BlackBerry Messenger a Major Threat to National Security
In view of the recent breaches in our national security through various bombings and explosion, it is important that we look at some issues that can easily become a tool in the hands of terror networks to enhance their operations. The essence of this write-up is to create the necessary alert to the dangers these devices pose to national security.
In its statement, the company explained that data on its BlackBerry Enterprise Server network is encrypted so that no one, not even RIM, can access it. RIM added that it would be unable to “accommodate any request for a copy of a customer’s encryption key since at no time does RIM, or any wireless network operator, ever possess a copy of the key.
The BlackBerry for enterprise service on which the ban is sought.
.
.
At the heart of the blackberry service is the BlackBerry internet service server as shown in the diagram above as BlackBerry Infrasctructure.
The problem with this server with most National security apparatus is that this server is hosted outside their Domain and therefore they cannot have access to it in any way.
For the case of Nigeria, this server is hosted somewhere in Northern France and that is the case for most African countries. Therefore the Nigerian security apparatus do not have access to this server neither do all the wireless service providers (MTN, GLO, Airtel Etisalat etc).
The implication is that communication within this service cannot be monitored with the exception of voice calls only.
The main communication service within the blackberry network that is of real threat to our national security is the:
E-mail Services :
Generally speaking, e-mails can be intercepted for security checks within countries when a packet is suspected to contain information of interest. The mechanism used here is what we call “Man in the middle” in data communication parlance. The principle is simple and is described thus:
DEFINITION
The man-in-the-middle attack (often abbreviated MITM), bucket-brigade attack, or sometimes Janus attack, is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point, can insert himself as a man-in-the-middle).
A man-in-the-middle attack can succeed only when the attacker can impersonate each endpoint to the satisfaction of the other—it is an attack on mutual authentication. Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, SSL authenticates the server using a mutually trusted certification authority.
Name Origin: The name "Man-in-the-Middle" is derived from the basketball scenario where two players intend to pass a ball to each other while one player between them tries to seize it. MITM attacks are sometimes referred to as "bucket brigade attacks" or "fire brigade attacks." Those names are derived from the fire brigade operation of dousing off the fire by passing buckets from one person to another between the water source and the fire.
The problem with blackberry e-mail service is that that this mails are so scrambled with special security codes that they cannot be unscrambled except if RIM the markers of Blackberry devices allows access to the security algorithms and codes.
We cannot enforce this on them as their platform is outside the domain and jurisdiction of our legal boundaries.
This services and loopholes has been exploited by terror networks around the globe for their communications.
BlackBerry Messenger
The BB messenger as it is popularly called is the medium of choice for communication amongst terror networks around the globe and will easily lends itself to terror organization like Boko Haram in Nigeria.
The problem with this PIN to PIN messaging system is that it cannot be intercepted because it is well secured beyond the reach of security organizations.
All that the GSM networks do in Nigeria is simply to provide a channel for this communication between BB users. The actual routing mechanism is the BIS server situated in France owned by Research In Motion and cannot be accessed by our security apparatus.
This makes it a very easy tool for terror networks in their communication.
Giving that the BB users in Nigeria now approaches 700,000, it has become important that this community of users be effectively monitored and profiled for National security.
What Other Nations in this same dilemma did
RIM vs. Saudi Arabian Government:
RIM vs. Saudi Arabian Government:
The government of United Arab Emirates (UAE), has announced that it would suspend Blackberry mobile services like e-mail and text messaging beginning in October affecting 500K users and potentially paving the way for other Gulf states to follow suit. Nokia and Apple smart phones will were however supposed continue to operate as usual.
According to recent developments, Saudi Arabia's telecommunications watchdog has announced that it would allow BlackBerry Messenger (BBM) service to continue operation citing "positive developments" with the Research in Motion management.
In the case of Saudi Arabia, the government says it only wants access to RIM's consumer-focused BlackBerry Messenger service unlike other countries like Indonesia, Bahrain and India that are seeking access to encrypted emails which RIM routes through its own secure servers which have no master key.
RIM Vs. Indian Government
UAE, Saudi Arabia, India and Pakistan have all voiced similar concerns over wanting to be able to monitor Blackberry’s encrypted text messaging for national security reasons.
BlackBerry has a higher level of encryption that doesn’t allow monitoring of enterprise email (email run for companies) and messenger services. According to DoT in India (Department of Telecomm) guidelines, “Individuals/groups/organizations are permitted to use encryption up to 40 bit key length without having to obtain permission from the licensor. If encryption equipment higher than this limit is deployed then shall do so with prior written permission of the licensor and deposit the decryption key, split into two parts, with the licensor.” In case of BlackBerry, the level of encryption is much higher and very complex. The government has not given permission to any operator to start services without setting up server
A solution to the national security problem, as proposed by the Department of Telecommunication, was that RIM can shift the servers for the Indian network to India or create copies of data sent over Indian networks, archive it for six months, and give access to those copies to the Indian Government. However, once again, RIM could not grant this request as it was either unfeasible for the company or it compromised their customers’ privacy and security.
To resolve matters, the National Security Advisor had been asked to offer a possible solution to this problem. After several meetings with the Indian government, RIM proposed that it could share the IP address of BlackBerry Enterprise Servers (BES) and the PIN (Personal Identity Number) and IMEI (International Mobile Equipment Identity) numbers of BlackBerry mobiles, a senior government official familiar with the discussions said, but added these were not sufficient. So finally, to end this face-off, RIM has agreed to provide manual access to the BlackBerry Messenger service from September 1 which would be upgraded to automatic access from November. RIM officials are also expected to explain how the Black Berry Enterprise Server operates to the security experts.”
USA
RIM and US Security Issues:
The BlackBerry encryption is so advanced that even the United States government allows many military and law enforcement employees to send confidential messages by BlackBerry, but it also makes surveillance correspondingly difficult.
The encrypted data seems like a double-edged sword now as RIM management is now having clashes with officials elsewhere in recent years. A point to note is that RIM has been offering country specific solutions to its encryption message issues and has not come out openly in public domain over the exact deals reached with various governments worldwide including the US and China.
According to various reports however, U.S. authorities can seek a court order to tap BlackBerry traffic, giving them access to messages sent over the network. Officials with Research in Motion declined to talk about how they provide such access. It is possible that the government provides such requests directly to RIM's customers. Moreover unconfirmed reports say that US National Security Agency reportedly has the technology to crack encrypted mail in a few hours - with or without help from RIM.
If RIM denies their requests, its BlackBerry Messenger service and/or smart phones could be banned from these countries.
What we can Do In Nigeria
With a vibrant youthful population and the ever increasing incentives of operators in Nigeria, The BlackBerry Messenger has become a medium of choice in communication amongst them.
As at this writing, there are close to 700,000 users of the BB service in Nigeria when you take all the networks together. This means that we can ignore this trend as we did in the past.
We can do the following:
· As the Network operators to provide profiles of all the BB users to government
· Restrict new subscription except with security clearance
· Ask RIM the makers of Blackberry to provide access to this BBM to Nigerian security operatives or have the BBM expunged from BB service in Nigeria
· Suspend the BB service in the event of RIM’s inability to provide satisfactory technical solution to solve this security problems.
I will be available to provide further details if needed.
Henry O Ohakwe
Core Network Consultant
I am in fact grateful to the owner of this web site who has shared this great paragraph at here.
ReplyDeleteBlackberry Encryption