[Superdupont 2_0]

Is BBM Protected Less Secure Than iMessage? - DHabkirk

Posted via CB10

I like the sentence "As Apple handles most of the encryption and also the key exchange, they can easily add one more public key to �device� list, which would allow sniffing."

perhaps EFF will feel some heat later in phase 2 !

PS: But still appreciate they started this scorecard.

[anon62607]

I like the sentence "As Apple handles most of the encryption and also the key exchange, they can easily add one more public key to �device� list, which would allow sniffing."

perhaps EFF will feel some heat later in phase 2 !

PS: But still appreciate they started this scorecard.

the entire scorecard is based on the premise that the companies or providers of the software are doing what they claim to be doing. Even if apple did not add a key, they control the underlying operating system and hardware. Apple is in a position to (with some effort) intercept the plaintext of any message generated by any chat program if they wanted to - even BlackBerry Messenger - running on iOS.

I don't think it's likely that they would add message keys as, for one, it would be fairly easy to discover. as a message is encrypted on the device itself, and a copy of each message is encrypted and sent for each recipient device, you could for example send a 1MB photo and verify that only 5 MB are transmitted if your target has 5 devices.

even in the situation that the NSA has surreptitiously placed an agent at Apple and got that agent positioned such that they had access to apples servers, it wouldn't do any good as the messages themselves cannot be decrypted by apple.

the same situation would not protect blackberry messenger (with the consumer version, not protected).

it's not really about trusting blackberry or apple, both companies can be compelled by legal order to assist law enforcement and both will do so to the limit of their technical ability when compelled to. Apple is trying to make it a point for it to be beyond their own technical ability to assist, and they are doing so with their baseline messenger.

Blackberry has not taken quite as an aggressive role yet with their baseline messenger.

Both blackberry and apple are of exceptional competence with regard to cryptography and security, and both could do more than they are now, but it is important for people to realize where the weakness of each platform is in security.

Baseline BBM is not as safe as many people on crackberry seem to think it is and even with certificate pinning and what have you we don't know what the internal network architecture at blackberry looks like. frequently companies that do use SSL also load balance, for example, and terminate the SSL / TLS connection at something like an F5 on the front end and after the load balancer everything is in the clear. anyone able to listen in behind the F5 would have access to the unencrypted data. even given the analysis we have seen so far we don't really have a clear picture of the security of BlackBerry Messenger. If that were the case , for example, the NSA could attack the load balancer rather than having to attack the actual relay servers.

I do think basic privacy these days does require end to end encryption, secure key exchange, authentication and perfect forward secrecy.

[Tre Lawrence]

I'm learning quite a bit. Thanks to those contributing.

[jefbeard911]

This was first posted by bbjdog but it wasn't the original source. I though some may want to see the original post on Inside Blackberry.

http://bizblog.blackberry.com/2014/1...you-can-trust/

Note the multiple mentions of enterprise messaging security and BlackBerry Protected while the "consumer grade" BBM is hardly mentioned.

Sent from my awesome BlackBerry Z3 running BlackBerry 10 - 2BBEAACF

[Superdupont 2_0]

Blackberry has not taken quite as an aggressive role yet with their baseline messenger.

BB 10 users can have video-chats (how many messengers can do that actually?), and then BBM went successfully cross-platform including features like "voice call" (iMessage cross-platform?) and all that for free and without any security fiasco.

Baseline BBM is not as safe as many people on crackberry seem to think it is and even with certificate pinning...

You seem to know something more specific or are you speculating?

I can do that to:

Is iMessage safer even without certificate pinning?
Aren't all providers directing the traffic over their servers and therefore in a perfect MITM position?
Can Apple read your end-to-end encrypted iMessages, once you did a back-up into iCloud?
Are Your Apple iMessages Really Safe From Prying Eyes?

All rethorical questions at this point. Quote from the EFF:
"the results in the scorecard below should not be read as endorsements of individual tools or guarantees of their security; they are merely indications that the projects are on the right track"

This is only phase 1 and mostly about some basic Good Practice.

I do think basic privacy these days does require end to end encryption, secure key exchange, authentication and perfect forward secrecy.

The most interesting question is:
Do you think that BBM Protected meets the EFF criterions for Contact Identity Verification and Forward Secrecy?
Yes or No?

I believe BBM Protected does meet these criterions and that EFF is making false statements.

And if EFF has just started phase 1 with false statements, how reliable will be phases 2,3 or 4?

[jefbeard911]

Regardless of whether or not BlackBerry Protected is a good platform security-wise I still think important to note that the "consumer-grade BBM, which most of us use, seems to have a lot of questions surrounding it. So much so that BlackBerry doesn't even defend it much in their latest post on Inside Blackberry (most likely issued to counter EFFS claims).

Sent from my awesome BlackBerry Z3 running BlackBerry 10 - 2BBEAACF

[Bluenoser63]

This was first posted by bbjdog but it wasn't the original source. I though some may want to see the original post on Inside Blackberry.

BBM: Security You Can Trust | | Inside BlackBerry for Business Blog

Note the multiple mentions of enterprise messaging security and BlackBerry Protected while the "consumer grade" BBM is hardly mentioned.

Sent from my awesome BlackBerry Z3 running BlackBerry 10 - 2BBEAACF

Yes. But two points on the blog post point to the fact that the

BBM publishes its security design and audits its code

which disputes two points that EFF says that BBM doesn't do.

[bbjdog]

This was first posted by bbjdog but it wasn't the original source. I though some may want to see the original post on Inside Blackberry.

BBM: Security You Can Trust | | Inside BlackBerry for Business Blog

Note the multiple mentions of enterprise messaging security and BlackBerry Protected while the "consumer grade" BBM is hardly mentioned.

Sent from my awesome BlackBerry Z3 running BlackBerry 10 - 2BBEAACF

The original link i supplied had all the sublinks to Blackberry.
Here is the BBM info for the clan.

BBM: Security You Can Trust | | Inside BlackBerry for Business Blog

http://docs.blackberry.com/en/admin/...urity_Note.pdf

[agentfat2004]

"even in the situation that the NSA has surreptitiously placed an agent at Apple and got that agent positioned such that they had access to apples servers, it wouldn't do any good as the messages themselves cannot be decrypted by apple. " This is not entirely true based on my understanding of what apple is doing. In order to allow multiple devices to communicate apple has an IDS server which is where they store the keys for all the devices where the messages need to go. They could simply add another device on that list and all of your messages would go there. I don't have an iphone and am not sure if you can confirm how many devices you have listed on IDS, but apple design still allows for a MITM, it would'nt let them see your previous message history but your future history could be watched.
You are correct about consumer grade BBM. I don't think people understand how bad it is as it relates to a security/privacy perspective. I would be willing to pay for BBM Protected like features without the need for BES. I do think that blackberry somewhat meets the you can verify your contact requirement based on their key exchange protocol, but i think EFF was trying to take that to mean on a continuous basis. This is where BBM protected could work out something(but i guess you can say this is no longer neccessary because you verified who was holding the keys).

I think the lack of perfect forward secrey may have been a business decision(I would like it for regular bbm though). In general BBM Protected is targetted at regulated industries where they don't want you to have deniable conversations and where they organization may want your bbm chat history logged. In theory they could just relog the message to the BES infrastructure, but this may have been extra work that added little business value. Blackberry should upgrade the strength of consumer grade BBM, but my guess is upgrading consumer grade BBM security may likely put limits on what software they are allowed to export which may impact sales. The good news is if the competition is doing it, it may be just enough that blackberry is allowed to do it to.

[anon62607]

I will try to respond a little more when at a desktop, but I think the scorecard should have been approached from a different way - not feature by feature protection but who you are likely protected from given specific adversaries. if you are trying to protect messages from being intercepted from the local coffee shop wifi sniffer, that's one thing. If the adversary is a rival multinational corporation that's another - they have vast resources but cannot compel legal action. next up would be law enforcement followed by national-level intelligence agencies, perhaps followed by bored employees at whichever message provider you use. With that escalating set of adversaries, which is safer? baseline (consumer) BBM or iMessage? What action would a national level intelligence agency need to take to bulk-intercept all messages from one or another provider?

I believe that imessage is safer from bulk intercept than BlackBerry Messenger consumer is. but that probably needs a longer discussion

[Superdupont 2_0]

I don't think people understand how bad it is as it relates to a security/privacy perspective. I would be willing to pay for BBM Protected like features without the need for BES.

I can't follow you in this particular point.

1) Security
The regular Crackberrian with a BB 10 device has two layers of encryption: TLS + 3DES

BBM Protected | eBBM Secure Messaging & Encrypted Chat | BlackBerry - US
http://docs.blackberry.com/en/admin/...urity_Note.pdf

We know from the paper on the Android app that cert pinning is used (assuming this is also true for all other platforms).
We simply don't know whether FS is used or not, do you?
But even if not: How likely is it that BBRY will lose both encryption keys?

I am no crypto guru, but I can't imagine that this traffic could be decrypted without the help from BBRY.

2) Privacy: The day BBRY operators start to exchange nude pics from bbm customers, would be the day the stock value implodes to zero. However, as elsewhere mentioned in this thread, the Terms&Conditions are not very privacy friendly.

I do think that blackberry somewhat meets the you can verify your contact requirement based on their key exchange protocol, but i think EFF was trying to take that to mean on a continuous basis. This is where BBM protected could work out something(but i guess you can say this is no longer neccessary because you verified who was holding the keys).

May I repeat: "The recipient responds to the invitation and provides the highest version of BBM Protected that the recipient supports, proof that they know the secret password, and the recipient's long-lived public encryption and signing keys"

My understanding is that if your BES-admin would issue new keys for any reason, you have to repeat the whole procedure described on page 13 of the whitepaper

I think the lack of perfect forward secrey may have been a business decision(I would like it for regular bbm though).

The lack?
Quote: "Each message uses a new random symmetric key for message encryption. "

Okay, this applies for BBM Protected, I simply don't know what regular bbm is using.

Blackberry should upgrade the strength of consumer grade BBM, but my guess is upgrading consumer grade BBM security may likely put limits on what software they are allowed to export which may impact sales.

The main problem is that BB 10 is not full of holes (compared to Android and iOS).
If they give us true end-to-end-encryption, there is probably no way to return... I must admit I have mixed feelings here for now.
So far the Snowden revelations did not prove mass surveillance by the industry (though I am tempted to exclude Google from this statement). As long as I can trust that BBRY follows the laws, I don't care about end-to-end encryption, but that's only me.

The good news is if the competition is doing it, it may be just enough that blackberry is allowed to do it to.

I fully agree, may I add:
Thanks to Devs like PGUI and QtHelex end-to-end endcryption is already available for regular bbm... so if your life depends on a message you as a consumer can have the 3rd encryption layer.

[Superdupont 2_0]

[...] next up would be law enforcement followed by national-level intelligence agencies, perhaps followed by bored employees at whichever message provider you use. With that escalating set of adversaries, which is safer? baseline (consumer) BBM or iMessage? What action would a national level intelligence agency need to take to bulk-intercept all messages from one or another provider?

I believe that imessage is safer from bulk intercept than BlackBerry Messenger consumer is [...]

Assuming there are security breaches at Apple and BBRY and keys got in the wrong hands, then in a nutshell:
iMessage is safer from bulk interception (imho).

But, let's say your only mistake is being a top-politician (= there is no warrant, no crime, and BBRY protects your rights), then the certificate pinning will make you less vulnerable to a tailored attack (imho).

[Superdupont 2_0]

BBM TERMS OF SERVICE


(k) Storing of Messages. The contents of messages that have been delivered by the Services are not maintained or archived by us in the normal course of business. BBM messages are sent via data services to servers operated by or on behalf of us, and routed to the recipient(s), if the recipient(s) are online. Once a message has been delivered, it no longer resides on our servers. If the recipient(s) are not online, the undelivered message is held in servers operated by or on behalf of us until it can be delivered for up to thirty (30) days, after which the undelivered message will be deleted from our servers. The contents of any delivered messages reside directly on the sender's and recipient's devices unless deleted by those users, or by auto-delete features of the software used by such users.
Notwithstanding the above, we may retain transactional details associated with the messages and devices (for example, date and time stamp information associated with successfully delivered messages and the devices involved in the messages), as well as any other information that we are legally compelled to collect.

[anon62607]

BB 10 users can have video-chats (how many messengers can do that actually?), and then BBM went successfully cross-platform including features like "voice call" (iMessage cross-platform?) and all that for free and without any security fiasco.



You seem to know something more specific or are you speculating?

I can do that to:

iMessage is quite specific in not wanting to be cross platform, and that is something of an advantage for BBM - though the implementations of BBM on other platforms are kind of hit and miss. The Windows Phone variant is quite bad.

Is iMessage safer even without certificate pinning?
Aren't all providers directing the traffic over their servers and therefore in a perfect MITM position?
Can Apple read your end-to-end encrypted iMessages, once you did a back-up into iCloud?
Are Your Apple iMessages Really Safe From Prying Eyes?

That article is from 2013. Now, all iCloud backups are encrypted and retrieving and decrypting them requires your icloud password at minimum, and (I believe) secondary authentication from another device.

Do you think that BBM Protected meets the EFF criterions for Contact Identity Verification and Forward Secrecy?
Yes or No?

I believe BBM Protected does meet these criterions and that EFF is making false statements.

And if EFF has just started phase 1 with false statements, how reliable will be phases 2,3 or 4?

So let's see:

Two acceptable solutions are:

An interface for users to view the fingerprint (hash) of their correspondent's public keys as well as their own, which users can verify manually or out-of-band.
A key exchange protocol with a short-authentication-string comparison, such as the Socialist Millionaire's protocol.



I can't really answer that, I don't use BBM protected. I can say consumer BBM does not provide for any of that, but you can probably help out with BBM protected's answers: when I want to start talking to a contact in BBM protected, what can I do in BBM protected in terms of the interface to view the fingerprint of the public key of the person I'm talking to?

[anon62607]

Assuming there are security breaches at Apple and BBRY and keys got in the wrong hands, then in a nutshell:
iMessage is safer from bulk interception (imho).

But, let's say your only mistake is being a top-politician (= there is no warrant, no crime, and BBRY protects your rights), then the certificate pinning will make you less vulnerable to a tailored attack (imho).

I don't quite follow. If you have good authentication and encryption, it doesn't matter what the transport is and if it is secure. Post the ciphertext on twitter if you want and let the person you are talking to subscribe to your feed. You're effectively doing one better than certificate pinning of the server, you're certificate pinning of your subject.

As I mentioned before, at any rate we don't know if the certificate is being pinned to some front end which does actually terminate the TLS and forward it internally to whatever is handling the relay.

[anon62607]

I can't follow you in this particular point.

1) Security
The regular Crackberrian with a BB 10 device has two layers of encryption: TLS + 3DES

BBM Protected | eBBM Secure Messaging & Encrypted Chat | BlackBerry - US
http://docs.blackberry.com/en/admin/...urity_Note.pdf

This is the problem. Blackberry uses the language:

• A Triple DES 168-bit BBM scrambling key encrypts messages on the sender’s smartphone, and is used to authenticate and decrypt messages on the recipient’s phone.

Which is what they have previously used to refer to the "scrambling" by using 3DES to "encrypt" the message to a single, common-to-every-blackberry-in-the-world key. Blackberry has previously warned to not view this protection as encryption but rather as scrambling, the government of canada has warned to not rely on this as protection. It is most certainly well known to every intelligence agency in the world and russian hacker forum. In addition, it does nothing to protect the messages as they pass through blackberry as it is within blackberry's technical capability to intercept and decrypt those messages.

[anon62607]

"even in the situation that the NSA has surreptitiously placed an agent at Apple and got that agent positioned such that they had access to apples servers, it wouldn't do any good as the messages themselves cannot be decrypted by apple. " This is not entirely true based on my understanding of what apple is doing. In order to allow multiple devices to communicate apple has an IDS server which is where they store the keys for all the devices where the messages need to go. They could simply add another device on that list and all of your messages would go there. I don't have an iphone and am not sure if you can confirm how many devices you have listed on IDS, but apple design still allows for a MITM, it would'nt let them see your previous message history but your future history could be watched.

Apple have to add it on a per-recipient basis. They can't add a general "device" to catch all of your outbound messages, when you want to send a message to someone, your device looks up their device list in the IDS server, then encrypts a copy of the message to each target device and uploads it. Those messages sit on Apple's servers waiting to be retrieved by each device or until they expire (in 7 days). There is no easy way to determine which keys you are encrypting your message to as it is done on a conversation by conversation basis and there is no way to inspect a given contact for how many devices that contact has or the signatures of the keys of those contact devices.

If you suspects all messages from you were being intercepted, you could perform a test in which you send a message to a subject that you know has only a single device and make the message an easy to measure, large length (say, 1MB). Measure the amount of data used by the message - if it's 2 MB, you know your message is being delivered to two devices and so on. That is by no means something you should have to rely on though, but it does increase the chances that Apple would not do something like that because it is theoretically possible that they could be caught.

You are correct about consumer grade BBM. I don't think people understand how bad it is as it relates to a security/privacy perspective. I would be willing to pay for BBM Protected like features without the need for BES. I do think that blackberry somewhat meets the you can verify your contact requirement based on their key exchange protocol, but i think EFF was trying to take that to mean on a continuous basis. This is where BBM protected could work out something(but i guess you can say this is no longer necessary because you verified who was holding the keys).

I do actually think BBM Protected is pretty good - but it is not the best solution, and neither is iMessage. As I said before, iMessage is pretty nice as it is very easy to use and available to all users of iOS devices and the security is quite good. If you had your choice between using regular BBM and iMessage the choice should be iMessage for every-day security, where "every-day" means protecting incidental non-sensitive conversations.

People in a corporate environment do have IT people to brief them on the risks and security levels of the different messengers and they're more likely to be using BBM Protected anyway, but the good thing about the EFF scorecard is letting the more consumer-level BBM customers that the messenger they use (regular BBM) is not "very safe". It is safe enough from anyone not able to deliver a court order to blackberry or national intelligence agencies, it is probably not particularly safe from bulk intercept by national level intelligence agencies, though.

It's not a bad thing for people to be aware of that.

[Superdupont 2_0]

Two acceptable solutions are:

An interface for users to view the fingerprint (hash) of their correspondent's public keys as well as their own, which users can verify manually or out-of-band.
[I]A key exchange protocol with a short-authentication-string comparison, such as the Socialist Millionaire's protocol.[/I


I can't really answer that, I don't use BBM protected. I can say consumer BBM does not provide for any of that, but you can probably help out with BBM protected's answers: when I want to start talking to a contact in BBM protected, what can I do in BBM protected in terms of the interface to view the fingerprint of the public key of the person I'm talking to?

According to the whitepaper (from page 10 onwards) there is a key exchange protocol in place (as required by the criterion) in combination with a out-of-band shared secret (as required by the criterion).

BlackBerry was perhaps a bit too creative here, but if there is a problem with this criterion of EFF, the EFF should change the wording.
This set-up of BBM Protected is providing exactly the security level for the verification process, that is required by the criterion.
If EFF would doubt that, I could start and say: Why should you believe in anything that is displayed in an app (e.g. Threema)?
Or let's make it more academical: If it is not displayed in your app, does it really exists?
To some little extend we have to trust protocols of the provider/developer.


Hmm, hmm, no word from you about Forward Secrecy?
According to page 10 of the whitepaper "The pairwise key is derived from the BBM chat initiator’s private encryption key and the recipient’s public encryption key, using One-Pass ECDH." and the marketing phrase on their website says "Each message uses a new random symmetric key for message encryption."

[Superdupont 2_0]

I don't quite follow. If you have good authentication and encryption, it doesn't matter what the transport is and if it is secure.

I would like to underline once:
I totally agree with you in most points. And here is a perfect example. Out of context, your statement is totally true.

But when we compare iMessage with BBM:
Do you think that iMessage is providing "good authentication"?
The public keys are managed by Apple and there is no certificate pinning, so how authentic can the message become?

For a successful MITM attack on iMessage you probably need also some luck (not only skills), but if the attack is successful:

"Second surprise was actually bigger: we saw our AppleID and password going through this SSL communication. Yes, the clear text password."

Taken from : iMessage Privacy

[Superdupont 2_0]

Please let me re-arrange that, we maybe find a compromise

• A Triple DES 168-bit BBM scrambling key encrypts messages on the sender’s smartphone, and is used to authenticate and decrypt messages on the recipient’s phone.

Blackberry has previously warned to not view this protection as encryption but rather as scrambling, the government of canada has warned to not rely on this as protection.

In agree, but I think the reason, why they called it "scrambling" was simply, because...

... it is within blackberry's technical capability to intercept and decrypt those messages.

I do not believe that, at this moment, the 3DES Key

... is known by every intelligence agency in the world and russian hacker forum..

I did however already posted a link that indicates BlackBerry was probably helping the Canadian LEA in fighting the mafia and that would be consistent what is said about BIS traffic in this article here: U.S. and U.K. spies crack BlackBerry BES encryption, report says | Computerworld


Mass Surveillance however, would be a violation of the Terms&Conditions which I cited before, and there is no evidence from the Snowden leaks for that.
I think even in countries like India, Saudi-Arabia, etc etc ...we actually do not know which data are handed out under which conditions.
And that India (if I remember correctly?) requested that the servers must be located in India, is rather providing more security not less (from an Indian viewpoint; Microsoft is currently in a battle, as the US jurisdiction is forcing them to hand out data, which are stored on European servers for a reason).

[anon62607]

I did however already posted a link that indicates BlackBerry was probably helping the Canadian LEA in fighting the mafia and that would be consistent what is said about BIS traffic in this article here: U.S. and U.K. spies crack BlackBerry BES encryption, report says | Computerworld

I suspect that is actually a compromise of the BES server itself that they're able to do that rather than a weakness in the encryption. I don't think they can mass collect BES data, though the compromise is probably on the verge of push-to-deploy automated.

[anon62607]

I do not believe that, at this moment, the 3DES Key {has been compromised}

It would be pretty difficult to believe that it isn't fairly widely known. All that needs to be done is extract the key from any blackberry device and that is well within the technical ability of almost any agency or even university.

A very well-funded agency, could for example fabricate their own CPU, lift the blackberry CPU from the surface of the board and replace it with their own, and have the CPU itself dump out the data it processes and recover the key that way. It only needs to be done once.

(the global key can be replaced by a BES, but by default - and what most consumers use - it isn't. Also if the key is changed that device can no longer communicate PIN-to-PIN or BBM to any other except those that also use the same key,etc)

I doubt that it even needs to be that sophisticated though.

[Superdupont 2_0]

All that needs to be done is extract the key from any blackberry device and that is well within the technical ability of almost any agency or even university.

There are papers out there about forensic analysis of BBOS and BB10, but afaik nobody demonstrated the extraction of the 3DES-Key (or any other encryption key, stored on a BB).

But still I agree, Apples approach with individual, unique keys on the coprocessor is better.
And, yes, BBM Protected is there for a reason.


For the moment, I would prefer little steps and focus on the scorecard of EFF:
Is the rating for BBM Protected fair and correct?
I don't think so.

[agentfat2004]

Please read fully what i said. Yes, BBM Protected allows you to verify the contact during key exchange, but it provides no mechanism for you to verify a contact after key exchange. I am not a security guru and this may not be necessary but just pointing out that this form of verification is missing.

[agentfat2004]

I do actually think BBM Protected is pretty good - but it is not the best solution, and neither is iMessage. As I said before, iMessage is pretty nice as it is very easy to use and available to all users of iOS devices and the security is quite good. If you had your choice between using regular BBM and iMessage the choice should be iMessage for every-day security, where "every-day" means protecting incidental non-sensitive conversations

.

BBM Protected is pretty good, but its not as good as the free alternative available on other platforms. Actually I spent another day going over their design and they actually did a pretty solid job when you consider expected security practices. I don't think perfect forward secrecy has a business advantage, and so I don't see blackberry implementing it anytime soon. I code a little and was looking at maybe porting TextSecure to BB10 as a native app, but security is hard, and I am by no means a guru, plus i am not a fan of UI coding. Maybe some of us in the crackberry community can help port this over. It would be really nice to have