"The messages are 'the most vulnerable method of communicating on a BlackBerry,' a Public Safety Canada presentation says," Press writes. "The documents, released to Postmedia News under the access to information act, say PIN-to-PIN messaging isn’t 'suitable for exchanging sensitive messages' because protected or classified information could be inadvertently leaked, or a mobile user could inadvertently download malware or viruses that would compromise their phone."
"PSC stated, 'Although PIN-to-PIN messages are encrypted, the key used is a global cryptographic 'key' that is common to every BlackBerry device all over the world... Any BlackBerry device can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry device,'" StreetInsider.com reports.
"It should be noted that Public Safety Canada has failed to take into account the fact that organizations have the ability to change the encryption key to a unique one, ensuring that only BlackBerry devices using the same BES network can communicate with each other," writes BGR's Zach Epstein. "There are also several ways to encode BBM messages such as S/MIME, which adds another layer of security."
"What's not often pointed out is that Canada's government has known about this issue since March 2011, when this piece of advice from Communications Security Establishment Canada (CSEC) hit the web. ... The document is dated March 2011, which means Wednesday's 'revelations' about PSC waking up to the potential horrors of PIN-to-PIN messaging are scary, but only inasmuch as they show the agency has taken nearly two years to heed advice from the CSEC," writes The Register's Simon Sharwood.