The Royal Canadian Mounted Police (RCMP) have been in possession of a global decryption key for BlackBerry phones since 2010, according to a new report from Vice News published yesterday.
The report suggests that the Canadian police used the master key to intercept and decrypt over 1 million messages sent using BlackBerry's own encrypted and allegedly secure BlackBerry Messenger (BBM) service in a criminal investigation over the course of 2 years.
Single Encryption Key to Protect All Customers
The issue with BlackBerry's security mechanism is that the company uses a single global encryption key to protect all its regular customers, though corporate BlackBerry phones use their own encryption keys generated by corporate servers.
During a court trial of a 2011 murder case, the RCMP revealed that it successfully unlocked around 1 million messages sent between BlackBerry devices using the "appropriate decryption key."
However, the important question here is: How did the RCMP obtain that global key?
Neither the RCMP nor the prosecutor disclosed exactly how the police obtained the appropriate decryption key that can decrypt messages sent through the BlackBerry Internet Service.
Moreover, the report itself does not have a satisfying answer. However, the most logical answer is that BlackBerry itself gave Canada's federal authorities the access they wanted.
But besides this, the most important question now is whether or not the RCMP still has the key.
After the closure of "Project Clemenza," an RCMP investigation into a mafia-related murder, BlackBerry changed its global encryption key. But it is believed that the RCMP still has the ability to decrypt BBM messages.
Recently, in its battle with the Federal Bureau of Investigation (FBI) over device encryption, Apple set an example for all tech companies by refusing to comply with law enforcement's demand to create a backdoor into the iPhone of San Bernardino shooter Syed Farook.
The FBI later managed to hack into the iPhone using an alternate method, but Apple tried its level best to protect its customers' privacy and did not hand over a backdoor into its secure device to law enforcement, though BlackBerry did just the opposite.
BlackBerry has yet to comment on the matter.