Police in two countries have claimed that they can read encrypted data from BlackBerry devices that are being marketed as having “military-grade security.”
The story originally broke when Dutch website Misdaadnieuws (Crime News) published documents from the Netherlands Forensic Institute (NFI), a Dutch law enforcement agency, stating that police were able to access deleted messages and read encrypted emails on so-called BlackBerry PGP devices.
A representative from NFI confirmed that “we are capable of obtaining encrypted data from BlackBerry PGP devices,” according to a report from Motherboard.
On Tuesday, Motherboard further reported on a similar result by the Royal Canadian Mounted Police (RCMP).
The PGP stands for Pretty Good Privacy, a program for encrypting and authenticating data that is often used to encrypt email.
PGP BlackBerry devices, however, are not sold by BlackBerry, but by resellers like GhostPGP, which customizes BlackBerry devices with PGP encryption.
GhostPGP says on its website that it has been offering “military-grade encryption solutions on the BlackBerry device for more than 15 years without a single breach in security,” and a company spokesman told Motherboard that its services are “not affected” and had not been compromised.
Nevertheless, NFI and the RCMP said they have been able to decrypt messages from PGP BlackBerrys, although they won’t say exactly how.
Motherboard reported that NFI may have used a method known as “chip-off,” by extracting memory chips from the device and pulling the data off them to attack it off-line, without any limits on how many password guesses are allowed, or how quickly those guesses can be tried.
Whatever technique the Dutch police used, it required physical access to the device, according to Motherboard.
And it’s not 100% effective – NFI had been able to decrypt only 279 out of 325 encrypted emails in the criminal case described by the Dutch crime news website.
In a statement to the BBC, BlackBerry said it could not comment without knowing any details about the device or “the nature of the communications that are said to have been decrypted.”
BlackBerry and backdoors
Perhaps ironically, the Netherlands has come out against backdoors, with a new policy that says the government will not seek restrictions on the development or use of encryption within the country.
For BlackBerry, this story raises uncomfortable questions for the company, such as, “Are law enforcement agencies exploiting a zero-day security vulnerability?”
Alternatively, “Is there an intentional backdoor that law enforcement has discovered?”
BlackBerry has faced questions before about whether it was providing backdoors for intelligence and law enforcement agencies, including reports that the UK intelligence agency GCHQ had compromised BlackBerry devices to spy on world leaders at the G20 summit in 2009.
Unlike stalwart backdoor opponents Apple and Google, BlackBerry has taken a more conciliatory tone when talking about government access and encryption.
Last month, BlackBerry CEO John Chen said in a provocative blog post that “our privacy commitment does not extend to criminals,” and indicated that it was a company’s duty, “within legal and ethical boundaries,” to help law enforcement.
Also last month, BlackBerry announced it would be pulling its operations out of Pakistan because the government of that country had ordered BlackBerry to shut down unless it provided access to its BES servers.
However, BlackBerry announced on 31 December 2015 that it had reached an agreement with Pakistan to remain in the country, after Pakistan “accept[ed] BlackBerry’s position.”
BlackBerry says its position on backdoors has always been “no backdoors.”
Although it’s reaffirmed that position many times, the questions about BlackBerry’s backdoor policy haven’t gone away.