Blackberries insecure?

Dave Korn dave.korn at artimi.com
Thu Jun 21 10:24:43 EDT 2007


On 21 June 2007 04:41, Steven M. Bellovin wrote:

> According to the AP (which is quoting Le Monde), "French government
> defense experts have advised officials in France's corridors of power
> to stop using BlackBerry, reportedly to avoid snooping by U.S.
> intelligence agencies."
> 
> That's a bit puzzling.  My understanding is that email is encrypted
> from the organization's (Exchange?) server to the receiving Blackberry,
> and that it's not in the clear while in transit or on RIM's servers.
> In fact, I found this text on Blackberry's site:
> 
> 	Private encryption keys are generated in a secure, two-way
> 	authenticated environment and are assigned to each BlackBerry
> 	device user. Each secret key is stored only in the user's secure
> 	regenerated by the user wirelessly.
> 
> 	Data sent to the BlackBerry device is encrypted by the
> 	BlackBerry Enterprise Server using the private key retrieved
> 	from the user's mailbox. The encrypted information travels
> 	securely across the network to the device where it is decrypted
> 	with the key stored there.
> 
> 	Data remains encrypted in transit and is never decrypted outside
> 	of the corporate firewall.
> 
> Of course, we all know there are ways that keys can be leaked.

  And work factors reduced.  And corporations who want to do business in the
US have been known to secretly collaborate with the US.gov before to sabotage
encryption features on exported devices (e.g. Lotus, Crypto AG, Microsoft,
Netscape).  So there's no reason to take the assurances on the BlackBerry
website at face value, and if you're a government or other .org that really
takes security /proper/ seriously, you've got to account for the very real
risk.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


