The vulnerability of BlackBerry’s PIN-to-PIN messaging service is not a deadly new flaw, as news reports Wednesday of the discovery of cyber-security memo issued to federal departments earlier this year about it would suggest.
Security issues associated with the messaging service were in fact already known to Communications Security Establishment Canada way back in 2011.
PIN-to-PIN diagram from CSEC memo
The CSEC, which is the country’s national cryptologic agency responsible for foreign signals intelligence and electronic information and communication security, issued a security advisory to federal employees about BlackBerry’s PIN-to-PIN messaging service in March of that year.
BlackBerry devices are issued a unique eight-digit PIN independent of the users account or email address. If a BlackBerry user shares this PIN with other BlackBerry device users they can exchange messages even in the event of a BlackBerry network outage or power outage that disrupts email and text messaging.
The scare -- according to the British-based online news service The Register -- began yesterday when news leaked out that Public Safety Canada, the agency that oversees national security, issued a memo warning federal employees who communicate using PIN-to-PIN. The memo said the service is not “suitable for exchanging sensitive messages,” because information exchanged through the service could be inadvertently read by other BlackBerry users.
Update on Canadian wireless public safety network
Report: Canada’s cyber-security falling short
“Although the PIN-to-PIN messages are encrypted the key used is a global cryptographic key that is common to every BlackBerry device all over the world,” the memo said. “Any BlackBerry device can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry device.”
It now appears that memo could be an update or rehash of the one sent by CSEC over two years ago.
Here’s an excerpt of that March 2011 memo:
PIN-to-PIN transmission security: PIN-to-PIN is not suitable for exchanging sensitive messages. Although PIN-to-PIN messages are encrypted using Triple-DES, the key used is a global cryptographic "key" that is common to every BlackBerry device all over the world. This means any BlackBerry device can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry device, if the messages can be intercepted and the destination PIN spoofed.
Further, unfriendly third parties who know the key could potentially use it to decrypt messages captured over the air. Note that the "BlackBerry Solution Security Technical Overview"  document published by RIM specifically advises users to "consider PIN messages as scrambled, not encrypted".