By now you’ve probably heard of the purported deal between BlackBerry and the Saudi Arabian government requiring a method to access messages traveling through the BlackBerry network in that country. Details of the deal are still sketchy, but it seems to be enough to keep the government ban on BlackBerry services from happening. While many are happy the ban has been avoided, others, including myself, are worried about the long-term implications of this decision.
BlackBerry has made security its primary selling point for many years and has done quite well as a result. With clients including many of the Fortune 500 companies and governments the world over, you have to know that this is something its clients take seriously too. The real question here is, “What kind of security risk will these companies have to face as a result of this agreement?”
As I’ve said, the details of the agreement are somewhat sketchy, and from what I understand of the BlackBerry infrastructure, I have to think that this agreement isn’t as far-reaching as it might seem. Reports don’t seem to focus on email messages, but instead on the BlackBerry Messenger service.
Email messages are encrypted end-to-end so that only the server inside the company data center and the handheld have keys to decrypt them. BlackBerry Messenger, however, does not do this. By necessity, it can’t! In order to route a message to another user’s device, it must be decrypted in the middle and routed to the other user.
Assuming this is true, the security implications aren’t as great as people might think. BlackBerry Messenger was always an add-on product and isn’t the main reason people buy a BlackBerry. Furthermore, it was never promised to be secure. However, the precedent being set is not good. It’s obvious that soon, every nation will be demanding similar treatment. Not only can this apply to BlackBerry, but this example can be applied to nearly every software product that allows encrypted communication, including Skype and hundreds of other products.
But this is also the Achilles heel of the deal. Now that it’s clear that BlackBerry Messenger isn’t secure, it won’t be long before the masses change habits and start using another product that is secure. If that one gets popular enough that the government decides to strong-arm a similar deal, the people will just change again. The bottom line here is that this is just another step in the eternal cat-and-mouse game they have been playing since the start of time. The real victim here is the BlackBerry Messenger platform.