Zero Day

Ryan Naraine and Dancho Danchev

Middle East countries: the BlackBerry is a national security threat

By | July 28, 2010, 11:29am PDT

Summary: The United Arab Emirates (UAE) has described RIM’s device as a threat posing “serious social, judicial and national security repercussions” due to the country’s inability to successfully eavesdrop on users, and the fact that transmitted data is stored offshore. Does the BlackBerry really pose a threat to national security?

According to the BBC, the United Arab Emirates (UAE) has described RIM’s device as a threat posing “serious social, judicial and national security repercussions” due to the country’s inability to successfully eavesdrop on users, and the fact that transmitted data is stored offshore.

The same concerns have also been expressed by India, Kuwait and Saudi Arabia, with market analysts attributing yesterday’s decline in RIMM shares to the timing of these comments.

Does the BlackBerry really pose a threat to national security? Are BlackBerry Enterprise Server users susceptible to remote surveillance of their communications? What is the UAE missing, and what should BlackBerry users keep in mind in order to preserve the integrity of the security features offered by RIM’s device?

Let’s find out.

Does the BlackBerry really pose a threat to national security?

Like any other networked device storing data offshore, it does, as it prevents local law enforcement from eavesdropping on users under the country’s legal framework. However, if these countries label the device a national security threat, the list could go on forever and would eventually include Skype and Zfone, for instance.

Then why are these Middle East countries so picky? Although they are equally unable to eavesdrop on Zfone voice and video calls, they know that, on a mass scale, the real business conversations take place on BlackBerries, not Zfones.

When discussing the UAE’s obsession with RIM’s device, it’s worth emphasizing that the country unsuccessfully attempted to install a spyware application on the devices of Etisalat users in 2009, pitching it as a “performance-enhancement patch”. Instead, the SS8 Interceptor drained the batteries of the users who installed it, to the point where they became suspicious about its true nature.

However, this clear abuse of legal authority for wide-scale social engineering ultimately serves the BlackBerry user best. How come? Because the country is unable to eavesdrop on the communications, it has to rely on third-party spyware applications, which basically puts the ball in the end user’s court.

Although the encryption of BlackBerries cannot be cracked — with India confirming that it can intercept BlackBerry-to-Non-BlackBerry device data — just like any other device, the BlackBerry is susceptible to numerous client-side vulnerabilities which could allow a malicious attacker access to data that would have been otherwise irretrievable by attempting to decrypt the data. Ensuring that a user’s device is free of these flaws, and taking basic precautions for protecting against them, partly puts the user in control.

The “target the user, not the encryption protocol” tactic has been in use for years. For instance, instead of targeting Skype’s encryption protocols, law enforcement has for years been targeting the end user (SEE: Source code for Skype eavesdropping trojan in the wild). This little-publicized fact, combined with the growing market for commercial mobile spying applications across multiple mobile OS platforms, results in a situation where the encryption protocol in use becomes irrelevant to a certain extent.

Moreover, the multitude of third-party voice/SMS encryption/PKI solutions that a BlackBerry user can take advantage of further undermines any decryption attempts. If the user truly wants to make his or her calls/emails secure beyond the end-to-end encryption offered by RIM — BlackBerry Enterprise Server users have their backs covered — they are free to do so using different commercial solutions as well.

The bottom line - are BlackBerries a threat to the national security of any country? They are, but only to the country that’s attempting to decrypt the data itself, instead of targeting the weakest link - in this case the user who now more than ever has to be aware that he’s become the primary target, not the encryption protocol itself.


Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.
