Security of BlackBerry PIN-to-PIN Messaging

ITSB-57B | March 2011

Purpose

The purpose of this Bulletin is to advise Government of Canada (GC) departments and agencies of the security vulnerabilities arising from the use of the BlackBerry PIN-to-PIN messaging service.

Background

The CSEC document entitled ITSPSR-18A "Smartphone Vulnerability Assessment" discusses security issues with smartphones. As explained in this document, the Research-In-Motion (RIM) BlackBerry device offers two types of communication:

  • Voice – a built-in cellular telephone allows the user to make voice calls. Security features available for voice calls depend on the cellular technology (i.e. GSM or CDMA) used in the particular BlackBerry model and features supported by the cellular carrier; no additional security for voice calls is provided by the BlackBerry; and
  • Data – the BlackBerry allows e-mail and other data transmissions (including PIN-to-PIN, Internet browsing, and other voice-data service messages) to be sent over the air. As for voice, security features for data transmissions depend on the cellular technology (e.g., Mobitex, GPRS/EDGE, 1xRTT, HSDPA, etc.) and features supported by the carrier/service provider for each particular model of BlackBerry device, but in the case of data, transmissions may also be further encrypted by the BlackBerry device for added security.

This Bulletin will focus on threats to the security of data transmissions related specifically to PIN-to-PIN communications on BlackBerry devices. GC clients interested in further details on other aspects of BlackBerry and smartphone security are advised to refer to ITSPSR-18A or to contact CSEC Client Services.

BlackBerry Internet Service (BIS) vs. BlackBerry Enterprise Server (BES)

BlackBerry devices sold through wireless service providers may be used with the consumer service (BlackBerry Internet Service (BIS), the service offered with most privately-owned devices) or with the enterprise service (BlackBerry Enterprise Server, commonly known as BES).

From a basic security perspective, the BES includes supplementary encryption and data protection for enterprise BlackBerry device users, whereas the BIS does not. From a connectivity perspective, the BES allows BlackBerry devices to be connected to departmental mail servers and to access internal services.

While there are several methods that may be used, CSEC recommends using the BES to comply with the data protection requirements of the Policy on Government Security (PGS). The rest of this Bulletin assumes that the BES is being used.

E-mail and PIN-to-PIN Messaging Differences

Figure 1 illustrates the components involved in sending or receiving e-mail messages on an enterprise BlackBerry device.

Figure 1 - Sending/Receiving E-mail on a BlackBerry device using a BES

Figure 1 – Sending/Receiving E-mail on a BlackBerry device using a BES

As shown in Figure 1, e-mail messages sent from a BlackBerry device are first AES-encrypted, and passed to the user's wireless service provider (a), which then forwards the message to one of the global relay servers operated by RIM (b). The RIM relay passes the message via Internet on to the departmental BlackBerry Enterprise Server (BES) of the originating user (c), which decrypts it and forwards it to the departmental mail server (d) for delivery to the destination user (so that an e-mail from an enterprise BlackBerry device actually appears to have originated from inside the departmental network (e). If the destination user is not in the same department as the originating user, the e-mail will travel through the Internet to the destination user's network for delivery (f). Further, if the destination user is also a BlackBerry device user, the destination office will have its own BES which will forward an encrypted copy of the e-mail over the Internet (g) to the RIM relay for delivery to the destination user's BlackBerry device (h).

BlackBerry PIN-to-PIN (sometimes referred to as Peer-to-Peer) messaging is similar to e-mail in that it allows BlackBerry device users to send messages to each other, but with important differences:

  • Only possible between BlackBerry devices.
  • Addressed to a "PIN" instead of an e-mail address. A "PIN" is a hardware address, similar to a computer network adapter's MAC address, and is unique to every BlackBerry device. A "PIN" is not an authentication password nor is it a user identifier. It is the method by which the BlackBerry device is identified to the RIM relay for the purpose of finding the device within the global wireless service providers' networks.

    If permitted by departmental policy, users who know the PINs of other users' BlackBerry device can use the PINs to directly exchange data messages with the other devices across the wireless network (outside the normal e-mail process), thus bypassing the internal departmental e-mail servers and security filters.

Figure 2 illustrates the process of sending or receiving PIN-to-PIN messages on a BlackBerry device.

Figure 2 - Sending/Receiving PIN-to-PIN Messages on a BlackBerry device

Figure 2 – Sending/Receiving PIN-to-PIN Messages on a BlackBerry device

In this case, a PIN-to-PIN message sent from a BlackBerry device is forwarded to the RIM relay (a) by the user's wireless service provider as in the case of e-mail. However, for a PIN-to-PIN message, instead of going back through departmental e-mail servers, the relay identifies the destination BlackBerry device by its PIN and forwards the message directly to the destination user's wireless service provider (which may or may not be the same provider as the originating user (b) for direct delivery to the destination device (c).

BES version 4.1 and later provides a solution whereby departments that permit the use of PIN-to-PIN messaging can configure the BES to force corporate BlackBerry devices to send copies of their PIN, SMS, or MMS transmissions to the BES. The departmental BES can then store those messages to help departments meet audit requirements.

PIN-to-PIN Security Issues

PIN-to-PIN messaging is typically faster than the normal e-mail process as the message passes through fewer servers and infrastructure components. For this reason, PIN-to-PIN messages are also useful for emergency communications in situations where the departmental e-mail servers are down, but the wireless service provider and RIM relay are still available. However, if the wireless carrier's cellular network (e.g., Rogers, Bell, etc.) is also down, then PIN-to-PIN messaging will also be unavailable. Unfortunately, PIN-to-PIN messaging suffers from several important security vulnerabilities that GC users should be aware of:

  1. PIN-to-PIN transmission security: PIN-to-PIN is not suitable for exchanging sensitive messages. Although PIN-to-PIN messages are encrypted using Triple-DES, the key used is a global cryptographic "key" that is common to every BlackBerry device all over the world. This means any BlackBerry device can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry device, if the messages can be intercepted and the destination PIN spoofed. Further, unfriendly third parties who know the key could potentially use it to decrypt messages captured over the air. Note that the "BlackBerry Solution Security Technical Overview" [1] document published by RIM specifically advises users to "consider PIN messages as scrambled, not encrypted".
  2. PIN Address Vulnerability: A BlackBerry device that has been used for PIN messaging should not be recycled for re-use. The reason is that the hard-coded PIN cannot be erased or modified, and therefore the PIN does not follow a user to a new device. Even after memory wiping and reloading, the BlackBerry device still has the same PIN identity and will continue to receive PIN messages addressed to that PIN. This can expose unsuspecting users of BlackBerry devices to potential information compromise in the following ways:
    • A new owner of the recycled BlackBerry device could view PIN messages sent from a colleague of the previous owner who is unaware that the message is now going to the wrong recipient (recall that the PIN is a device ID, and not a user ID).
    • A message sent by the BlackBerry device's new owner contains a known PIN credential which might be mistakenly accepted as being from the previous owner (impersonation).
  3. Bypass of Virus/Malware Scanning and Spam Filtering mechanisms: As described previously, PIN-to-PIN messaging bypasses all corporate e-mail security filters, and thus users may become vulnerable to viruses and malware code as well as spam messages if their PIN becomes known to unauthorized third parties.

Recommendations

GC departments are advised to consider all the aforementioned security issues before allowing PIN-to-PIN messaging. Departments can disable PIN-to-PIN messaging with the appropriate BES IT Policy settings. For departments with specific requirements for PIN-to-PIN messaging (e.g. emergency communications), it is recommended that a clear policy on the use of PIN-to-PIN messaging be put in place, and that the following supplementary measures be considered to protect the privacy and confidentiality of PIN-to-PIN Messages:

  1. Using the S/MIME option which leverages GC PKI infrastructure and strong encryption to provide true end-to-end (user-to-user) encryption of messages (e-mail and PIN messages only). BlackBerry S/MIME encryption is approved by CSEC for the protection of up to Protected B information, and can mitigate some of the risk by ensuring that only authorized parties can read transmitted information. Note that using the BlackBerry S/MIME module requires that departments use the GC PKI infrastructure and train users in the use of digital PKI certificates.
  2. Setting an organization-specific PIN-to-PIN encryption key in the BES. This overrides the default global encryption key and limits the ability to decrypt PIN-to-PIN messages to departmental BlackBerry devices which are connected to the BES. However, this also prevents PIN-to-PIN communication with BlackBerry devices outside of the department, and may prevent emergency communications with outside organizations (e.g. first-responders) as the same global key is no longer shared. Consequently, use of this feature should be carefully considered.

Note that in both cases above, although the body of the message may be secure, the PIN itself is still transmitted in the clear (as it is used as an address and is needed to identify the originator and recipient of the message), and if the identity of an individual and assigned PIN are known, an adversary may be able to use this information for targeting purposes.

PIN number lists should be kept separate from phone/e-mail lists and never be disclosed or released to unauthorized individuals.

Because PINs are associated with the physical device and not a specific user, BlackBerry devices which have been used for PIN messaging, particularly those which have been used by senior GC personnel, should not be recycled, but destroyed instead.

The minimum destruction standard for BlackBerry devices must ensure that the printed circuit board inside the device has been broken into at least two parts. Note that only breaking the screen, keyboard and/or plastic housing is not sufficient to ensure that the BlackBerry devices cannot be recycled, as these components can be replaced.

References

  • [1] BlackBerry Enterprise Solution: Security Technical Overview, for BlackBerry Enterprise Server Version 4.1 Service Pack 5 and BlackBerry Device Software Version 4.5 , Document Part #17930884 Version 2, Research-In-Motion, 2008.

Contacts and Assistance

IT Security Client Services
Communications Security Establishment Canada
PO Box 9703, Terminal
Ottawa, ON K1G 3Z4

By email: itsclientservices@cse-cst.gc.ca
Telephone: 613-991-7654

Signature of Toni Moffa

Toni Moffa
Deputy Chief, IT Security