
FAQ: BlackBerry Messenger & PIN Messages are NOT Encrypted

I just wanted to provide some more detail to my previous explanation of which communications are encrypted on a BlackBerry. This issue has caused quite a bit of confusion recently, so I thought I would clear it up specifically for BlackBerry Messenger and PIN messages.

BlackBerry Messenger and PIN to PIN messages are NOT encrypted. They are scrambled using a global cryptographic key which EVERY BlackBerry in the world uses. BES administrators have the option to encrypt the body of PIN messages (but not the PIN itself) using an organization-specific encryption key, but that limits users to sending PIN messages only within the organization, so it is usually not done. It is possible to use the S/MIME package RIM sells to encrypt PIN to PIN messages, but that gets complicated and is really only done by government organizations.

There are a couple of problems with PIN to PIN messaging, which is also the basis of BlackBerry Messenger, that you should know about. The Communications Security Establishment in Canada was kind enough to detail some of these issues:

  • As said before, PIN to PIN messages are NOT encrypted by default; they are scrambled using a cryptographic key.
  • If a wireless carrier or government manages to reroute your PIN message to any other BlackBerry in the world by changing the header, it will be readable on that device.
  • Devices cannot be reused by another person, since messages for that PIN will continue to come to the device for the original owner. Think of it this way: if you sell your BlackBerry, the new owner will get your PIN messages. The sender would also have no idea that this is the case.
  • You have no way of knowing whether the person sending you a PIN message has sold their device, or had it stolen by someone who is now impersonating them.
  • Even if an organization uses their BES with an organization-specific PIN key, the PIN number is still not encrypted and is sent in the clear. That means a snoop could see who is sending messages back and forth.
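The rerouting point and the cleartext-PIN point above can be modelled in a few lines; this is an added example, not code from the original post or from RIM. The cipher is a standard-library HMAC-SHA256 stand-in rather than the algorithm BlackBerry devices use, and the keys, PINs and function names are all constructed for illustration.

```python
import hashlib, hmac, os

# Constructed keys: one shared by every device, one held only inside an organization.
GLOBAL_KEY = hashlib.sha256(b"constructed global key").digest()
ORG_KEY = hashlib.sha256(b"constructed organization key").digest()

def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    # Stand-in keystream: HMAC-SHA256 in counter mode.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, to_pin, from_pin, body):
    """Cleartext PIN header plus a body encrypted and MACed under `key`."""
    nonce, data = os.urandom(16), body.encode()
    ct = bytes(a ^ b for a, b in zip(data, _stream(_sub(key, b"enc"), nonce, len(data))))
    tag = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"to": to_pin, "from": from_pin, "nonce": nonce, "ct": ct, "tag": tag}

def open_on_device(device_pin, device_keys, msg):
    """Return the plaintext if this device is addressed and holds a matching key."""
    if msg["to"] != device_pin:
        return None
    for key in device_keys:
        tag = hmac.new(_sub(key, b"mac"), msg["nonce"] + msg["ct"], hashlib.sha256).digest()
        if hmac.compare_digest(tag, msg["tag"]):
            ks = _stream(_sub(key, b"enc"), msg["nonce"], len(msg["ct"]))
            return bytes(a ^ b for a, b in zip(msg["ct"], ks)).decode()
    return None

def reroute(msg, new_pin):
    # Models the header change from the list above; the body is untouched.
    return {**msg, "to": new_pin}

def demo():
    sender, recipient, other = "2100000A", "2100000B", "2100000C"  # constructed PINs
    default_msg = seal(GLOBAL_KEY, recipient, sender, "meet at noon")
    org_msg = seal(ORG_KEY, recipient, sender, "meet at noon")
    return {
        "default_rerouted": open_on_device(other, [GLOBAL_KEY], reroute(default_msg, other)),
        "org_rerouted": open_on_device(other, [GLOBAL_KEY], reroute(org_msg, other)),
        "org_inside": open_on_device(recipient, [ORG_KEY, GLOBAL_KEY], org_msg),
        "observer_sees": (org_msg["from"], org_msg["to"]),
    }

if __name__ == "__main__":
    print(demo())
```

In this model the organization key stops an outside device from reading a rerouted body, but the sender and recipient PINs stay visible to anyone on the path.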

Any questions?

19 total comments on this post
  1. So if you want encrypted emails, just use something like atomichelix openpgp on blackberry and have the receiver do the decryption.

  2. About time someone conveyed all this to the powers that be in India.

  3. There is no need to buy anything to encrypt messages using S/MIME. Just use BBDM to import your keys and you’ll be all set.

  4. Thanks for clearing this up Ronen. It’s funny, I’ve had so-called security experts that frequent a certain C BlackBerry site tell me emphatically that all BlackBerry Messenger traffic is “encrypted”. Despite RIM documents that say otherwise.

  5. It is. Make sure you tick the box and just install your certs. It’s a shame that it only works for PIN messages…

  6. Ronen, sorry but “scrambled using a cryptographic key” means the same as “encrypted”. This is not an encoding issue but one regarding the use of _crypto keys_. I agree that the encryption is weak, since it is using a shared key rather than using public key infrastructure (PKI), which can incorporate X.509 digital certs.

    I don’t think RIM wants to discuss the encryption keys and security features of BlackBerry. It is not in their best interest to do so. Suffice to say that, regarding the Saudi issue, high-level government officials in the U.S. and Canada helped broker a solution for the Saudis.

    • Hi Joe,
      Encrypted and Scrambled are totally different things. Scrambling has much lower overhead and usually involves a public key that ANYBODY can decrypt if they have the public key. Anybody with a BlackBerry HAS that public key to de-scramble the previously scrambled information making it SUPER easy to break.
      Encryption is usually based on a public-private key system involving some sort of handshake or pre-sharing of the public and private keys.
      If you want I can point out some articles detailing the differences.

      • Ronen, I luv ya, and I appreciate the discussion, but in WWII, the Germans used the famous enigma machine to encrypt messages (see PKI wasn’t even developed until the 70s, publicly disclosed in ’76. PKI was invented by Diffie, Hellman, Rivest, Shamir, and Adleman; hence, Diffie-Hellman and RSA being used as high-grade encryption algorithms today by private & public organizations, government, banks, and even folks who use PGP/GPG, etc. These guys weren’t even born when the enigma was invented!

        The term “public key” only has to do with PKI, which uses two asymmetric keys (public & private keys) versus the more primitive symmetric keys which uses one key, shared at both ends. This is what was used in the enigma and is used in many systems & devices even today.

        Symmetric keys are not necessarily “super easy to break”; however, the strength of the system is based entirely on the security of the secret key at both ends. For example, if someone were to get your WEP key off your router, then they can decrypt all your WEP traffic. Of course, one can always “scramble” the secret key with a password to protect it from prying eyes… but even that is an encryption technique — just a primitive one, using a symmetric key; i.e., a secret password.

        Public-Key Infrastructure (or PKI) uses a combination of a public key and a private key. Both keys are bound together in such a manner that they are “related”. The public key is shared openly to allow others to decrypt messages you encrypt with your private key. By using a combination of your private key and someone else’s public key, you can encrypt a message that only that someone else can decrypt. That’s the beauty of PKI. Anyway, I can bore people on encryption and security.

        • Yes, but RIM themselves state clearly in their BIS security documents (available online at RIM web site) that email, PIN, and SMS messages are NOT “encrypted”. Nitpick details of scrambling versus plaintext versus encryption all we want, the hubbub in the media is about messages being encrypted, and unless you’re on a BES RIM says quite clearly in their own documentation that such messages are NOT encrypted.

    • I agree with you, joe257…
      “PIN to PIN messages by default are NOT encrypted they are scrambled using a cryptographic key” is an ambiguous statement. Just like you said, scrambling using a cryptographic key is the same as encrypting…

      And to Ronen: “Anybody with a BlackBerry HAS that public key to de-scramble the previously scrambled information making it SUPER easy to break”, that is true, and it’s similar to a characteristic of primitive encryption (or, as I will call it, a symmetric cryptosystem). In a symmetric system anyone who knows the key can easily decrypt the message, but then questions may pop up: “How does the other party know the key?”, “Can anyone get the key?”, because if you don’t know the key it’s really difficult to crack the message….
      As seen in my question, I am not a BB user, but I am really concerned about it.

  7. encryption means using a private thing to be able to read the content of encrypted data.

    scrambling is the layman word for cyphering. Cyphering and decyphering is something that is not related to security (in a sense that it does not provide anything to protect the data cyphered).

    example of encryption : cable TV. It requires a smart card with a PIN code to be able to decrypt the flow and have images and sound. It is of course per user basis.

    example 1 of cyphering : you record a video in MP4 format. Everybody having the MP4 decoder can decode the flow and have images and sound.

    example 2 of cyphering : you decide to replace any letter with the following letter. “Hello World” is encoded into “Ifmmp Xpsme” and easily decoded, provided you possess the step-by-step protocol.

    Remember back in 1998 when Office 6 provided a way to encode/decode a Word file ? It was a trick but anyone owning a Word file was able to decode it. It’s the same with Blackberry PIN messages.

  8. Hi, Ronen
    A friend wants to sell me a bb but i was asking about the pin and all, if the phone is reset to factory setting, can a new user make use of the messenger using a different username with the same pin? thanks

  9. @lfe:
    People buy and use “used” BlackBerry smartphones all the time. Assuming you have a properly provisioned BlackBerry data plan, you will have full use of all BlackBerry capabilities. Are you worried that you will get pin and BlackBerry Messenger messages intended for your friend? If he/she upgraded to a new BlackBerry, and properly transferred the provisioning, his/her BlackBerry Messenger contacts will be automatically updated so they BlackBerry Messenger with his/her new BlackBerry. However, since the PIN is now yours, if his/her contacts sent a PIN message to the PIN, I’m pretty sure it would come to you, not your friend. Does that answer you ?

  10. @DavidB
    Thanks. That answers my question
    Thanks too, the question has been answered.

  11. Hi Joe,
    Love the example but I think you missed my issue. The enigma worked because only German U-boats had an enigma to decipher messages. With BlackBerry Messenger everybody who owns a BlackBerry has an exact copy of your enigma key. In other words governments can reroute your traffic to ANY BlackBerry and it will be decrypted.

  12. I am still somewhat new to my bb msgr. I recently received a request for friends on my bb msgr from someone i have no idea who they are!! How is this possible, and how did they get my pin no. to even request?? It’s kinda scary to me….If anyone could please explain, that would be great, thx…..Michelle

Copyright © 2007-‘2016’ BerryReview LLC