Dutch investigators have claimed to be able to decrypt emails stored on PGP BlackBerry handsets using commercially available tools.
The Netherlands Forensic Institute (NFI) told Dutch blog Crime News last month that it managed to crack the PGP encryption on some devices in order to extract messages to help with criminal investigations.
It’s said to have used the UFED4PC version 4.0.0.220 product from Israeli forensics software vendor Cellebrite.
Deleted messages could be recovered and encrypted messages read, although not all of them—279 out of 329, to be precise.
There was another caveat: namely that they were only able to decrypt said messages with physical access to the device. However, the length of the password used for sending and opening PGP messages was “not relevant,” according to the report.
One of the devices in question is said to be the BlackBerry 9720.
The NFI was naturally tight-lipped over how it cracked the PGP encrypted BlackBerry devices, given that it doesn’t want to let criminals take defensive measures.
This week it emerged from court documents that the Royal Mounted Canadian Police (RMCP) can also decrypt PGP BlackBerrys.
It must be clarified, these devices aren’t sold by BlackBerry itself, but instead by third party vendors who claim the customization with PGP encryption ups their security “military grade.”
Infosecurity has yet to hear back from BlackBerry after requesting comment, but the Canadian firm sent the following to The Register:
"We are confident that BlackBerry provides the world's most secure communications platform to government, military and enterprise customers. However, we can't comment on this claim as we don't have any details on the specific device or the way that it was configured, managed or otherwise protected, nor do we have any details on the nature of the communications that are claimed to have been decrypted."
Ironically, the revelations come just days after the Dutch government stated its support for strong encryption and opposition to any moves which might undermine the security of related services.
“This would have undesirable consequences for the security of information stored and communicated, and the integrity of ICT systems, which are increasingly of importance for the functioning of the society,” it claimed at the time.
F-Secure security advisor, Sean Sullivan, told Infosecurity that the decryption claims were “plausible” and not really at odds with the Dutch government’s position.
“The NFI claims are about being able to recover messages from a physical device, and it isn’t trivial to do—it takes some work. Messages in transit are secure and there is no evidence that communications on the wire are at risk,” he explained.
“So this ability to recover messages from a device in the physical possession of the NFI is about law enforcement investigations—and not about bulk surveillance—which is more the meaning of the government’s position on strong encryption.”
Photo © coronado