- Thank you for the info. Very interesting links too.
Now I am wondering if just BBM messages on Android (no BES/BIS) and/or BBM attachments can be seen/read by a snoopy IT administration when using a company wifi? Is it possible?
Or is the SIP-TLS secure against a snoopy IT watching over a WiFi?
02-26-14 09:05 AM Like 2

- I've just been doing some network traffic analysis of my DA-C on my home Wi-Fi network. I'm not home to manipulate it into sending BBM messages, but I see two types of traffic between the device and the BlackBerry infrastructure:
A periodic request for a page at blackberry.net port 80 that returns an HTML page that says "Your BlackBerry is logged on to the Wi-Fi network" that you see when you connect to a hotspot.
The rest of the traffic is to a host in na.blackberry.net port 443 and is encrypted. This is probably SIP. As Ventz points out, depending on SSL/TLS weaknesses and CA deployment on the device this could be subject to a MitM attack. At least BB10 is checking certificate chains. I run a personal IMAP server and use a certificate issued by CAcert.org. Their root CA is not loaded in my device, which gives me grief each time I set up that account.
A few months ago Michael Clewley posted something in his channel about BBM going towards mainstream SSL/TLS encryption, so this makes the whole global 3DES key a bit of a red herring. If the bearer SIP channel is protected by robust encryption, as I believe it is (this is debated elsewhere), then messages are protected between the handset and the BlackBerry servers. SSL Labs gives the server an A- rating. So, as others have pointed out, your messages may be accessed by any organization that could compel or convince BlackBerry to turn them over. If you want robust end-to-end encryption there is the BES option. Or you could try to run Android versions of Threema or TextSecure.
02-27-14 11:32 AM Like 0

- Omnitech (Dragon Slayer): One of the biggest problems with BlackBerry is that the company has a horrible track record of poor or nonexistent communications with customers. Case in point, how they took so long to clear the air on the security of BBM as deployed in BlackBerry 10.
There is a company document just produced this month (according to the PDF timestamp) that goes into great detail clarifying what the data-in-transit security situation is with BBM.
In short: it's at least as good as, and in most cases probably better than, what the majority of the competition is doing.
Specifically, the only time that it relies on the old technique of 3-DES with a "global key" is if one of the devices is a legacy BBOS device communicating over carrier network only. In other words, not over the public internet or WiFi.
So TLS is the minimum encryption used end-to-end if the endpoints are either BB10 or Android/iOS. If both endpoints are BB10, then apparently it uses the 3-DES "scrambling" technique on top of end-to-end TLS.
BB10 also internally uses certificate pinning - unlike Apple and others - so this gives them a leg up there as well.
BBM Security Note
As for the competition, here's some of the main ones, from another post of mine today:
WhatsApp
- Sent all traffic unencrypted until 2012-08 [1]
- When they added encryption in 2012-08, they did it poorly, leaving mobile numbers vulnerable and worse, using easily-guessed encryption keys [1]
- Serious flaws in WhatsApp encryption persisted up until at least 2013-10 [2]
- WhatsApp chat logs are readable by any other app on the device [3]
- In fact, Dutch and Canadian authorities concluded in 2013 that WhatsApp violated their countries' privacy laws by insecurely storing non-user contact details [4]
- Crypto weaknesses in WhatsApp “the kind of stuff the NSA would love” [5]
Apple iMessage
Among other things, does not implement (as BBM does) "certificate pinning" - allowing attackers to spoof legitimate iMessage servers. (source)
Viber
Sends shared files and location data unencrypted, stores data on Amazon cloud servers unencrypted and accessible to anyone (source 1, source 2)
LINE Messenger
Messages and data are sent completely unencrypted over carrier networks (source)
WeChat
Plagued by a variety of technical security vulnerabilities, in addition to being subject to widespread surveillance by Chinese authorities (source)
05-24-14 09:31 PM Like 3
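The two posts above turn on the same point: the 02-27-14 traffic-analysis post notes that a MitM on the Wi-Fi depends on "CA deployment on the device" and that BB10 checks certificate chains, and Omnitech's post contrasts that with certificate pinning. The following is an added example, not code from this thread or from BlackBerry's BBM implementation, that models both checks in Python so the difference is visible for the original question (a snoopy IT admin on company Wi-Fi). Certificates are plain dicts and signatures are simulated with HMAC-SHA256 over the to-be-signed fields (a real chain uses asymmetric signatures, so here the `spki` value doubles as the verification key); the CA names and key bytes are constructed, and the hostname is the one named in the traffic-analysis post.

```python
"""Trust-store chain validation vs. SPKI pinning against a Wi-Fi
interception proxy. Certificates are dicts; signatures are simulated with
HMAC-SHA256 over the to-be-signed fields, so the `spki` value doubles as the
verification key (a stand-in for a real public key). All names and keys are
constructed for illustration."""
import hashlib
import hmac
import json


def _tbs(cert):
    """Canonical bytes of the to-be-signed part: subject, issuer, public key."""
    return json.dumps({"subject": cert["subject"], "issuer": cert["issuer"],
                       "spki": cert["spki"].hex()}, sort_keys=True).encode()


def _sign(signing_key, cert):
    return hmac.new(signing_key, _tbs(cert), hashlib.sha256).hexdigest()


def make_root(name, key):
    """A self-signed root certificate, the kind that sits in a trust store."""
    root = {"subject": name, "issuer": name, "spki": key}
    root["sig"] = _sign(key, root)
    return root


def issue(issuer, subject, key):
    """Issuer signs a certificate binding `subject` to public key `key`."""
    cert = {"subject": subject, "issuer": issuer["subject"], "spki": key}
    cert["sig"] = _sign(issuer["spki"], cert)
    return cert


def _signed_by(cert, issuer):
    return (cert["issuer"] == issuer["subject"]
            and hmac.compare_digest(cert["sig"], _sign(issuer["spki"], cert)))


def validate_chain(chain, trust_store, hostname):
    """What an ordinary TLS client does: the leaf must name the host, each
    certificate must be signed by the next one, and the last must be signed
    by a root in the trust store. Whoever controls the trust store controls
    the outcome."""
    if not chain or chain[0]["subject"] != hostname:
        return False
    if not all(_signed_by(c, i) for c, i in zip(chain, chain[1:])):
        return False
    return any(_signed_by(chain[-1], root) for root in trust_store)


def spki_pin(cert):
    """SHA-256 of the public key: the value a pinning client ships with."""
    return hashlib.sha256(cert["spki"]).hexdigest()


def connect(chain, trust_store, pins, hostname):
    """Client decision for a presented chain. `pins` empty means a plain
    trust-store client; otherwise some certificate in the chain must match."""
    if not validate_chain(chain, trust_store, hostname):
        return "reject: untrusted chain"
    if pins and not any(spki_pin(c) in pins for c in chain):
        return "reject: pin mismatch"
    return "accept"


HOST = "na.blackberry.net"  # host from the traffic analysis; certs below are fake

# Legitimate PKI: public root (shipped on the device) -> intermediate -> server.
public_root = make_root("Example Public Root CA", b"public-root-key")
intermediate = issue(public_root, "Example Public CA 1", b"intermediate-key")
real_leaf = issue(intermediate, HOST, b"bbm-server-key")
REAL_CHAIN = [real_leaf, intermediate]

# Corporate Wi-Fi inspection proxy: IT's own root signs a forged server cert.
corp_root = make_root("Corp Wi-Fi Inspection CA", b"corp-root-key")
forged_leaf = issue(corp_root, HOST, b"proxy-key")
MITM_CHAIN = [forged_leaf]

PINS = {spki_pin(real_leaf)}  # what a pinning client would carry for HOST


def scenarios():
    """Decisions for the cases the thread discusses, keyed by case name."""
    unmanaged = [public_root]           # stock device: no corporate CA
    managed = [public_root, corp_root]  # IT pushed its inspection root
    return {
        "real server, unmanaged device, no pin": connect(REAL_CHAIN, unmanaged, set(), HOST),
        "proxy, unmanaged device, no pin": connect(MITM_CHAIN, unmanaged, set(), HOST),
        "proxy, managed device, no pin": connect(MITM_CHAIN, managed, set(), HOST),
        "proxy, managed device, pinned": connect(MITM_CHAIN, managed, PINS, HOST),
        "real server, managed device, pinned": connect(REAL_CHAIN, managed, PINS, HOST),
    }


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case:40s} -> {verdict}")
```

The cases that matter for the original question: on a stock device the proxy's forged chain is rejected outright, because no root in the trust store signed it. Once IT has pushed its inspection root onto a managed device, trust-store validation accepts the forged chain and the proxy can read the session; only a pinned client still rejects it, since the pin is bound to the real server key rather than to whatever the trust store happens to contain. In a real client the pin would be the SHA-256 of the DER-encoded SubjectPublicKeyInfo, and the leaf would come from the socket's `getpeercert(binary_form=True)` rather than from a dict.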
- Hi,
Due to the missing end-to-end encryption without BES (as in my case), can someone recommend an alternative? On Android I have used Threema and TextSecure, but both are not available natively on BB10 (notifications basically work, but only if the app is up & running, and not very reliably). Myenigma seems to be BB<10 only (besides other operating systems); BBM is non-encrypted, but could be coupled with PGP (I guess this may not be so convenient at all)...
Open Source is a feature, but at the moment I take what I can get. I am myself new to BB10 development, so that is no quick option either.
Thanks in advance!
Best,
Patrick
06-25-14 04:46 AM Like 0
Specific Encryption Algorithms used for BBM