Slashdot Mirror


Canadian Police Have Had BlackBerry's Global Decryption Key Since 2010 (vice.com)

Justin Ling and Jordan Pearson, reporting for Vice News: A high-level surveillance probe of Montreal's criminal underworld shows that Canada's federal policing agency has had a global encryption key for BlackBerry devices since 2010. The revelations are contained in a stack of court documents that were made public after members of a Montreal crime syndicate pleaded guilty to their role in a 2011 gangland murder. The documents shed light on the extent to which the smartphone manufacturer, as well as telecommunications giant Rogers, cooperated with investigators. According to technical reports by the Royal Canadian Mounted Police that were filed in court, law enforcement intercepted and decrypted roughly one million PIN-to-PIN BlackBerry messages in connection with the probe. The report doesn't disclose exactly where the key -- effectively a piece of code that could break the encryption on virtually any BlackBerry message sent from one device to another -- came from. But, as one police officer put it, it was a key that could unlock millions of doors. Government lawyers spent almost two years fighting in a Montreal courtroom to keep this information out of the public record. Motherboard has published another article in which it details how Canadian police intercept and read encrypted BlackBerry messages. "BlackBerry to Canadian court: Please don't reveal the fact that we backdoored our encryption," privacy and security activist Christopher Soghoian wittily summarizes the report. "Canadian gov: If you use Blackberry consumer encryption, you're a 'dead chicken'."


  1. I thought this was common knowledge? by guruevi · · Score: 4, Insightful

    Back in the day, one of the many reasons RIM went down the tubes was that they have global decryption keys for both BES and BIS. It's right there in the specifications and marketing of the Blackberry communications.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:I thought this was common knowledge? by Carewolf · · Score: 4, Informative

      No, they only had the keys for the consumer parts, which is the same problem all messaging services that don't allow you to run your own server have.

      In theory you could secure BlackBerries but it always required an enterprise license and running your own servers with your own keys.

    2. Re:I thought this was common knowledge? by guruevi · · Score: 2

      Read the spec. BES encryption keys (on your own server) get published to the Blackberry device the first time it connects (when it is by definition unaware of what your BES keys are) encrypted with the Blackberry Global Key. That is, if there are no other back doors in the encryption (since the standard is closed source, you never really can be sure). They eventually (this was news about a decade ago) gave in to India and gave their government access to all systems in India; why do you think the US can't do something similar?

      If your government (or anyone else for that matter) has or obtains the Global Key, they could read your server's key when it is pushed to the device given it has traveled through or been recorded by a government-friendly ISP/wireless provider. Given that the keys are created for servers, not per user, they only have to be able to obtain (or trick) 1 push communication to decrypt everything else.

      Given that AT&T stores data at least from the 1980s onwards, it is likely that if a government wanted, they could retroactively obtain the data, decrypt the key and use that for any other data obtained through warrantless searches.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  2. Big Whoop by wkwilley2 · · Score: 5, Funny

    This affects at most like what.....3 people?

    --
    Have you ever fallen asleep at the keybhanusdiog?