Why BlackBerry's security sucks

Corporate failure, technical failure, ethical failure

The fall of BlackBerry to Android and iOS has been a well-cited example of failure to adapt in business circles. What’s less well documented is its decline in security as well. BlackBerry still clings to the perception that it’s a secure product, when in reality it has become worse than virtually all of its competitors. BlackBerry as a company right now survives mostly as a patent troll, suing companies for ‘infringing’ on old patents it purchased. It no longer innovates, and all of its recent smartphones have been financial failures. It no longer even makes its own operating system or hardware, instead contracting them out to third parties who use the BlackBerry name to dupe consumers into buying off-brand Android phones. A legion of unscrupulous resellers have taken advantage of its perception of security to sell unwanted inventory to paranoid but ignorant consumers. In truth, these resellers are either purposefully misleading their customers for profit or willfully ignorant of the reality.

In this article we will show how BlackBerry encourages their employees to hand over user data without due legal process, develops products with extremely poor technical security and holds incredible conflicts of interest with their government stakeholders. In short, there is virtually no reason to trust that BlackBerry as a product or as a company has any ability to protect their users, beyond the facade of using security as a desperate marketing gimmick.

Enthusiastic betrayal

John Chen, CEO of BlackBerry

The reality is that BlackBerry hasn’t cared about their users’ security for a long time. In fact, it actively opposes strong encryption. This disdain for protecting their users comes from the very top of their executive team. BlackBerry CEO John Chen repeatedly criticized Apple in 2015 for not building backdoors into their products when they famously fought FBI court orders. Chen, referring to his customers’ data and government authorities, said “if you have the data, you should give it to them”.

While Chen is eager to flaunt how BlackBerry pulled out of Pakistan in response to a demand that they hand the government their encryption keys, he fails to note how he has repeatedly done the opposite for more authoritarian countries, including Saudi Arabia and India. After publicly proclaiming they hadn’t provided anything to India, they later quietly conceded that they had in fact given Indian authorities the ability to intercept any BBM communications, after multiple reports in Indian media surfaced contradicting them.

It’s no secret that most of BlackBerry’s biggest remaining customers are governments and law enforcement agencies around the world. This means that BlackBerry has to heed their whims in order to keep the bureaucrats happy or risk financial ruin. However, what most people don’t know is that a specialized unit inside the company has been enthusiastically helping intercept messages to aid hundreds of police investigations in dozens of countries. One employee inside this ‘Public Safety and Operations’ team was quoted by the CBC as saying “they are making the mistake thinking it’s untouchable and nobody can see it … not aware there is a group in Canada that can access it, decrypt it and send it to law enforcement”.

It’s important to note that this betrayal of their users is not only disturbing, but entirely extra-legal. BlackBerry is sidestepping the Canadian government’s treaty process for handling international law enforcement requests (a process that can take months) and instead choosing to engage directly in investigations themselves. Another anonymous source described how the process has been streamlined to deal with a “flood” of requests. Unlike many other companies, which regularly publish transparency reports, BlackBerry has refused to reveal how many requests it receives each year. So not only is BlackBerry actively subverting their users’ privacy, but they are ironically also trying to hide this fact from the public to protect their own reputation. With a corporate culture keen to actively exploit their users’ privacy interests, it’s unclear how far the company has gone to betray their users. Perhaps in secret, the company is developing an active backdoor for their law enforcement and military overlords, to streamline the process even further.

Technical failure

When BlackBerry released the Priv, it was announced as ‘the forefront of Android security’; however, closer inspection by security experts revealed it fell far short. Copperhead Security, a Toronto security firm, reviewed the kernel source code and was extremely displeased by this misrepresentation. James Donaldson, Copperhead’s CEO, explained that the changes seemed to revolve around incomplete patching of some grsecurity features, most of which had already been added to Android. He concluded “BlackBerry made their own changes to the kernel […] but none of these appears to be useful”. Copperhead’s CTO Daniel Micay added on Twitter “There’s still no substance at all behind any of their privacy and security claims”. Not only do these BlackBerry-Android phones seem to lack a basic understanding of Linux kernel security, but their promised updates have been atrocious. Every new version of Android offers significant security improvements over the last, especially with the release of Android Nougat and Oreo. It’s common for failing Android vendors to abandon their devices, which are then stuck using old, insecure versions of Android. BlackBerry seems to exemplify this: the Priv (released November 2015) is still stuck on Android Marshmallow (released October 2015), two major versions behind what is available for other flagship phones. This means they are missing many critical security features, like media server separation, which was introduced in response to the infamous Stagefright vulnerability that affected hundreds of millions of smartphones.

The only software left that hasn’t been actively inspected is their old legacy OS, BlackBerry 7 and 10. This isn’t because it’s impenetrable, but because BlackBerry is trying to cloak their OS to deter legitimate researchers from seeing what’s wrong. Because they refuse to open-source virtually any of their components, BlackBerry is hiding their vulnerabilities behind threats of legal action if any researchers try to reverse-engineer their software. Hackers without any fear of legal repercussions, like governments and criminals, however, are free to exploit this in secret. Despite their attempts at obfuscation, many vulnerabilities have been found in their mobile devices and servers in 2017 alone. If their track record so far is any indication, the security architecture on BB7 and BB10 is sure to be just as horrific as their attempts on Android. In any event, since it’s been confirmed there will be no more BlackBerry 10 devices, it seems extremely risky to bet your future on a legacy OS with abhorrent maintenance.

In contrast to other vendors like Apple and Google (which offer rewards of up to $1 million USD), BlackBerry offers no rewards for reporting security vulnerabilities. This policy encourages researchers to sell vulnerabilities on the black market, where they can be used by criminals to hack devices instead of being fixed by the company. Because BlackBerry doesn’t have a large user base, offers no rewards and obfuscates its code, legitimate researchers aren’t interested in auditing it, and therefore fewer vulnerabilities will become public. However, private attackers who are interested in actually hacking a target won’t be deterred by this, giving users the illusion of security when in fact the product is considerably less secure than it appears. When vulnerabilities are publicly revealed, BlackBerry is notoriously slow at providing fixes, leaving devices exposed to critical vulnerabilities. When fixes are finally available, users have to wait even longer for carriers to release them to their devices, which can take months.

Even long-term BlackBerry supporters have been abandoning them in droves, especially business executives and government leaders. Hillary Clinton was repeatedly reprimanded for using a BlackBerry by US government experts who warned that “a BlackBerry is highly vulnerable in any setting”. In fact, it has been revealed that the NSA even has a specialized group dedicated to hacking BlackBerries, and that both the NSA and CIA have repeatedly developed secret attack programs targeting BlackBerry OS.

Insecure, centralized encryption

BlackBerry proponents point to their early adoption of enterprise security and end-to-end encryption such as PGP as proof of their commitment to security. However, on closer inspection it’s easy to see that their BES (BlackBerry Enterprise Server) uses weak encryption and, because it’s highly centralized, is an easy target for compromising an entire network.

The connections to their server are made over IPSec, one of the most insecure VPN connections possible. Numerous vulnerabilities have been discovered in IPSec, including, famously, by the NSA, which allowed mass exploitation of these types of connections. Their server connection was also widely reported as being insecure for nearly 3 years following the POODLE attack, which BlackBerry still hasn’t fixed. Their phones blindly trust their PGP keyserver, which sends PGP keys over the internet unencrypted from a centralized source. This means that not only could the server operator send a fake key they created to the phone and use it to intercept, decrypt and read all of the user’s messages, but any hacker capable of intercepting the connection could do the same. This becomes obvious whenever a client of a BlackBerry reseller loses their phone and their email address is replaced. All the customer has to think is… if they can replace your phone and PGP key when you DO lose a phone, what’s stopping them from replacing your key when you DON’T lose a phone?

Sometimes BlackBerry resellers like to proclaim that their PGP keys are generated on the phone, not the server, as though this somehow protects them. However, the exact same key replacement attack can be carried out in the exact same way, because the phone blindly trusts the centralized keyserver whenever it needs to download a PGP key for someone it’s sending email to. This ignores the fact that PGP is now over 15 years old and has numerous security problems, including that many BlackBerrys still use 1024-bit and 2048-bit RSA keys, which are considered insecure for modern cryptosystems.
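As an added illustration of the keyserver trust problem described above (this is example code, not BlackBerry’s or Armadillo Phone’s): a minimal trust-on-first-use pin store that remembers the fingerprint first seen for each address and refuses a silently replaced key until the user confirms the new fingerprint out of band. The key bytes and email address are constructed sample values, and the SHA-256 fingerprint is a stand-in for a real OpenPGP fingerprint.

```python
import hashlib

# Constructed sample key material standing in for keyserver responses (not real OpenPGP packets).
KEY_ALICE_V1 = b"-- constructed public key for alice, original --"
KEY_ALICE_V2 = b"-- constructed public key for alice, swapped in --"


def fingerprint(key_bytes: bytes) -> str:
    """Uppercase hex fingerprint of the key material. Real OpenPGP v4
    fingerprints are SHA-1 over the key packet; SHA-256 over the raw bytes
    is used here only to keep the example self-contained."""
    return hashlib.sha256(key_bytes).hexdigest().upper()


class KeyPinStore:
    """Trust-on-first-use pin store. A blindly trusting client accepts
    whatever the keyserver returns on every lookup; this one remembers the
    fingerprint it first saw per address and refuses a silent change."""

    def __init__(self):
        self.pins = {}  # email address -> pinned fingerprint

    def check(self, email, key_bytes, verified_fp=None):
        """Return (status, fingerprint): 'verified' (matches a fingerprint
        the user confirmed out of band), 'pinned' (first sighting, now
        pinned), 'ok' (matches the pin) or 'MISMATCH' (keyserver returned
        a different key; the pin is deliberately NOT updated)."""
        fp = fingerprint(key_bytes)
        if verified_fp is not None:
            # Out-of-band confirmation (phone call, in person) is the only
            # way a new key for an already-pinned address gets accepted.
            if fp != verified_fp.replace(" ", "").upper():
                return "MISMATCH", fp
            self.pins[email] = fp
            return "verified", fp
        pinned = self.pins.get(email)
        if pinned is None:
            self.pins[email] = fp
            return "pinned", fp
        return ("ok" if pinned == fp else "MISMATCH"), fp


def demo():
    """Walk through the key-replacement scenario; returns the status list."""
    store, alice = KeyPinStore(), "alice@example.com"
    results = [store.check(alice, KEY_ALICE_V1)[0],   # first lookup: pinned
               store.check(alice, KEY_ALICE_V1)[0],   # same key again: ok
               store.check(alice, KEY_ALICE_V2)[0]]   # swapped key: MISMATCH
    # The replacement key is accepted only after out-of-band confirmation.
    results.append(store.check(alice, KEY_ALICE_V2, fingerprint(KEY_ALICE_V2))[0])
    return results  # ['pinned', 'ok', 'MISMATCH', 'verified']
```

A mismatch is the signal a real client should surface to the user instead of silently encrypting to the new key.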

While Armadillo Phone offers a PGP Email app, we discourage customers from using it except when absolutely necessary, and prefer them to use our highly-audited zero-trust instant messaging client. Our PGP Email app also allows users to independently verify PGP keys instead of blindly trusting them, downloads PGP keys over an encrypted connection, and has several significant security improvements.

A bad berry spoils the bunch

In short, BlackBerry’s current staff not only seem to be technically incompetent, but devoid of moral integrity. They actively betray their users to advance their profits and masquerade as a security juggernaut when in reality their internal architecture is a jumbled mess. This is a systemic disregard for safety for the benefit of their bottom line. On top of this, even their most prized products turn out to be irrelevant, dressed up as ‘secure’ purely as a marketing gimmick. They’re coasting off the momentum of a company that peaked 15 years ago and has struggled on as a limp dinosaur.

So the real question is, why would you ever trust them to protect you?

If you need a real high-security business smartphone, check out Armadillo Phone and protect yourself today!