August 2010


India Blackberry Ban Imminent


BlackBerry has launched its latest smartphone - the Torch 9800 amidst the ongoing debate between RIM (Research in Motion - BlackBerry phone makers) and governments of countries (UAE, Saudi Arabia, India) over a possible ban on the use of BlackBerry smartphones in their territory.

The Indian government has taken a strict stand towards BlackBerry's usage in the country. On 12th August the Press Information Bureau announced that India's Central Security Agencies had held a meeting with the Telecom Department. The meeting asked the Telecom Department to convey to service providers that two BlackBerry services, namely BlackBerry Enterprise Service (BES) and BlackBerry Messenger Service (BMS), be made accessible to Law Enforcement Agencies by 31st August, 2010. If a technical solution is not provided by 31st August, 2010, the Government will review the position and take steps to block these two services from the network.

The problem with BlackBerry phones seems to have far-reaching consequences. Officials of the Commonwealth Games (starting in Delhi city from 3-14 October this year) have held special emergency talks to find an alternative communication mode (in place of BlackBerry) for the foreign officials and athletes visiting the country.

Many news sources will have you believe that there will be a blanket ban on BlackBerry emails, but most likely only business users will be affected, as I will try to explain below.

There are two different set-ups for BlackBerry Email - one using BlackBerry's Internet & Email Service (BIS) targeted towards the personal phone user and the second being the BlackBerry Enterprise Server (BES) solution for the business user.

How BIS works:

On setup, the mobile phone user provides BlackBerry (RIM) with the email addresses, connection details & credentials for each email account he/she would like to receive on their mobile phone. BlackBerry currently allows up to 10 sets of Email credentials.

BlackBerry uses the details provided to login and establish a connection on the user's behalf to their Email server's mailbox. BlackBerry monitors the mailboxes, and when it sees new Email, it retrieves (pulls) a copy and then pushes it to the BlackBerry handheld device over the wireless network.


Figure 1 - BlackBerry Internet Service (BIS)

Encryption is used on data travelling between each entity. The wireless network will typically use one of GSM's family of A5 stream ciphers and, if configured, BlackBerry will use an SSL session over the Internet to the Email server.

Although encryption is used, it is under the control of the network operators. BlackBerry applies compression and optimisation, making Email little more secure than SMS messaging. BlackBerry's official line is: "Email messages and instant messages that are sent between the BlackBerry Internet Service and your BlackBerry device use the security features of the wireless network. Messages that are sent between your messaging server and the BlackBerry Internet Service are automatically encrypted if the server supports SSL encryption".

How BES works:

First you must have a BlackBerry phone from the carrier on a business plan. The carrier will often lock out the BES setup icon from a phone on a personal plan.

In this scenario the BlackBerry mobile phone user will often receive his/her phone from their company. The user is provided with an activation password by the company's IT department. The next step is to launch the enterprise activation program on the BlackBerry phone and provide the activation password. The password is used to ensure the phone user is authentic, and then the Enterprise Server and BlackBerry device negotiate a device transport key using the Diffie-Hellman key agreement protocol.


Figure 2 - BlackBerry Enterprise Server Setup (BES)

The device transport key is held on both the device and the server, and is used to encrypt subsequent communication traffic (Application, Email & Messaging, and Voice using the additional BlackBerry Mobile Voice Server) using either the Triple DES or AES encryption algorithm.

One final note worth mentioning regarding the BES solution is that it is possible to pay to have your BES server hosted by a 3rd party.

Telecom service providers like Airtel, Vodafone, RCom, the Tatas and the government-run BSNL and MTNL offer BlackBerry services in India. The possible ban on BlackBerry phones by the Indian Home Ministry would see an estimated 1.1 million users having their email and chat services switched off.

Reports have suggested that the Indian government has demanded that RIM either set up a local server in its territory or provide a master decryption key. If RIM's documentation regarding the BES solution is to be believed, then there is no master key. Keys are generated uniquely per-user per-company. Also, RIM's servers just route the encrypted payloads, so a local server will be of no use either.
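Added example, not RIM's code or protocol: each activation below runs its own Diffie-Hellman exchange, so the transport key exists only on that handset and its server, and a relay in between holds nothing that decrypts the packet. The function names, the RFC 2409 group, keying the shared secret with the activation password, and the HMAC-SHA256 keystream standing in for Triple DES/AES are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

# 1024-bit MODP prime from RFC 2409 (Oakley Group 2), generator 2. Demo parameters only.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def _mac(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def keypair():
    """Fresh Diffie-Hellman pair: (private exponent, public value)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def transport_key(priv, peer_pub, activation_password):
    """Assumed simplification: key the DH secret with the activation password."""
    shared = pow(peer_pub, priv, P).to_bytes(128, "big")
    return _mac(activation_password.encode(), shared)

def activate(password):
    """One activation; device and server each derive the key on their own side."""
    d_priv, d_pub = keypair()
    s_priv, s_pub = keypair()
    return transport_key(d_priv, s_pub, password), transport_key(s_priv, d_pub, password)

def _xor_stream(key, nonce, data):
    stream = b"".join(_mac(key, b"enc", nonce, i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Encrypt-then-MAC; the HMAC keystream is a stdlib stand-in for 3DES/AES."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + _mac(key, b"mac", nonce, ct)

def unseal(key, packet):
    """Return the plaintext, or None when the packet was not sealed under this key."""
    nonce, ct, tag = packet[:16], packet[16:-32], packet[-32:]
    if not hmac.compare_digest(tag, _mac(key, b"mac", nonce, ct)):
        return None
    return _xor_stream(key, nonce, ct)

if __name__ == "__main__":
    dev_a, srv_a = activate("constructed-password-A")    # company A's handset and server
    dev_b, _ = activate("constructed-password-B")        # unrelated handset, other company
    packet = seal(dev_a, b"constructed sample message")  # all a relay in the middle sees
    print(unseal(srv_a, packet), unseal(dev_b, packet))
```

The second value printed is `None`: a key from a different activation does not open the packet, which is the sense in which there is no single key to hand over.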

The Indian government fears anti-national elements could misuse BlackBerry devices, as they did during the 2008 Mumbai terrorist attack, when a Pakistan-based terrorist group, Lashkar-e-Taiba, used BlackBerries with GPS and anonymous e-mail accounts to carry out their dreadful attacks in Mumbai city, killing 166 people, including Indians and foreigners. A senior Indian officer in the country's elite Black Cat commando unit (or The National Security Guard, India's counter-terrorism unit) stated that at least 5 BlackBerry mobile phones were recovered from the attack sites.

BlackBerry is considering offering metadata of an email or SMS sent through the devices, such as the Internet Protocol address of the BlackBerry Enterprise Service and the PIN and International Mobile Equipment Identity of the BlackBerry mobile. However, India's security agencies actually want uninterrupted access to BlackBerry messaging services rather than receiving metadata from the BlackBerry authorities.

However, the final fate of BlackBerry's (and so of its over 1 million users) encrypted email and messaging services in India will be decided in last-minute talks by the end of August, ahead of an August 31 deadline. Indian telecommunication officials said that according to RIM, the only way an email could be captured is when it temporarily stores itself in a server in a decrypted form before it gets delivered. Only time will tell what kind of solution RIM comes up with that will be accepted by India.

In many countries, the debate over the BlackBerry ban has resulted in a considerable cut in the smartphone's sale. For instance in India, the sales of the smartphone have been adversely affected, and a few grey market dealers in Mumbai (the industrial city of India) have stopped ordering fresh stocks of BlackBerry models until RIM sorts out the issue with the government. Other cell phone brands like Nokia, Samsung and Apple are benefitting from the decline in the BlackBerry trade.

If the BlackBerry BES solution is banned, this may have knock-on consequences for other communication services using encryption, such as Skype, WebEx and Live Meeting.

News update: BlackBerry phone maker RIM has been granted 2 more months' time (the deadline was set on August 31st) by India to consider setting up a server on its land to help security agencies monitor BlackBerry's encrypted data. Till then, the gadget maker can continue its services, the Indian home ministry said.

By Suparna Sen, Smartcard & Identity News




