When i saw this I figured I needed to wait to talk about it until the REAL story came out. Almost all media outlets(new and old) now use sensational headlines based on either old data or not data at all for clickbaiting. This “story” is no different.
The headline screams dutch police have cracked Blackberry. What they failed to mention in any detail is this against a Blackberry 9720 and attacked third party PGP software. BBOS itself then wasn’t attacked but the third party encryption software. If this third party software was not updated(and it most likely wasn’t) then that is where the vulnerability is..NOT the operating system itself. Blackberry is still secure folks…much more secure than Apple or Android.
Here’s the text from the Market Ticker’s story:
This is not “new news.” It has been circulating around for a while; I became aware of it quite a bit ago, but declined to write on it originally as it was a big fat nothingburger. I’ll get into why in a minute, but there are a bunch of screaming idiots who just will not stop when it comes to privacy and security issues, nor when it comes to taking cheap (and unearned) shots at firms, whether it be Google or BlackBerry. (As an aside these same idiots also cheer crapfaces like Apple who make similarly-worthless claims on the other side of the issue!)
A Dutch police unit has confirmed to the BBC that it can decrypt messages on Blackberry’s most secure smartphones.
It did not go into details about how it does this but said that its methods allow police to read messages.
Troubled phonemaker Blackberry has prided itself on providing customers with one of the safest methods of communication.
First, this is in relationship to older (BBOS7) handsets.
Second, the handsets in question were being sold by vendors who had added their own code to the handset, which obviously leads one to question whether the problem even has anything at all to do with BlackBerry itself.
Third, apparently this “secure” service includes the use of a custom (run by them) BES server. As I’ve pointed out repeatedly when you use someone else’s certificate and “secure” transport facilities you are trusting them; if they are not trustworthy and give away the keys to the store you’re screwed and you won’t even know it happened until it’s too late.
It is extremely likely that the “compromise” involves one or more of the following:
1. Arm-twisting. If the firm that did the “modification and resale” can be shown to have intentionally marketed to a “criminal element” then you simply threaten to prosecute the firm’s officers unless they turn over the keys. That was easy.
2. A foolish (or technically incompetent) choice by the modifier. There’s a lot of bad code out there. Some because people don’t understand yet put themselves out as “experts”, some due to simple errors (humans commit mistakes), some due to use of deliberately-poisoned code (either through subterfuge or foolish trust) or similar. Compromise of someone in the chain of trust for the BES server, by the way, counts.
3. A heretofore undisclosed vulnerability in the base code. The least-likely, but possible scenario. Again, these are older handsets; it’s certainly possible there’s a weakness in the code somewhere. But I’ll put my money on #1 or #2.
In any event since these are handsets being resold after being modified with someone else’s “enhancement” it’s very unlikely that this is actually about BlackBerry at all.
But it does make for good clickbait — and bashing — material, even if it’s flat-out false.
PS: If you’re a serious crook — serious enough that governments come after you in this sort of fashion — you really need to rethink trusting some third-party company that claims they have something “better” or “more-secure.” Insisting on strict proof might be a good idea, given that governments tend to have resources available to them that the ordinary thug or jackass (of which you are) does not.
The post Blackberry was NOT hacked appeared first on Emmanuel Technology Consulting.
