
(AP) PARIS — BlackBerry handhelds have been called addictive, invasive, wonderful — and now, a threat to French state secrets.
That, at least, is the fear of French government defense experts, who have advised against their use by officials in France’s corridors of power, reportedly to avoid snooping by U.S. intelligence agencies.
“It’s not a question of trust,” French lawmaker Pierre Lasbordes told The Associated Press. “We are friends with the Americans, the Anglo-Saxons, but it’s economic war.”
Le Monde newspaper, which broke the story, described BlackBerry withdrawal among those who have given them up. “We feel that we are wasting huge amounts of time, having to relearn how to work in the old way,” the daily quoted a ministry office director as saying.
E-mails sent from “Le BlackBerry” pass through servers in the United States and Britain, and France fears that makes the system vulnerable to snooping by the U.S. National Security Agency, Le Monde reported. The company that makes BlackBerrys, however, denies such spying is possible.
Lasbordes, who was commissioned in 2005 by then-Prime Minister Dominique de Villepin to look into such issues, said he alerted the government to this “weakness” months ago. He said he met with BlackBerry maker Research In Motion Ltd. to discuss the problem in the course of preparing his report on the security of French information systems.
The Canadian company “admitted that there was a certain fragility in the protection of information when you use the e-mail system” and promised it would be resolved, said Lasbordes, adding: “That was more than a year ago.”
BlackBerrys pose “a problem with the protection of information” and “the risks of interception are real,” Alain Juillet, in charge of economic intelligence for the government, told Le Monde.
Research In Motion insisted that BlackBerry e-mails cannot be read by the NSA or other organizations. The e-mails are more heavily encrypted than online banking Web sites, Research In Motion said in a statement.
“No one, including RIM, has the ability to view the content of any data communication sent using the BlackBerry Enterprise Solution,” the company said.
The BlackBerry system has been accredited by security agencies in the United States, Australia, New Zealand, Austria and Canada, Research In Motion said, adding that a certification process is under way in the Netherlands and Germany.
In France, the circular on BlackBerries from the General Secretariat for National Defense applies in theory to all ministries, and “it’s up to everyone to be responsible,” Lasbordes said.
Another official in a major ministry who got rid of his BlackBerry following the order said authorities are looking at other types of hand-held computers to use instead.
The prime minister’s office would not confirm that it and the presidential palace were included in the circular, as Le Monde reported. But a spokesman, Severin Naudet, cited the General Secretariat for National Defense as saying that no type of hand-held computer is risk-free.
“It’s not a problem if you’re writing to your mother-in-law,” Lasbordes said. But “one can imagine a minister coming from a meeting of the G-8 or G-7, et cetera, or a meeting in Brussels, and he sends information to his colleagues. It goes via Canada and the United States and that’s it, game over.”
Suspicion goes both ways. At a Group of Eight summit in Germany this month, White House aides were instructed to leave their wireless e-mail devices behind, apparently for fear of Russian eavesdropping.
(Cross-posted at Military.com)

Yet another reason why they should be using emoze to push emails to their devices!
emoze offers a free mobile email solution for thousands of mobile devices, including Pocket PC
I suspect RIM is, ummm, playing fast and loose with the truth.
The central server to blackberry communication may be nicely encrypted, but they probably have CALEA hooks or similar.
Worse, if the mail TO the central server is sent through SMTP, well, that’s all in the clear. So yeah, NSA can have serious fun with that.
Of course the NSA reads Blackberry email. And of course this information is disseminated from NSA to Dept of Commerce to Boeing.
Keeping Boeing going is viewed as a vital national security interest.
This is all very valid paranoia. Of course RIM is going to say it’s secure, but there’s really no telling what the agencies are capable of. There aren’t a lot of organizations other than the intelligence orgs that hire entire departments of people just to figure out how to bust encryption.
And yes, Boeing and Airbus are both considered vital to the national security of the US and France, respectively.
Australia’s DSD actually can certify Blackberrys for government use. So I don’t know what France is worried about. Surely it’s a simple matter of getting their local Defence Signals Directorate to install an encryption tool?
Just because it is certified for government use doesn’t mean it should be used. Look at Diebold’s voting machines…
IMO such a critical piece of communication infrastructure should not cross national borders if you care about your security. I think France is being very sensible here.
Especially since I need to look into it further, but is mail TO RIM just through SMTP?
If so, although the RIM Blackberry path may be perfectly secure, the Mail RIM path could easily be wide open. And the Blackberry -> Mail path is also wide open, because that goes back to SMTP at RIM before going onto the net.
And given the universal tradition (France is notorious for this, so I’d expect them to expect it of others) of economic espionage as well as espionage on allies, the Crackberries seem very dangerous for national security of non-US countries because of the basic architecture which routes all traffic through the US/Canada for the servers.
“If so, although the RIM Blackberry path may be perfectly secure, the Mail RIM path could easily be wide open. And the Blackberry -> Mail path is also wide open, because that goes back to SMTP at RIM before going onto the net.”
The answer can be found here:
http://na.blackberry.com/eng/ataglance/security/features.jsp
Assuming a Blackberry Enterprise Server is involved — that, admittedly, is not a piece of information given here — then the message is secured with end-to-end encryption:
“Data sent to the BlackBerry smartphone is encrypted by BlackBerry Enterprise Server using the private key retrieved from the user’s mailbox. The encrypted information travels securely across the network to the smartphone where it is decrypted with the key stored there.
Data remains encrypted in transit and is never decrypted outside of the corporate firewall”
“War. War Never Changes.”
http://www.youtube.com/watch?v=_mcJAI6oRYY
My guess is they’re bucking for a private, or maybe public, Cackberry network to be set up in France. Eh, I could be wrong though.
IT security is based upon randomness, complexity, and secrecy… that is, until somebody finds a decoder ring in a box of Cracker Jacks.
It’s all funny stuff, but C’est la vie.
Face it folks, every keystroke, and every electronic means of communicating is “breakable”; hence, insecure.
Period.
The only question is the amount of time needed to break encryption.
Nothing beats a “one time pad” made of wax. Old, but absolute.
“IT security is based upon randomness, complexity, and secrecy… that is, until somebody finds a decoder ring in a box of Cracker Jacks.”
Incorrect. IT Security is based upon setting privileges, enforcing those as well as policies, ongoing detection of compromise attempts, distribution and enforcement of secure practices and encryption of anything that is beyond control of the system or network administrator. If someone tries to base their security model on randomness, complexity, and secrecy, that someone should be fired.
“…the only question is the amount of time needed to break encryption.”
That’s true, and with current encryption standards, that time equals centuries to millennia. Not practical for real-time intelligence, and for all practical purposes, unbreakable within a human lifetime.
Look, everyone is hyperventilating over interception of Blackberry traffic, and everyone doing it doesn’t know a thing about IT security. The *real* security hole is the device itself. Why bother wasting time trying to decrypt an intercepted message when the timeframe for decryption is beyond my lifetime? Why not just steal the damn device? **THAT’S** the real security hole: The end user’s practices. That’s **ALWAYS** the real security hole. Not the infrastructure in-between.
The governments in question should worry about **that**, not about some obscure technical issue they don’t understand, and which can be addressed with products like PGP anyway.
A BES (Blackberry Enterprise Server) has encrypted end-to-end communications to the Blackberry.
So most larger organizations will have this.
The BES is inside the organization’s network.
The Blackberry itself uses 128-bit encryption on its traffic, and can optionally encrypt all data on the Blackberry with a different 128-bit key, and will erase itself rather than allow repeated password attempts.
The only weakness there is a hypothetical trapdoor to allow password recovery from inside a snatched blackberry.
Judging from the security policy Australia’s DSD promulgate which turns OFF content encryption, I guess that if such a thing exists only US agencies know about it.
The blackberry hardware has built-in anti-tamper and won’t run a doctored system image.
Organizations can impose security policies that enforce any or all of these features.