Pixel Envy

Written by Nick Heer.

The RCMP Has the Master Encryption Key for Every BlackBerry

Jordan Pearson and Justin Ling, Vice:

BlackBerry (formerly RIM) encrypts all messages sent between consumer phones, known as PIN-to-PIN or BBM messages, using a single “global encryption key” that’s loaded onto every handset during manufacturing. With this one key, any and all messages sent between consumer BlackBerry phones can be decrypted and read. In contrast, Business Enterprise Servers allow corporations to use their own encryption key, which not even BlackBerry can access. […]

According to more than 3,000 pages of court documents pertaining to the case that resulted from Project Clemenza, obtained by VICE Canada, the RCMP maintains a server in Ottawa that “simulates a mobile device that receives a message intended for [the rightful recipient].” In an affidavit, RCMP sergeant Patrick Boismenu states that the server “performs the decryption of the message using the appropriate decryption key.” The RCMP calls this the “BlackBerry interception and processing system.”

All BlackBerry devices share an encryption key? Amateur hour.
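The key arrangement the Vice excerpt describes, as an added illustration that is not code from this post, from Vice, or from BlackBerry: a toy model in which every consumer handset ships with the same GLOBAL_KEY while an enterprise fleet provisions its own, and an interception server holding the global key is tried against both. The cipher (a SHA-256 keystream with an HMAC tag), the key values, the PINs and the "ACME" enterprise are all constructed for the example and say nothing about BlackBerry's real protocol.

```python
import hashlib
import hmac
import secrets

# Toy authenticated stream cipher from the standard library only; it stands in for
# whatever cipher the handsets really use. The point here is key distribution.
def _keystream(key, nonce, length):
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key (or tampered ciphertext): nothing is recovered
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

# Constructed keys: one "global" key loaded into every consumer handset when it is
# built, and a separate key an enterprise generates for its own fleet (the BES case).
GLOBAL_KEY = secrets.token_bytes(32)
ACME_ENTERPRISE_KEY = secrets.token_bytes(32)

class Handset:
    def __init__(self, pin, key):
        self.pin, self.key = pin, key  # fixed at provisioning, never negotiated per message
    def send(self, text):
        return encrypt(self.key, text.encode())
    def receive(self, blob):
        pt = decrypt(self.key, blob)
        return None if pt is None else pt.decode()

def interception_server(server_key, blob):
    """The 'simulated device' from the affidavit: it holds one key and applies it
    to a copied message. Anything that key decrypts is readable in full."""
    pt = decrypt(server_key, blob)
    return None if pt is None else pt.decode()

def demo():
    consumer_a, consumer_b = Handset("A1B2C3D4", GLOBAL_KEY), Handset("E5F60718", GLOBAL_KEY)
    acme_a, acme_b = Handset("ACME0001", ACME_ENTERPRISE_KEY), Handset("ACME0002", ACME_ENTERPRISE_KEY)
    consumer_msg, acme_msg = consumer_a.send("meet at 9"), acme_a.send("numbers attached")
    assert consumer_b.receive(consumer_msg) == "meet at 9" and acme_b.receive(acme_msg) == "numbers attached"
    # One copy of GLOBAL_KEY reads every consumer message; it is useless against a
    # fleet that provisioned its own key, which is why per-tenant keys are the fix.
    return interception_server(GLOBAL_KEY, consumer_msg), interception_server(GLOBAL_KEY, acme_msg)
```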

BlackBerry CEO John Chen in a 2015 corporate blog post:

We reject the notion that tech companies should refuse reasonable, lawful access requests. Just as individual citizens bear responsibility to help thwart crime when they can safely do so, so do corporations have a responsibility to do what they can, within legal and ethical boundaries, to help law enforcement in its mission to protect us.

However, it is also true that corporations must reject attempts by federal agencies to overstep. BlackBerry has refused to place backdoors in its devices and software. We have never allowed government access to our servers and never will.

While it isn’t an outright lie that BlackBerry has never allowed government access to their servers, they did turn over their encryption key to a federal agency that used it to build an interception system.

Also, how can BlackBerry promise to comply with a court order if enterprise customers are allowed to use their own encryption keys? One answer: they can’t, and Chen hoped that this blog post wouldn’t blow up in his face. Another: they can; they haven’t disclosed a true backdoor, but given this Vice story it doesn’t seem unlikely, and Chen is still hoping that this blog post won’t blow up in his face.