “consider PIN messages as scrambled, not encrypted”.

The CSEC, however, said PIN-to-PIN messaging is typically faster than normal email because it passes through fewer servers so it would be useful in emergency communication situations where departmental email servers are down but wireless service providers and BlackBerry relay are still available.

Read CSEC memo hereRead the whole story here

 

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now