Blackberry Ban- The Stalemate Continues.

There have been reports stating that RIM has given into the demands of the Saudi government and placed a local RIM server which would allow the security agencies to snoop on the conversations happening over BBM/PIN2PIN. This was easy to achieve considering that there is only a single encryption key involved and that the key was easily available.

It would be interesting to know how the demands of other governments would be met by RIM. Indian government has been demanding that it needs access to the emails being sent using the Blackberry Enterprise Servers. UAE government has concerns in the emails being sent out of the country.

The BES architecture uses multiple keys which are dynamically generated and managed between the device and the BES Server.  Let us see what happens when Alice sends an email to Bob who is a blackberry user in the same organization.

1.       Alice sends an email message to bob’s email address using her desktop email client.
2.       The email server receives the email and sends it to bob’s mailbox.
3.       The BES server receives the email from the Mail Server to be delivered to Bob’s BB Device.
4.       The BES server compresses and encrypts the message using multiple message keys.
5.       The message key is encrypted using the device transport key.
6.       The encrypted message and the encrypted device transport key are sent to the device thru the RIM relay Servers.
7.       The message gets delivered over the air (OTA) to the blackberry device thru the wireless connectivity provided by the ISP.
8.       The device decrypts the message keys with the transport key.
9.       The device applies the message keys to the encrypted message and displays it to Bob.

So it’s the device transport keys which the governments are expecting RIM to provide them so that they could intercept and decrypt the emails passing thru their ISP networks.

So how is this Device Transport Key generated and maintained? The following details are from security documentation published by RIM.

“The BlackBerry® Enterprise Server and BlackBerry device negotiate to select the strongest algorithm that they both support (either AES or Triple DES) and use that algorithm to generate a device transport key during an over the air activation of the device.”

“By default, the BlackBerry® Enterprise Server and BlackBerry device generate subsequent device transport keys every 30 days. The BlackBerry Enterprise Server and BlackBerry device generate the device transport key using existing long-term public keys and the ECMQV key exchange algorithm to negotiate a device transport key. This method is designed so that a potentially malicious user is unable to calculate the device transport key. The BlackBerry Enterprise Server and BlackBerry device discard the key pair after they generate the device transport key.”

RIM seems to have made sure with this architecture that there is no way a third party (including itself) will ever get access to the device transport keys.

So there is a device transport key unique to every device and it changes every 30 days.  In a country with a million blackberry users even if half of them were BES enabled, the ISP would require quite a large infrastructure to hold and manage these keys and probably a super computer to apply the corresponding device transport keys to decrypt the message keys and then apply the message keys to the encrypted message and then decrypt and store them.  All this to intercept communication between terrorists!!   As mentioned in my previous post, after all the media attention and the government demands for interception the Osama’s and Obama’s would never use a blackberry to do any serious communication.

The question remains on how RIM would get hold of these keys. It has to either alter the device configuration to send the device transport keys to a local server, or it has to modify the BES Server architecture to upload the device transport keys to the local server in the country. Both of which are difficult to achieve as it involves a software upgrade either on millions of devices or on thousands of servers.

What every government is demanding is a copy of the device transport key of every device connected to a BES Server in the country. Let’s say that I work in India and my company’s blackberry server is in Timbuktu. The Indian government would not have the keys to see my communication!!  Wouldn’t this be the typical case of a terrorist? Assuming that the typical terrorist is a foreigner he would be using a blackberry device supported by an ISP of another country to which my local government doesn’t have keys. I wonder how many terrorists have a registered office and a datacenter to host a blackberry enterprise server!

If the RIM documentations about the architecture are to be believed there is no foolproof technical solution to address the concerns of these government entities. It’s hard to believe that the RIM technical team hasn’t been able to communicate the same to the government agencies and close the issue. So how will the stalemate end? Will blackberry be banned in these countries or will it be a face saving exercise of placing a local server in every country which would just display lines of encrypted text on the screens?  If that is the case RIM will add another product line to its portfolio:-Face Saving Relay Servers in different colors. The countries will get to choose from a Red, Orange or a BLACK BOX.

Osama & Obama have lost trust in their Blackberry Devices

As mentioned in my previous article, Blackberry Messenger uses the same encryption key on all devices. This would mean that if one could intercept the PIN message sent to another device it could be decrypted and read.  

RIM does give its customers an option to replace the default encryption key on the devices with a company specific key. This would limit the BBM communication to company devices only which have the same key.  It should also be noted that it is only the message body which is encrypted and not the header which will still carry the source and destination device PIN identifiers in clear text.

The Blackberry Messenger communication is a PIN 2 PIN (device to device) message which passes only thru the RIM Relay Servers.  The BES Server or the local ISP is not party to this communication and this is where the concerns raised by many national security bodies are coming from. They have no way of intercepting the Blackberry Messenger Communication.  The solution these governments have demanded is a local RIM Relay server thru which all PIN to PIN communication should flow so that they could intercept and decrypt it on a demand basis or even real time basis.

It is easy to comprehend here that once the messages are routed thru a local proxy server the global encryption key could be used to decrypt the message and make the content available to the local security agencies.  What I fail to understand is that as the devices were communicating to the RIM relay using the internet connectivity provided by the local ISP why couldn’t the ISP transparently proxy/mirror all communication to the RIM Server and use the Global Encryption key to decrypt it themselves. What action was required by RIM to enable the local ISP get access to these messages? There are no encryption keys which RIM is going to provide for doing this as this key is available on blackberry devices.

The solution seems quite simple to implement, but given that RIM operates in 175 countries and most governments having expressed their concerns on this issue would RIM be forced to run individual servers in each of these countries? Who would own and operate these servers? Where these servers would be placed physically?  In countries where there are multiple ISP’s providing Blackberry Services, would a separate server have to be placed at each ISP’s datacenter? So is this a really practical solution?

It is difficult to understand why was this issue given so much exposure and media attention? Was the concern only in the way the data was routed or was it the encryption technology that is being used or was it the unfortunate combination which is unique to RIM’s implementation which has put blackberries in this turmoil?

I doubt if any terrorist who is seriously concerned about secure communication will ever use a blackberry device after having read all these articles of how RIM has struck deals with different governments. Are there more reasons why these countries are demanding a local server?  Are there more demands which are not known to the media? The secret shroud around this issue certainly makes one curious on what is actually transpiring between RIM and the different Government entities!

In fact the conflicting statements made by RIM actually make even the diehard crackberry loose the trust in the device and the secure architecture which they have been preaching all these years. According to RIM the whole solution is so secure that no one even RIM could not intercept the messages flowing thru their servers. If that is the truth then what is it that they are negotiating with the different governments? I am sure they are not considering changing the underlying architecture on which it operates.

I am sure both Osama and Obama would seriously consider sending any confidential message using their blackberry devices. Yes they certainly would continue to use Facebook on blackberryJ.

Product: Windows Server Update Services 3.0 SP2 -- Removal failed.

WSUS wouldnt let me uninstall it and would just fail and write "Product: Windows Server Update Services 3.0 SP2 -- Removal failed." to the Application Event Log.

A lot of people seem to have posted this issue, but none of the forums had a proper resolution to it. There were few analysis of the causes of the issue available though. Some belived that it was a problem with the ACL on the SQL/ Windows Internal DB, installation directory and suggested that DB be uninstalled manually by running "msiexec /x {CEB5780F-1A70-44A9-850F-DE6C4F6AA8FB} callerid=ocsetup.exe" ont he command prompt. It didnt work for me though.

Another analysis of the issue was that WSUS was installed with Windows Internal Database and somehow the registry was missing this information. The trick suggested was to modify the value of "wYukonInstalled" from 1 to 0 in the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup] registry location. Choose to leave the Database on the uninstallation options. This worked and I was able to uninstall WSUS. The Windows Internal Database can be deleted from the default installation path "C:\WINDOWS\SYSMSI\SSEE".

Myth - BBM is Secure

I felt secure communicating on the BBM... Till some time back!!

It was probably the fact that the BBM messages do not travel over the internet was making me feel 'secure' about it, or was it the fact that BBM only works on a BlackBerry Devices and my belief that BlackBerry devices are secure by design. Not Sure...but somehow I thought it was the safest IM App avaiable.

I fired my browser and landed on Google. I couldn’t find many articles about the security of messages communicated over BBM. I couldn’t even find any notes on the BBM architecture. I will just summarize what I was able to understand from many different pages.

Blackberry Messenger is a skin on top of the basic PIN to PIN messaging which has been there on these devices for long. A “PIN” is a hardware address, similar to a MAC address, and is unique to every BlackBerry device. A “PIN” however is not an authentication password nor is it a user identifier. It is the method by which the BlackBerry device is identified to the RIM relay for the purpose of finding the device within the global wireless service providers’ networks.

Alice sends a message to Bob. The target address for this message would be the PIN of Bob's Blackberry Device. The message is received by her service provider which sends the message to the RIM Relay Server. The RIM relay identifies Bob’s BlackBerry device by its PIN and forwards the message directly to Bob’s wireless service provider. These messages do not travel thru the internet or the Blackberry Enterprise Server and hence are faster than email communication. It is ideal for communication in Emergencies, or when your Emails Server/BES etc are not functional. I am sure this raises the question about compliance, auditing, content security etc. These messages bypass all the onion skins of security and land on the devices directly. Unless specifically configured on the BES thru an IT Policy, these messages are not logged on the BES. This has prompted certain enterprises to disable PIN to PIN messages on their corporate BB devices.

Now, one would assume that since RIM has been serious about security, they would have made the transmission secure by encrypting it. Well they did! All PIN to PIN messages are encrypted with Triple DES. Excellent!! Not exactly all RIM devices are loaded with a common peer-to-peer (same) encryption key which is used for encrypting the PIN to PIN messages. This would mean that every blackberry device can decrypt any PIN message that it receives because every BlackBerry device stores the same peer-to-peer encryption key. RIM advises users in one of the security guides to “consider PIN messages as scrambled, not encrypted”. It would mean that if I were to sniff the traffic coming to your device I could potentially decrypt the PIN messages and see them. The probability of such a threat actually happening is very rare but technically possible.

As I mentioned earlier the PIN is a number burnt on to the device and is permanent. This highlights another potential vulnerability. Bob's device is wiped and assigned to Dave. The device would still retain the same PIN and will continue to receive PIN messages addressed to that PIN. Alice would be unaware of the fact that her messages intended to Bob are being delivered to Dave.

Let us consider another situation. Chuck steals Bob’s device. Chuck could actually impersonate Bob and elicit information from Alice. Alice would think that she is communicating with Bob and unsuspectingly share information. She is in fact communicating with the PIN of Bob’s device which is now with Chuck.

If PIN can be spoofed it could be another potential threat to the security of messages exchanged using P2P. I was not able to find any information on how to do it. The forums seems to suggest that it’s not possible.

Lesson learnt:

Be careful when sharing sensitive information over BBM/PIN Messages because:-

• PIN-to-PIN messages are encrypted using an encryption key which is accessible to everyone.
• The messages you send are to an address which is tied to a device and not a person.
• Big Boss might be watching. If PIN-to-PIN messages are configured to be logged on the BES server, all BBM/PIN Messages would be logged in Clear Text Log files on the BES Server.

 I still love my Blackberry :)