As mentioned in my previous article, Blackberry Messenger uses the same encryption key on all devices. This would mean that if one could intercept the PIN message sent to another device it could be decrypted and read.
RIM does give its customers an option to replace the default encryption key on the devices with a company specific key. This would limit the BBM communication to company devices only which have the same key. It should also be noted that it is only the message body which is encrypted and not the header which will still carry the source and destination device PIN identifiers in clear text.
The Blackberry Messenger communication is a PIN 2 PIN (device to device) message which passes only thru the RIM Relay Servers. The BES Server or the local ISP is not party to this communication and this is where the concerns raised by many national security bodies are coming from. They have no way of intercepting the Blackberry Messenger Communication. The solution these governments have demanded is a local RIM Relay server thru which all PIN to PIN communication should flow so that they could intercept and decrypt it on a demand basis or even real time basis.
It is easy to comprehend here that once the messages are routed thru a local proxy server the global encryption key could be used to decrypt the message and make the content available to the local security agencies. What I fail to understand is that as the devices were communicating to the RIM relay using the internet connectivity provided by the local ISP why couldn’t the ISP transparently proxy/mirror all communication to the RIM Server and use the Global Encryption key to decrypt it themselves. What action was required by RIM to enable the local ISP get access to these messages? There are no encryption keys which RIM is going to provide for doing this as this key is available on blackberry devices.
The solution seems quite simple to implement, but given that RIM operates in 175 countries and most governments having expressed their concerns on this issue would RIM be forced to run individual servers in each of these countries? Who would own and operate these servers? Where these servers would be placed physically? In countries where there are multiple ISP’s providing Blackberry Services, would a separate server have to be placed at each ISP’s datacenter? So is this a really practical solution?
It is difficult to understand why was this issue given so much exposure and media attention? Was the concern only in the way the data was routed or was it the encryption technology that is being used or was it the unfortunate combination which is unique to RIM’s implementation which has put blackberries in this turmoil?
I doubt if any terrorist who is seriously concerned about secure communication will ever use a blackberry device after having read all these articles of how RIM has struck deals with different governments. Are there more reasons why these countries are demanding a local server? Are there more demands which are not known to the media? The secret shroud around this issue certainly makes one curious on what is actually transpiring between RIM and the different Government entities!
In fact the conflicting statements made by RIM actually make even the diehard crackberry loose the trust in the device and the secure architecture which they have been preaching all these years. According to RIM the whole solution is so secure that no one even RIM could not intercept the messages flowing thru their servers. If that is the truth then what is it that they are negotiating with the different governments? I am sure they are not considering changing the underlying architecture on which it operates.
I am sure both Osama and Obama would seriously consider sending any confidential message using their blackberry devices. Yes they certainly would continue to use Facebook on blackberry
Cross posted from http://coolwizard.blogspot.com