1. Richard Buckley's Avatar
    Thank you for the info. Very interesting links too.

    Now I am wondering if just BBM messages on Android (no BES/BIS) and/or BBM attachments can be seen/read by a snoopy IT administration when using a company wifi? Is it possible?

    Or is the SIP-TLS secure against a snoopy IT watching over a WiFi?

    Posted via the Android CrackBerry App!
    I've just been doing some network traffic analysis of my DA-C on my home Wi-Fi network. I'm not home to manipulate it into sending BBM messages but I see two types of traffic between the device and the BlackBerry infrastructure:

    A periodic request for a page at blackberry.net port 80 that returns an HTML page that says "Your BlackBerry is logged on to the Wi-Fi network" that you see when you connect to a hotspot.

    The rest of the traffic is to a host in na.blackberry.net port 443 and is encrypted. This is probably SIP. As Ventz points out, depending on SSL/TLS weaknesses and CA deployment on the device this could be subject to a MiM attack. At least BB10 is checking certificate chains. I run a personal IMAP server and use a certificate issued by CACert.Org. Their root CA is not loaded in my device which gives me grief each time I set up that account.

    A few months ago Michael Clewley posted something in his channel about BBM going towards mainstream SSL/TLS encryption so this makes the whole global 3DES key a bit of a red herring. If the bearer SIP channel is protected by robust encryption, as I believe it is (this is debated elsewhere), then messages are protected between the handset and the BlackBerry servers. SSL Labs gives the server an A- rating. So as others have pointed out your messages may be accessed by any organization that could compel or convince BlackBerry to turn them over. If you want robust end-to-end encryption there is the BES option. Or you could try to run Android versions of Threema or TextSecure.
    ventz and gdarmy like this.
    02-26-14 09:05 AM
  2. gdarmy's Avatar
    I've just been doing some network traffic analysis of my DA-C on my home Wi-Fi network. I'm not home to manipulate it into sending BBM messages but I see two types of traffic between the device and the BlackBerry infrastructure:

    A periodic request for a page at blackberry.net port 80 that returns an HTML page that says "Your BlackBerry is logged on to the Wi-Fi network" that you see when you connect to a hotspot.

    The rest of the traffic is to a host in na.blackberry.net port 443 and is encrypted. This is probably SIP. As Ventz points out, depending on SSL/TLS weaknesses and CA deployment on the device this could be subject to a MiM attack. At least BB10 is checking certificate chains. I run a personal IMAP server and use a certificate issued by CACert.Org. Their root CA is not loaded in my device which gives me grief each time I set up that account.

    A few months ago Michael Clewley posted something in his channel about BBM going towards mainstream SSL/TLS encryption so this makes the whole global 3DES key a bit of a red herring. If the bearer SIP channel is protected by robust encryption, as I believe it is (this is debated elsewhere), then messages are protected between the handset and the BlackBerry servers. SSL Labs gives the server an A- rating. So as others have pointed out your messages may be accessed by any organization that could compel or convince BlackBerry to turn them over. If you want robust end-to-end encryption there is the BES option. Or you could try to run Android versions of Threema or TextSecure.
    Thank you for this great information. I enjoy using BBM for almost all nonsensitive information with colleagues and friends and promote/advocate the BBM app. I think BBM app continues to show tremendous opportunities and growth for individuals and organizations wanting a stable secure, elegant IM. However, I totally agree with you, for more sensitive information sharing I definitely use Textsecure.
    02-27-14 11:32 AM
  3. Omnitech's Avatar
    One of the biggest problems with BlackBerry is that the company has a horrible track record of poor or nonexistent communications with customers. Case in point, how they took so long to clear the air on the security of BBM as deployed in BlackBerry 10.

    There is a company document just produced this month (according to the PDF timestamp) that goes into great detail clarifying what the data-in-transit security situation is with BBM.

    In short: it's at least as good, and in most cases probably better than what the majority of the competition is doing.

    Specifically, the only time that it relies on the old technique of 3-DES with a "global key" is if one of the devices is a legacy BBOS device communicating over carrier network only. In other words, not over the public internet or WiFi.

    So TLS is the minimum encryption used end-to-end if the endpoints are either BB10 or Android/iOS. If both endpoints are BB10, then apparently it uses the 3-DES "scrambling" technique on top of end-to-end TLS.

    BB10 also internally uses certificate-pinning - unlike Apple and others - so this gives them a leg up there as well.

    BBM Security Note


    As for the competition, here's some of the main ones, from another post of mine today:


    WhatsApp

    - Sent all traffic unencrypted until 2012-08 [1]
    - When they added encryption in 2012-08, they did it poorly, leaving mobile numbers vulnerable and worse, using easily-guessed encryption keys [1]
    - Serious flaws in WhatsApp encryption persisted up until at least 2013-10 [2]
    - WhatsApp chat logs are readable by any other app on the device [3]
    - In fact, Dutch and Canadian authorities concluded in 2013 that WhatsApp violated their countries' privacy laws by insecurely storing non-user contact details [4]
    - Crypto weaknesses in WhatsApp “the kind of stuff the NSA would love” [5]


    Apple iMessage

    Among other things, does not implement (as BBM does) "certificate pinning" - allowing attackers to spoof legitimate iMessage servers. (source)


    Viber

    Sends shared files and location data unencrypted, stores data on Amazon cloud servers unencrypted and accessible to anyone (source 1, source 2)


    LINE Messenger

    Messages and data are sent completely unencrypted over carrier networks (source)


    WeChat

    Plagued by a variety of technical security vulnerabilities, in addition to being subject to widespread surveillance by Chinese authorities (source)

    aiharkness, Blty and nah.uhh like this.
    05-24-14 09:31 PM
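Omnitech's post above credits BB10 with certificate pinning and Richard's post earlier with chain checking; these are two different checks. The example below (added here, not BlackBerry's or BBM's code) shows what a pinning client actually compares: a SHA-256 over the server certificate's SubjectPublicKeyInfo against a pin shipped in the app. Chain validation by the OS is still needed and is not replaced by this. The certificate is a constructed X.509 shell (dummy names, validity and signature), and the DER parser is minimal, written for this illustration only.

```python
import base64, hashlib

SEQ, INT, BITSTR, NULL, OID, UTCTIME = 0x30, 0x02, 0x03, 0x05, 0x06, 0x17
RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"  # rsaEncryption (1.2.840.113549.1.1.1)

def der(tag, body):
    """Encode one DER TLV with a minimal length field."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, body, index just after it)."""
    n, hdr = buf[pos + 1], 2
    if n & 0x80:                                   # long-form length
        k, hdr = n & 0x7F, 2 + (n & 0x7F)
        n = int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
    return buf[pos], buf[pos + hdr:pos + hdr + n], pos + hdr + n

def children(body):
    """Split a constructed body into its child TLVs (whole encodings), in order."""
    out, pos = [], 0
    while pos < len(body):
        out.append(body[pos:tlv(body, pos)[2]])
        pos += len(out[-1])
    return out

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 field order)."""
    fields = children(tlv(children(tlv(cert_der, 0)[1])[0], 0)[1])  # tbsCertificate fields
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version (v3 certs)
        fields = fields[1:]
    return fields[5]  # serial, signature, issuer, validity, subject, subjectPublicKeyInfo

def spki_pin(cert_der):
    """HPKP-style pin: base64(SHA-256(SPKI DER)), the value a pinning client ships with."""
    return "sha256/" + base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def fake_cert(modulus, v3=False):
    """Constructed X.509 shell around an RSA key: dummy names, validity and signature (test data, not a real cert)."""
    alg = der(SEQ, der(OID, RSA_OID) + der(NULL, b""))
    spki = der(SEQ, alg + der(BITSTR, b"\x00" + der(SEQ, der(INT, b"\x00" + modulus) + der(INT, b"\x01\x00\x01"))))
    validity = der(SEQ, der(UTCTIME, b"140101000000Z") + der(UTCTIME, b"150101000000Z"))
    version = der(0xA0, der(INT, b"\x02")) if v3 else b""
    tbs = der(SEQ, version + der(INT, b"\x01") + alg + der(SEQ, b"") + validity + der(SEQ, b"") + spki)
    return der(SEQ, tbs + alg + der(BITSTR, b"\x00" + bytes(32)))
```

In a real client the DER bytes come from the verified TLS session (in Python, `ssl.SSLSocket.getpeercert(binary_form=True)`), and the connection is dropped when `spki_pin(cert) not in PINS`, so a certificate from any other CA, trusted or not, is rejected.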
  4. aiharkness's Avatar
    Better late than never, I guess.
    05-24-14 10:24 PM
  5. Bang EL's Avatar
    Ventz.. how to enlarge the picture crop area for the BBM display picture on a BlackBerry Z3?

    Posted via CB10
    05-26-14 07:33 PM
  6. mcdot's Avatar
    Hi,

    Due to the missing end-to-end encryption without BES (as in my case), can someone recommend an alternative? On Android I have used Threema and TextSecure, but neither is available natively on BB10 (notifications basically work, but only if the app is up and running, and not very reliably). Myenigma seems to be BB<10 only (besides other operating systems), and BBM is non-encrypted but could be coupled with PGP (I guess this may not be so convenient at all)..

    Open Source is a feature, but at the moment I take what I can get. I am myself new to BB10 development, so that is no quick option either.

    Thanks in advance!

    Best,
    Patrick
    06-25-14 04:46 AM
  7. cryptowaveuk's Avatar
    BBMs are certainly not encrypted. Though there are companies that offer PGP encryption for BBMs.
    01-06-15 10:43 PM