BlackBerry Phone Cracked

Australia is reporting that a BlackBerry device has been cracked after five years:

An encrypted BlackBerry device that was cracked five years after it was first seized by police is poised to be the key piece of evidence in one of the state’s longest-running drug importation investigations.

In April, new technology “capabilities” allowed authorities to probe the encrypted device….

No details about those capabilities.

Posted on August 3, 2020 at 11:54 AM • 18 Comments

Comments

Ross Snider August 3, 2020 1:51 PM

@Anders

Does this article imply that the encryption key derived from a password – and that the password was “moneymoney1!”? If so, even with very paranoid security settings in the KDF, I would have expected that password to have been cracked very easily. Dark net password cracking rigs definitely would have cracked that and it wouldn’t cost all that much to do either…

Even hashcat/jtr on modest hardware could probably get that password, if someone with enough dedication was looking at it.

Could the new capability be their own cracking rig?
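The KDF point in the comment above, worked through as an added example (this is not code from the post or from any commenter): a KDF's iteration count multiplies the cost of checking each candidate password linearly, while password entropy multiplies the number of candidates exponentially, so a heavily tuned KDF cannot make up for a password drawn from a small structured space. The word-list size, repeat count and digit/symbol alphabets are constructed assumptions; the candidate shape (word repeated, then a digit, then a symbol) mirrors the pattern the comment describes.

```python
import hashlib
import math
import os
import time

# Constructed assumptions for a structured guess space of the form
# <word> repeated k times + one digit + one symbol (k in 1..REPEATS).
# These numbers are illustrative, not measurements from the article.
WORDS = 20_000       # size of a common-word list
REPEATS = 3          # word, wordword, wordwordword
DIGITS = 10
SYMBOLS = 32         # printable ASCII punctuation


def pattern_space(words=WORDS, repeats=REPEATS, digits=DIGITS, symbols=SYMBOLS):
    """Number of candidates of the shape <word>*k + <digit> + <symbol>."""
    return words * repeats * digits * symbols


def random_space(alphabet=94, length=12):
    """Number of candidates for a uniformly random password over `alphabet` characters."""
    return alphabet ** length


def bits(space):
    """Entropy in bits of a password chosen uniformly from a space of this size."""
    return math.log2(space)


def kdf_seconds_per_guess(iterations, samples=3):
    """Measure the cost of one PBKDF2-HMAC-SHA256 derivation on this machine.

    One derivation is the cost of checking one candidate, so this is the
    per-guess price that the iteration count sets.
    """
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(samples):
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"candidate-password", salt, iterations, dklen=32)
        best = min(best, time.perf_counter() - t0)
    return best


def expected_search_seconds(space, seconds_per_guess, parallelism=1):
    """Expected wall-clock time to exhaust half the space (the mean case)."""
    return (space / 2) * seconds_per_guess / parallelism


def compare(iterations, parallelism=1):
    """Expected search time, in seconds, for the structured and the random password."""
    per_guess = kdf_seconds_per_guess(iterations)
    return {
        "seconds_per_guess": per_guess,
        "pattern": expected_search_seconds(pattern_space(), per_guess, parallelism),
        "random12": expected_search_seconds(random_space(), per_guess, parallelism),
    }


if __name__ == "__main__":
    print(f"pattern space : 2^{bits(pattern_space()):.1f} candidates")
    print(f"random 12-char: 2^{bits(random_space()):.1f} candidates")
    for iters in (10_000, 100_000, 1_000_000):
        r = compare(iters)
        print(f"{iters:>9} iterations: {r['seconds_per_guess']*1e3:7.2f} ms/guess, "
              f"pattern {r['pattern']/86400:10.1f} days, "
              f"random {r['random12']/(86400*365.25):.2e} years")
```

Raising the iteration count from 10,000 to 1,000,000 buys a factor of 100 on every line of the table; the gap between the two rows is a factor of roughly 2^54, which is why the comment's expectation is reasonable regardless of how paranoid the KDF settings were. For a defender the lever that matters is the size of the space the password is drawn from, not the KDF work factor alone.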

Clive Robinson August 3, 2020 2:04 PM

@ Anders,

I liked the snippet in the article you link to that sails close to the wind of accusing RIM of collusion with the Canadian Mounties.

I don’t know if you know about the accusations that were made against RIM some years ago about the Pakistani Government and its religious courts demanding access to all Blackberry traffic that used Blackberries rather than corporate servers?

Or the fact that during the “Croydon riots” in South East London a few years back the MET police had very very rapid access to messages sent from Blackberry encrypted phones. Way way faster than it would have been possible to crack any passwords etc.

It’s one of the reasons London’s petty criminals and gang youth almost overnight stopped using Blackberry Phones. It might also be one of the reasons EncroChat became popular with the more well resourced London criminals.

The moral whichever way you want to look at it is not to use what remains of the Blackberry phones, they might be proprietary but it sure looks like they are not secure in any way, and the reason for that would be down to RIM…

David August 3, 2020 2:41 PM

Many years ago, I was working on deploying a BES infrastructure for a client to support 25K user devices. Many of the details are fuzzy to me now, but I remember that RIM refused to allow us dedicated network connections to their DCs in Canada and wouldn’t provide any 100% self-hosted solutions.

We had over 200 BES systems hosted in our data centers already and were seeking NOT to use internet connections.

We weren’t used to being told, “no” by vendors. I remember only a few getting away with it – RIM was one on that short list.

echo August 3, 2020 3:31 PM

Cops read the manual and discover an “on” button? Really, I wouldn’t get too excited about police and technology. They haven’t known one end of technology from another for as long as I can remember.

Anders August 3, 2020 3:57 PM

@Ross Snider @Clive

I guess they got access through the lawful backdoor.

Canada and Australia are both members of the Five Eyes (FVEY).

en.wikipedia.org/wiki/BlackBerry#Security_agencies_access

Clive Robinson August 3, 2020 5:41 PM

@ Anders,

The wikipedia page you point to contains at least one provably factually incorrect statement…

Nah, not about Blackberry but about South West Trains. They do not have the rail franchise any more, it’s now a Chinese parent company running a subsidiary as South West Railways…

They do provide the Internet via WiFi on some of their trains, and it just so happens a lot of UK Politicians and very senior Civil Servants some of whom work in No10 and are involved with COBRA travel on their services[1].

[1] I know this because like many seniors they really do not think the rules apply to them (no it’s not just US politicos that have this problem). They chat on mobile phones and to colleagues on the train very indiscreetly and some use laptops and forget that due to the way the carriage seats are arranged people can read over their shoulders very easily and do… On one occasion a senior female civil servant was chatting to her friend on the way home to Norbiton Station[2]. It was a day when the UK had had its first Avian Bird Flu scare and she talked about the antics going on in COBRA and described it as being like a satirical version of the Python’s “dead Parrot sketch”… From that point on it was not difficult not only to work out who she was but shoulder surf some of the papers she read on the way home that really should not have been seen in public…

[2] Norbiton station is on the “Kingston loop line” out of Waterloo Station,

https://en.m.wikipedia.org/wiki/Norbiton_railway_station

It was made famous by the BBC comedy program “The Fall and Rise of Reginald Perrin”,

https://en.m.wikipedia.org/wiki/The_Fall_and_Rise_of_Reginald_Perrin

In the programme we are given the impression that the station was very close to Teddington (also on the loop) but it’s not.

Apparently there are (laughable) plans to make Norbiton a major point on “Crossrail 2”…

https://consultations.tfl.gov.uk/crossrail2/october2015/user_uploads/sw5.pdf

echo August 4, 2020 4:16 AM

@Clive

[1] I know this because like many seniors they really do not think the rules apply to them (no it’s not just US politicos that have this problem). They chat on mobile phones and to colleagues on the train very indiscreetly and some use laptops and forget that due to the way the carriage seats are arranged people can read over their shoulders very easily and do… On one occasion a senior female civil servant was chatting to her friend on the way home to Norbiton Station[2]. It was a day when the UK had had its first Avian Bird Flu scare and she talked about the antics going on in COBRA and described it as being like a satirical version of the Python’s “dead Parrot sketch”… From that point on it was not difficult not only to work out who she was but shoulder surf some of the papers she read on the way home that really should not have been seen in public…

Lawyers are the same. I have material which has to be handled securely. By this I mean restricted access with all the usual security protections which require my sign off. It is an offence to simply look or attempt to look at the material. All of the above is for my protection not their protection as per statute and case law. (For the record it’s nothing funny or scandalous.)

Then you have lawyers and MPs and everyone and their cat and dog attempting to force blanket confidentiality waivers on you as a pre-condition. And yes they have breezily pressured for this even when I objected. Are objections or statements of “acting under duress” noted? No. I believe there is case law kicking about which says this must be noted. It’s a bit difficult to stay level and concentrate especially for material which needs people to pay attention when you’re having to deal with this nonsense. The material actually requires expertise and training to handle as they simply will not understand what they are holding in their hands and there are risk factors with it floating about for everyone to have a nose. Yes, I have multiple citations from accredited experts confirming this too.

Last but not least on a completely unrelated matter some tiling at home did not meet BSI standards and the tiles are no longer available and I had to temporarily fix them. I suspect some of the ceiling paintwork did not meet BSI standards either. There’s a few other things which aren’t up to scratch either.

An enthusiastic amateur with time on their hands can meet or exceed the standards of professionals working to a price. I have collected a range of commentary from various professionals and court cases where this is indeed true and also policy documents nobody shouts about or in some cases flat out ignore.

No this client/citizen does not appreciate some of the antics from the state sector or “professionals” and their staff. There is a lot of lazy and stupid and self-entitled arrogance and impatience and “do as we say not do as we do” about and various BS and sleights of hand. What makes me fume isn’t just their attitude but lack of respect. Do they really think nobody notices?

It’s all being logged (contemporaneous logs because they are firmer in law plus I have other case law surrounding this firming things up) and in some cases covertly recorded. Again, I have the law on this and know what I can and cannot do with the material so I do not attract a charge and the court won’t dismiss a case.

echo August 4, 2020 7:25 AM

@Petre Peter

They are hoarding the vulnerability.

I’ve caught lawyers out (and others) hoarding material too. I have no idea why some people think they are the only people who know something which gives them an “edge” even if it’s just their pavlovian reptile brain doing the talking.

I’m sure there’s some academic papers people can tie together which explains this kind of individual and organisational behaviour. I tend to think it’s more of an individual thing which turns into groupthink organisations simply amplify. There’s plenty of case law in the discrimination field and some case law around youth custody which covers withholding of security related material for reasons of unfounded paranoia and avoiding scrutiny of ego enhancing “methods”.

Ismar August 4, 2020 9:57 PM

A couple of observations (before people go off on a tangent and start discussing completely unrelated things) :

  1. As usual very little details on how the feat was performed so very limited technical value in these news
  2. Point that the person was apprehended and phone taken based on some previous evidence which did not involve data on the phone is very important to the fact that police did not have to break the encryption to have this person arrested in the first place
  3. The lack of ability (and perhaps even effort) of the UAE’s law enforcement agencies to take control of the prolific drug hub which is used as a distribution center for shipments to the rest of the world
  4. Last, and perhaps most interesting fact to me, is that they could still make those other arrests 5 years after the phone was first confiscated and that other criminals could not do anything in that time period to disassociate themselves from the person arrested

David August 5, 2020 8:13 AM

The Blackberry story was always security theatre and security by obscurity for most people. Not much hope unless you ran your own BES and a bit of help from RIM on how keys were generated and stored would go a long way to recovering keys.
There is no way the real key space was that large.

TJ August 5, 2020 11:49 AM

I know nothing about Blackberry… Was the whole thing because they did decent enough key management or was it that they did good isolation and code auditing to prevent trivial exploit chains? I’ve heard on and off over the years about Blackberry security being better and never got that cause it’s just a common SoC and memory management..

c1ue August 5, 2020 1:04 PM

Blackberry/RIM has always been amenable to legitimate law enforcement access requests to BB messenger content. This has been going on for at least a decade, if not longer.
In fact, the genesis of the Brazil “Car Wash” investigation was BR law enforcement finally going to Canada to request BB messenger traffic for a known drug-ring money launderer – who turned out to be handling money for more than just this drug ring…
The article itself is written such that it is clear this particular extraction was directly from the hardware. Again, seems odd to have taken so long, but maybe some new capability was introduced into Cellebrite or they hired a real hacker to do a physical level intrusion on the device. But again, if the goal was the messenger traffic and there wasn’t a local server used, why not go to RIM?

echo August 5, 2020 2:29 PM

I still think there’s nothing in the article to suggest the cops discovered no more than where the “on” button was. Everything else is known included going directly to RIM so I’m struggling to see where there is any “magic sauce”.

Cops can shave the truth and misdirect as much as anyone. New technology “capability” doesn’t have to be anything to do with the phone. They could be stretching and bending the truth a dozen different ways. It could simply be the involvement of a new agency who knew what they were doing, or a policy change or a legislative change which unlocked an approach which already existed but they didn’t try before. I wouldn’t discount prosecutable leverage based on new information being applied for a deal and this being a cover story. Plus if they do have anything “new” that’s pretty much every Blackberry ever made compromised?

So I remain sceptical unless something genuinely new emerges.

TJ August 5, 2020 8:59 PM

@echo Blackberry and protocol-level attacks for TOR are the only places you see this nonsense… Before that with Apache-http a little..

uh, Mike August 6, 2020 3:40 AM

Law enforcement agencies have an interest in our believing they can crack a phone.
I am skeptical that they do it as often as they say they do.

Clive Robinson August 6, 2020 7:09 AM

@ uh, Mike,

I am skeptical that they do it as often as they say they do.

All LEO agencies are “resource bound” which means they have “value bars”. Thus a crime of low value does not clear a bar for anything other than basic “recording paperwork”. Whilst the value bar or hurdle is mostly by economic value, the law gives ways to assess other harms such as injury by economic value thus they get included. There are however other “value drivers”, politics is the main one and this can be driven by the politicians setting priorities or the likes of the MSM making comment.

Thus whilst a capability may be available and often is, it’s value barred in many cases from being used.

The LEO agencies however get their resources by “apparent performance” not “actual performance”, that is they are a “defence organisation” and if they did their job perfectly there would be no crime thus by dint of the usual human nature no funding either.

Thus LEO agencies have learnt to be “media wh0r3s” as a method of self defence, thus they will where ever possible try to “talk things up” as that helps keep the money coming in. Thus in some cases they will “over egg the pudding”. So talking about “new capabilities” etc is a form of advertising and as we should all know by now advertising is rarely based on actual truth, just an illusion of truth.

So yes,”new capabilities” could mean anything including having a new person put a backlog of phones in a box and use UPS etc to send them to Canada from Australia…
