[ISN] RIM's double-edged encryption sword

From: InfoSec News (alerts@private)
Date: Wed May 28 2008 - 00:14:39 PDT


http://www.reportonbusiness.com/servlet/story/RTGAM.20080527.wrim28/BNStory/Business/home

By Matt Hartley
Globe and Mail
May 27, 2008 

As Research In Motion Ltd. charts its path toward global domination of 
the smart phone market, the company continues to discover its biggest 
strategic advantage is often a source of headaches when dealing with 
foreign governments.

It was RIM's data encryption technology that helped the BlackBerry 
become the preferred communication medium for the business world in 
North America. But misperceptions about its security infrastructure have put 
the Waterloo, Ont.-based company on the defensive again this week.

Those same security measures that act as a selling feature have 
officials in some governments worried that terrorists are using the 
devices to communicate, while others don't like the idea of their 
nation's data being routed abroad through RIM's Canadian Network 
Operating Centres (NOCs).

After Indian officials raised those concerns recently and threatened to 
shut down BlackBerry service in that country, RIM moved to quiet the 
storm by firing off a letter to customers that attempted to clarify the 
company's policy.

The controversy has left RIM officials trying to allay security concerns 
of foreign governments on one hand, while making it clear to 
shareholders and customers in other countries that it is not bending to 
local pressures and altering its basic infrastructure.

“RIM respects the needs of governments to balance regulatory 
requirements alongside the corporate security and individual privacy 
needs of its citizens and RIM will not disclose confidential discussions 
that take place with any government,” the company said in the letter.

RIM said it recognized customers might be “curious about the discussions 
that occurred between RIM and the Indian government regarding the 
encryption in BlackBerry products,” and that it wished to “assure 
customers” about the company's security policies.

With more than one-third of its revenue now coming from markets outside 
of North America, RIM faces a minefield of security controversies that 
is becoming increasingly treacherous.

The company is known for being tight-lipped about its security practices 
and for withholding details about how its network operates, something 
the company has admitted sometimes leads to speculation and 
misinformation.

In March, India's Ministry of Telecommunications reportedly demanded 
that RIM install servers in India and provide the government with a 
“master key” to help security agencies intercept and decrypt BlackBerry 
messages in an effort to crack down on terrorism.

Similar complaints surfaced last June, when security forces in France 
advised Paris officials not to use their BlackBerrys to send sensitive 
information, fearing the data could be intercepted in foreign 
territories.

“The problem seems to be that these countries don't like the fact that 
the e-mail goes through the RIM NOC,” said Jack Gold, president of J. 
Gold Associates, a wireless consulting firm in Boston. “The NOC is not 
in India, so their e-mails are actually leaving the country and then 
coming back. France had that problem as well.”

RIM declined to comment on the nature of its discussions with the Indian 
government, but in a recent statement prepared for customers, the 
company outlined how it would be impossible to provide any government 
with such a master key or “back door.”

Messages sent from BlackBerry devices are difficult to monitor because 
the data is encrypted before it is transmitted. Large companies can add 
an extra level of encryption to messages by purchasing a BlackBerry 
Enterprise Server (BES), which sits in their IT department and 
communicates directly with RIM's NOCs. The BES adds a second layer of 
encryption that can be decoded only by using an encryption key that only 
the company possesses. Not even RIM has access to that information.
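As an added model of the two-layer arrangement described above (example code written for this page, not RIM's; a toy cipher and constructed keys stand in for the real algorithms, which the article does not name), the NOC can remove only the transport layer, while the enterprise layer opens only with the key the company holds:

```python
import hashlib
import hmac
import os

# Constructed keys for this model, not real BlackBerry material.
ENTERPRISE_KEY = hashlib.sha256(b"example-bes-key").digest()       # device + BES only
TRANSPORT_KEY = hashlib.sha256(b"example-transport-key").digest()  # removable by the NOC
NONCE_LEN, TAG_LEN = 12, 32

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (XOR with SHA-256(key||nonce||counter) blocks); a
    stand-in for the real ciphers, which the article does not name."""
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under one layer's key: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; fails closed when the key is wrong."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return _keystream_xor(key, nonce, ct)

def device_send(message: bytes) -> bytes:
    """Device: enterprise layer first, transport layer wrapped over it."""
    return seal(TRANSPORT_KEY, seal(ENTERPRISE_KEY, message))

def noc_relay(wire: bytes) -> bytes:
    """NOC: strips only the transport layer; what it forwards is still ciphertext."""
    return unseal(TRANSPORT_KEY, wire)

def bes_receive(inner: bytes) -> bytes:
    """Company's BES: the only party holding ENTERPRISE_KEY."""
    return unseal(ENTERPRISE_KEY, inner)

def noc_can_read(blob: bytes) -> bool:
    """The 'master key' question: does any key the NOC holds open this blob?"""
    try:
        unseal(TRANSPORT_KEY, blob)
        return True
    except ValueError:
        return False
```

Handing a government the transport key (or placing the NOC in-country) would expose only the outer layer; the inner layer stays opaque to every party except the company's own BES.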

“The reality is that RIM's BES service is unbreakable,” said Canaccord 
Adams analyst Peter Misek. “The [U.S. National Security Agency] can't 
break it; no one can break it. RIM won't give out back doors because 
then all these governments will want to have this special ability.”

U.S. government officials initially expressed concerns about the 
security of the BlackBerry network once the device became a staple in 
Washington power circles. However, the U.S. government is now one of the 
biggest BlackBerry customers in the world; the Federal Bureau of 
Investigation purchased almost 20,000 devices for field agents in April.

BlackBerrys bought directly from a telecommunication provider by small 
companies or by individuals operate on the BlackBerry Internet Service 
(BIS). Messages sent from these devices are routed through the telecom 
company's server which links directly to the NOC.

“The BIS encryption isn't as strong, and if enough horsepower is thrown 
at it, it could potentially be cracked,” Mr. Misek said.

Analysts say in some jurisdictions – such as China and Russia – where 
governments wish to monitor BlackBerry transmissions, RIM has likely 
opted to limit the distribution of BES networks in favour of the BIS 
variety in order to gain access to those countries' mobile markets. RIM 
said it does not discuss the details of discussions it holds with 
governments and carriers around the world.

“I'm sure the RIM folks did have to do some funny stuff which they 
didn't want to make public to allay the fears of the Chinese 
marketplace,” Mr. Gold said. “It's the same issue [the Chinese] have 
with Yahoo and Google's search engines … China is very fussy about what 
they allow on their networks.”

RIM's security features are the biggest reason why most analysts predict 
that Cupertino, Calif.-based Apple Inc.'s iPhone will struggle to become 
a serious competitor to the BlackBerry for business customers.

“RIM security is head and shoulders above the iPhone,” Mr. Gold said. 
“There really isn't any security on the iPhone right now.”





