  1. ventz's Avatar
    Hi,

    I've been trying to find the specifics behind the encryption used to encrypt BBMs. Can someone point to any papers/concrete info?

    The only thing I have found so far is one site mentioning 3DES (which is not good if that's the case), and some vague assumptions on random sites which cannot possibly be correct.

    After all, there is a reason BlackBerry had DOD "Allowed to Operate".

    I would also be very surprised if all of the encryption used is not open. I read a while ago that they hold the patents for elliptic curve cryptography, but again, looking for something concrete on BBM.

    Thanks.

    Posted via CB using a Q10
    02-21-14 12:03 PM
  2. neeeko's Avatar
    It's an encryption type weakened by the NSA. It's like you're broadcasting your screen's content in a theater... nice, right? How do you feel now?
    02-21-14 12:24 PM
  3. Dodger52's Avatar
    168-bit Triple DES

    http://docs.blackberry.com/en/admin/...1840226_11.jsp

    If the standard BBM encryption doesn't meet your standard, you could always consider combining BBM with Pretty Good Privacy (PGP):

    http://appworld.blackberry.com/webst...ntent/47148895

    Posted via CB10
    zephyr613, schmeat, FijiBB and 2 others like this.
    02-21-14 12:28 PM
  4. aiharkness's Avatar
    In the strict meaning of the term, regular BBM is not encrypted. Back when this was big in the news, BlackBerry used the word scrambled. But the important point is there is one key for everyone and all devices, and from what I've read that key is no great secret nowadays. I'm sure BBM on BES is a different matter. Bottom line, don't consider BBM messages to be readable only by you and the recipient.

    EDIT: I see the link in the post before this uses the word encryption. But note the statement about one global all devices key.
    ventz likes this.
    02-21-14 12:33 PM
  5. Andrew4life's Avatar
    In the strict meaning of the term, regular BBM is not encrypted. Back when this was big in the news, BlackBerry used the word scrambled. But the important point is there is one key for everyone and all devices, and from what I've read that key is no great secret nowadays. I'm sure BBM on BES is a different matter. Bottom line, don't consider BBM messages to be readable only by you and the recipient.

    EDIT: I see the link in the post before this uses the word encryption. But note the statement about one global all devices key.
    Yes, for BES, you can set a custom encryption key that is used by your BES managed devices.


    Posted via CB10
    ventz likes this.
    02-21-14 12:45 PM
  6. ventz's Avatar
    In the strict meaning of the term, regular BBM is not encrypted. Back when this was big in the news, BlackBerry used the word scrambled. But the important point is there is one key for everyone and all devices, and from what I've read that key is no great secret nowadays. I'm sure BBM on BES is a different matter. Bottom line, don't consider BBM messages to be readable only by you and the recipient.
    That was exactly my impression too, but I couldn't confirm it.

    :sigh:

    Great if you have your own BES, not so much for everyone else.

    I guess Whatsapp is still better for security for the general public.


    Posted via CB using a Q10
    02-21-14 01:10 PM
  7. Dodger52's Avatar
    That was exactly my impression too, but I couldn't confirm it.

    :sigh:

    Great if you have your own BES, not so much for everyone else.

    I guess Whatsapp is still better for security for the general public.


    Posted via CB using a Q10
    Untrue, WhatsApp is inherently unsafe: the encryption in WhatsApp is flawed, there have been numerous security exploits discovered in WhatsApp, and the latest exploits aren't even addressed by WhatsApp. BBM is actually one of the more secure programs available:
    http://blogs.mcafee.com/consumer/whatsapp-security-flaw

    https://blog.thijsalkema.de/blog/201...-s-encryption/


    Posted via CB10
    02-21-14 01:21 PM
  8. aiharkness's Avatar
    Guys, and ladies, too, regular BBM is private enough for almost all of us, and I'm fine with it. From what I understand I wouldn't want to use any of the other messaging apps, but I only know what I read. But here is the deal: If your life or freedom depends on it, don't use any of them, not even BBM. Keep proper perspective.
    02-21-14 02:35 PM
  9. ventz's Avatar
    The only serious Whatsapp problem is this one:
    Crypto weaknesses in WhatsApp “the kind of stuff the NSA would love” | Ars Technica

    The rest have actually been fixed at this point. For example, the first problem "discovered by the media" was blown out of proportion, and it was a theoretical attack that not a single person was able to execute.

    But either way, it seems like currently a private jabber server with SSL + OTR is the way to go for privacy.

    @aiharkness -- it's good enough for a coffee shop where some random guy is sniffing the traffic, and you care about a conversation staying private with your friend/significant other, but it's not good enough if it's something that truly needs to stay private. If you work in security and need a communication platform between your team (between all 3-4 major devices - Android, iOS, BB, Windows) -- currently, there is nothing on the market that does it and "just works".

    I was going to make the argument at work that BBM is the way to go, but it looks like that's not a viable option.

    Whatsapp is also not a good solution. It's a tad better for personal conversations (security wise that is), but it's still crap. And now that FB owns it, who knows where it will go.
    02-21-14 08:54 PM
  10. ventz's Avatar
    BBM is actually one of the more secure programs available:
    This is only true with BES involved, from the papers provided.

    And BES is not involved for cross-platform communication - so where a team of people uses multiple platforms or (is on all BBs but doesn't use BES) the security is next to useless. Using a key that is the same, and is stored in some place which you don't exclusively control, is only good against the random person snooping on your conversation in a public place (ex: coffee shop).

    The follow up to your link on thijsalkema is this:
    https://blog.thijsalkema.de/blog/201...-encryption-2/
    and, like the author's first blog post, it doesn't actually provide any real or concrete information.
    It is full of assumptions, guesses, and "interpreted conclusions". If you read through them you will find that he was not able to use his method in a single case against the real client.

    If we are going only on facts and white papers:

    1a.) BBM on BES is bullet proof
    1b.) An alternative is a private (non open registration) Jabber server, with SSL/TLS, and where users use OTR.

    2.) Whatsapp is the second best option for public conversations (even w/ the cert pinning issue, still in #2 compared to alternatives).
    It seems like if you don't use WhatsApp on Wi-Fi, or if you can verify that the mobile station you are connected to is real, this is not an issue at all.

    3.) BBM (on BIS or OS10) - this is a bit like using "WPA" encryption on wireless -- it's "ok/good", but has issues, and really should be replaced by WPA2. For anyone that has a work-related security requirement, this is simply not acceptable.
    02-21-14 09:06 PM
  11. ventz's Avatar
    If the standard BBM encryption doesn't meet your standard, you could always consider combining BBM with Pretty Good Privacy (PGP):
    PGpgp - BlackBerry World
    Now this is an excellent solution!

    Not sure about the dev's PGP implementation (i know a few different ones had issues on Android), but this is truly a good solution.

    Sadly a tad clunky - it would be nice if it was cleanly integrated, but hopefully with the recent events, things will get much much better security wise in the next year or two.
    02-21-14 09:13 PM
  12. Dodger52's Avatar
    WhatsApp is not secure at all, and in terms of security WhatsApp can't compete with BBM.

    Even more evidence:
    http://www.channelnewsasia.com/news/...e/1008754.html

    Posted via CB10
    02-22-14 10:25 AM
  13. mEntal8y's Avatar
    The only way someone is going to see your BBM messages is by looking at your screen, or if the government "nicely" asks BlackBerry to make it available to them (as they did in Britain during the riots, and in India recently). I am guessing you're not some famous terrorist...
    Dodger52 likes this.
    02-22-14 11:02 AM
  14. ventz's Avatar
    WhatsApp is not secure at all, and in terms of security WhatsApp can't compete with BBM.
    Again, only the case if BBM is on BES, using a changed encryption key, and with a policy to block msgs from other keys.

    If it's just using the one everyone downloads on their z10/z30/q10/q5, or iOS, or Android, then whatsapp is currently more secure.

    Posted via CB using a Q10
    02-22-14 12:49 PM
  15. Dodger52's Avatar
    Again, only the case if BBM is on BES, using a changed encryption key, and with a policy to block msgs from other keys.

    If it's just using the one everyone downloads on their z10/z30/q10/q5, or iOS, or Android, then whatsapp is currently more secure.

    Posted via CB using a Q10
    I am baffled by your ignorance, WhatsApp has been proven to be insecure time and time again.

    Their custom 'encryption' method is flawed and exploits are discovered, again and again.

    As opposed to BBM security, which is time tested and secure.

    And yet you continue to claim that WhatsApp is safer. Face the facts.

    BBM is one of the most, if not the most, secure messaging clients.

    Posted via CB10
    02-22-14 03:46 PM
  16. TheoRadu's Avatar
    The only serious Whatsapp problem is this one:
    Crypto weaknesses in WhatsApp “the kind of stuff the NSA would love” | Ars Technica

    The rest have actually been fixed at this point. For example, the first problem "discovered by the media" was blown out of proportion, and it was a theoretical attack that not a single person was able to execute.

    But either way, it seems like currently a private jabber server with SSL + OTR is the way to go for privacy.

    @aiharkness -- it's good enough for a coffee shop where some random guy is sniffing the traffic, and you care about a conversation staying private with your friend/significant other, but it's not good enough if it's something that truly needs to stay private. If you work in security and need a communication platform between your team (between all 3-4 major devices - Android, iOS, BB, Windows) -- currently, there is nothing on the market that does it and "just works".

    I was going to make the argument at work that BBM is the way to go, but it looks like that's not a viable option.

    Whatsapp is also not a good solution. It's a tad better for personal conversations (security wise that is), but it's still crap. And now that FB owns it, who knows where it will go.
    Actually, the first security issue with WhatsApp was huge. All messages were sent in plain text: http://www.androidpolice.com/2012/05...an-be-sniffed/

    Everyone was able to intercept messages on a Wi-Fi network with an Android app called WhatsApp Sniffer.

    I don't understand why you think WhatsApp is more secure than BBM. Clearly security is not a top priority for them if they released an app to tens of millions of people with zero encryption.
    02-22-14 04:20 PM
  17. gdarmy's Avatar
    I am baffled by your ignorance, WhatsApp has been proven to be insecure time and time again.

    Their custom 'encryption' method is flawed and exploits are discovered, again and again.

    As opposed to BBM security, which is time tested and secure.

    And yet you continue to claim that WhatsApp is safer. Face the facts.

    BBM is one of the most, if not the most, secure messaging clients.

    Posted via CB10

    BBM 2.0 on android and iOS is awesome. My concern/question is can BMM messages via these devices get intercepted on a Wi-Fi network?

    Are these messages and/or attachments secure from a snoopy IT administration?

    And is BBM more secure than SMS? In what sense?

    Posted via the Android CrackBerry App!
    02-22-14 08:24 PM
  18. ventz's Avatar
    @dodger -- look the first link that you posted.
    Either we are somehow completely misunderstanding each other, or every time you say BBM, you really mean BES.

    Drop whatsapp for a second, I am not advocating for it or against it. Let's just examine BBM.

    Let's say your message is "hey there, what time is it?"

    BBM simply encrypts that using a GLOBALLY SHARED key that's SET statically on a server. You realize how bad that is right?
    Might as well be using ROT13. Even BlackBerry tells you that:

    "encryption using the global PIN encryption key is sometimes referred to as 'scrambling'".

    That means if person "X" talking to person "Y" sent that message, and person "A" talking to person "B" sent that message, they can both be decrypted by the same key. That is a massive fail.

    To put this in perspective, if anyone records the "encrypted" conversation, they can later decrypt it. --> this is not secure. Secure means NO ONE can decrypt it, but the person that it is meant for.

    BBM is one of the most, if not the most, secure messaging clients.
    This is not the case at all -- in fact, far from it. (Think about this -- the most secure messaging client uses a GLOBAL KEY?)
    I think you mean BES is one of the most secure platforms.
    BBM is simply a "mediocrely" secured client, which happens to sit on top of one of the best cryptographic systems.

    BES -- is secure. Anything over BES is secure -- email, chat, web, etc...
    BES has been tested over time.

    BBM on BIS or *without BES* is NOT secure. -- and this is from the mouth of BlackBerry.

    Imagine if your SSL session on the internet was encrypted with a global key.
    This would be the end of the internet.

    The most secure messaging client currently on any platform is "ChatSecure" (https://guardianproject.info/apps/chatsecure/), and it utilizes XMPP. When combined with OTR, it is currently considered unbreakable - and that's from papers the NSA released about the algorithms which are the same ones used in TrueCrypt (AES256).

    An article summarizing issue with BBM: Is BBM Secure? (Blackberry Messenger) | Encrypted Mobile

    (start-quote)
    "The Achilles’ heel of BBM is that while PIN-to-PIN messages are encrypted using Triple DES, RIM adds a global cryptographic “key”, which is shared between every BlackBerry device manufactured. This automatically allows a situation (in theory, at least) where, if the messages can be intercepted at the cellular service provider’s network and the hacker party manages to spoof the intended recipient’s PIN, any BlackBerry device can be used to decrypt all PIN-to-PIN messages sent by any other BlackBerry device. While this has never happened as yet, or at least has not been brought to our attention, the scenario lies entirely within the realm of possibility.

    The same key, used by all BlackBerry devices to be able to decrypt PIN-to-PIN messages, can be used by RIM at their relay station to decrypt any user’s messages. Again, this is not to suggest that RIM is in the business of reading their users’ content. However, if legally put to the task, RIM can provide decrypted PIN-to-PIN messages in clear-text to law enforcement authorities."
    (/end-quote)
    02-23-14 09:48 PM
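    The global-key point in the post above, as an added example that is not from this thread or from BlackBerry: two unrelated conversations are recorded off the wire, once under a single key every device holds and once under a per-pair key, and the code reports what a holder of one key can read. The cipher is a stand-in stream cipher built from HMAC-SHA256 with an authentication tag (not Triple DES and not BBM's real format); the key value and the second message are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC-SHA256(enc_key, nonce || counter), concatenated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when this key does not verify the tag."""
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


# Constructed placeholder standing in for the one key every device ships with;
# the real key is not on the page and its value does not matter for the argument.
GLOBAL_PIN_KEY = b"constructed-global-pin-key-every-device-has"


def recorded_traffic_exposure(global_key: bool) -> Dict[str, bool]:
    """Two unrelated conversations, X->Y and A->B, are recorded off the wire.
    The recorder is a legitimate member of A<->B (say, device B) and so holds
    that conversation's key. Returns which of the two recordings it can read."""
    msg_xy = b"hey there, what time is it?"  # the message from the post
    msg_ab = b"running late, order for me"   # constructed second conversation
    if global_key:
        key_xy = key_ab = GLOBAL_PIN_KEY     # one key for everyone, every device
    else:
        key_xy, key_ab = os.urandom(32), os.urandom(32)  # one secret per pair
    ct_xy = encrypt(key_xy, msg_xy)
    ct_ab = encrypt(key_ab, msg_ab)
    recorder_key = key_ab
    return {
        "reads_own_conversation": decrypt(recorder_key, ct_ab) == msg_ab,
        "reads_other_conversation": decrypt(recorder_key, ct_xy) == msg_xy,
    }


if __name__ == "__main__":
    print("global key:  ", recorded_traffic_exposure(True))
    print("per-pair key:", recorded_traffic_exposure(False))
```

    With the global key the recorder (or anyone else who ever obtains that key, including the relay operator the quoted article mentions) reads both conversations; with per-pair keys, holding A-B's key gives nothing on X-Y.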
  19. ventz's Avatar
    In the strict meaning of the term, regular BBM is not encrypted. Back when this was big in the news, BlackBerry used the word scrambled. But the important point is there is one key for everyone and all devices, and from what I've read that key is no great secret nowadays. I'm sure BBM on BES is a different matter. Bottom line, don't consider BBM messages to be readable only by you and the recipient.

    EDIT: I see the link in the post before this uses the word encryption. But note the statement about one global all devices key.
    @aiharkness -- EXACTLY!

    "Secure" is IF AND ONLY IF the designated recipient can decrypt the information -- at the time of receive or at any later date/time.

    With BBM, if your messages are recorded (over wifi or mobile), both BlackBerry AND your ISP can decrypt every message ever sent.
    If you care about security, this means that the conversations might as well not be encrypted.
    02-23-14 09:57 PM
  20. Dodger52's Avatar
    @aiharkness -- EXACTLY!

    "Secure" is IF AND ONLY IF the designated recipient can decrypt the information -- at the time of receive or at any later date/time.

    With BBM, if your messages are recorded (over wifi or mobile), both BlackBerry AND your ISP can decrypt every message ever sent.
    If you care about security, this means that the conversations might as well not be encrypted.
    Untrue, BBM messages are well encrypted, and for the ISP or a third party it is impossible to read the encrypted messages, which are sent via a secure SSL tunnel.

    As for BlackBerry holding the encryption key, this is common for most encryption applications and thus for other messaging platforms. As long as a program doesn't allow you to create and implement private/public keys and distribute those keys only to those who you want to communicate with, you will be dependent on the provider. But at least BBM encryption is secure, as opposed to WhatsApp or Telegram.

    It's clear your knowledge of encryption is abysmal and you are unwilling to learn and/or take the advice from people who do know, so I will refrain from further discussing this with you here.


    Posted via CB10
    Last edited by Dodger52; 02-24-14 at 01:37 AM.
    02-24-14 01:19 AM
  21. ventz's Avatar
    Haha.

    Keep using whatever you think is secure, and when you are ready, post this thread in any well respected crypto community and see what you get back.
    02-24-14 10:38 AM
  22. gdarmy's Avatar
    Untrue, BBM messages are well encrypted, and for the ISP or a third party it is impossible to read the encrypted messages, which are sent via a secure SSL tunnel.

    As for BlackBerry holding the encryption key, this is common for most encryption applications and thus for other messaging platforms. As long as a program doesn't allow you to create and implement private/public keys and distribute those keys only to those who you want to communicate with, you will be dependent on the provider. But at least BBM encryption is secure, as opposed to WhatsApp or Telegram.

    It's clear your knowledge of encryption is abysmal and you are unwilling to learn and/or take the advice from people who do know, so I will refrain from further discussing this with you here.


    Posted via CB10

    If I am not mistaken, this is quite secure and very difficult for an ISP to unscramble a BBM message. Below is from BBM.com support page:

    The BBM for Android and iPhone application connects to the BBM Infrastructure using a SIP connection over a TLS transport to global.uci.blackberry.com on port 443.

    Posted via the Android CrackBerry App!
    02-24-14 12:48 PM
  23. ventz's Avatar
    Only if the end device is controlled by you, and not an organization/administrator.
    The reason for that is because otherwise they can push their own CA certificate, and you will never even know that they are MITMing you.

    Companies do this all the time, by the way. Depending on where you work (any financial, banking, gov't, etc.), the computer provided to you has the CA cert of their proxy, so that all SSL traffic is re-written. This plays a huge role when visiting sites like Gmail (over HTTPS) or banking sites, etc. From the end user perspective, you think you are completely secure. One way to check is via certificate pinning (back to the security hole WhatsApp is facing now).

    I am not sure in regards to SIP - I believe the SIP part (voice specifically) over TLS is secure. I am not as familiar with SIP as I would like to be, but I think SRTP over TLS is completely secure (currently at least, and again, minus someone inserting a certificate on the endpoint).

    SIP is very similar to HTTP, and HTTP over SSL can be MITM'ed, so maybe there is some way that people are not aware of currently?

    @gdarmy - here is a pretty good description:
    http://mitmproxy.org/doc/howmitmproxy.html

    Also, here is another article about BBM being insecure (text part at least):
    Myth - BBM is Secure: Blackberry Messenger
    Last edited by ventz; 02-24-14 at 02:51 PM.
    02-24-14 02:34 PM
  24. gdarmy's Avatar
    Only if the end device is controlled by you, and not an organization/administrator.
    The reason for that is because otherwise they can push their own CA certificate, and you will never even know that they are MITMing you.

    Companies do this all the time, by the way. Depending on where you work (any financial, banking, gov't, etc.), the computer provided to you has the CA cert of their proxy, so that all SSL traffic is re-written. This plays a huge role when visiting sites like Gmail (over HTTPS) or banking sites, etc. From the end user perspective, you think you are completely secure. One way to check is via certificate pinning (back to the security hole WhatsApp is facing now).

    I am not sure in regards to SIP - I believe the SIP part (voice specifically) over TLS is secure. I am not as familiar with SIP as I would like to be, but I think SRTP over TLS is completely secure (currently at least, and again, minus someone inserting a certificate on the endpoint).

    SIP is very similar to HTTP, and HTTP over SSL can be MITM'ed, so maybe there is some way that people are not aware of currently?

    @gdarmy - here is a pretty good description:
    http://mitmproxy.org/doc/howmitmproxy.html

    Also, here is another article about BBM being insecure (text part at least):
    Myth - BBM is Secure: Blackberry Messenger
    Thank you for the info. Very interesting links too.

    Now I am wondering if just BBM messages on Android (no BES/BIS) and/or BBM attachments can be seen/read by a snoopy IT administration when using a company wifi? Is it possible?

    Or is the SIP-TLS secure against a snoopy IT watching over a WiFi?

    Posted via the Android CrackBerry App!
    02-24-14 04:24 PM
  25. ventz's Avatar
    Thank you for the info. Very interesting links too.

    Now I am wondering if just BBM messages on Android (no BES/BIS) and/or BBM attachments can be seen/read by a snoopy IT administration when using a company wifi? Is it possible?

    Or is the SIP-TLS secure against a snoopy IT watching over a WiFi?
    Just on Wifi without BES, and without having something done to your device - you are fine from a local sysadmin.
    While it IS theoretically and technically possible, it is not likely/probable. (Unless they get their hands on that global decryption key, which is highly unlikely for a local sysadmin specifically).

    I think *not* being on BES is actually better against your local sysadmin (only in this case), otherwise it's a breeze for an admin to find and read anything on your device.

    There are varying degrees of security, and the next question is who you are trying to keep secure from. My general question which started this thread was in the ultimate form of security - anyone/anywhere/with any resources. When I think of "something being truly secure", it means it is impossible (*absolutely impossible*) for any organization of any size to compromise, no matter how much time and resource they throw at it.

    BBM is fine for that conversation you are having in a coffee shop/work over wifi with your family/spouse/kids. Pretty much any popular messenger is OK for that. The two scares here are:
    1.) not using encryption (first issue with whatsapp, and the old fb app, which were both fixed)
    2.) having the conversation stored on a central server - (this is an issue with gchat or whatsapp much more than bbm, since whatsapp is now owned by facebook).

    However, if you are using it for work where your work involves some level of secure/classified data, then that's a different story. (It's a whole different story if you are even allowed to use something that's not centrally managed/monitored.) For example, certain people I know use this technology to discuss security incidents, and thus, I was curious as to what level of encryption BBM conforms.
    02-24-14 06:58 PM