BlackBerry security and law enforcement investigations do not mix. In general, police have had trouble decrypting phones for investigations. Google, Apple and BlackBerry have been stalwarts in giving their device users the option to encrypt their data so that not even those companies can decipher it. While laws on the issue may soon come to pass, the Netherlands Forensic Institute (NFI) seems to have skipped a step in the snafu, and that comes as a potential punch to BlackBerry’s reputation.
The NFI, which assists police and other investigators with evidence retrieval, was recently spotlighted by a Dutch crime blog for having found a way to recover and read 279 out of a total of 325 encrypted emails on BlackBerrys encrypted with Pretty Good Privacy (PGP). An NFI press officer confirmed to the blog that it was able to do this.
A number of specialty vendors PGP-encrypt BlackBerry devices and sell them to consumers looking for end-to-end communications encryption for any reason. A Canadian provider touted in a brochure that no registration is required when purchasing a device.
There is one known way to decrypt a PGP-protected device: extracting the data and any password protection hash from a memory chip, then attempting passwords to get through that protection. Experts aren’t certain of ways to achieve decryption through other means. Law enforcement agencies from the UK, the US and Canada have not said whether they have the capabilities to decrypt PGP BlackBerrys.
BlackBerry put out a statement on its blog today regarding the NFI claim, saying:
“If such an information recovery did happen, access to this information from a BlackBerry device could be due to factors unrelated to how the BlackBerry device was designed, such as user consent, an insecure third party application, or deficient security behavior of the user.”
The company maintains that it neither stores nor releases passwords.