In a nut shell, the BlackBerry service is too public to be used. Let's be rational here, how would you feel if you knew the president used a public copy of WindowsXP on all his PCs, or if he used a public copy of Internet Explorer and Outlook? How warm and fuzzy would you feel about the security of our Gov’t secrets? Of course Obama would like to keep his Blackberry, who wouldn’t? BlackBerry’s without a doubt increase the users productivity and availability. However, for most users the security of the BlackBerry solution is just an after thought. Obviously, if you are the most powerful man on the planet your security posture becomes a bit more critical (understatement of the year). In this blog I will lay out 3 major reasons why the security risk is just to great to allow President Obama to keep his beloved BlackBerry.
Over the years the President's access to mainstream communication systems has been prohibited, and for good reason, they are not secure enough. This is why the White House has its own communications network for e-mail, voice, video, and data delivery. They don’t just go and sign up with Qwest. That is why all the applications the President uses are custom. Everything from his e-mail client, browser, operating system, instant messaging system, word processor, etc. has had its source code either written from scratch by the Gov’t or highly modified by the Gov’t to make it more secure. Even many of the crypto algorithms that are used to encrypt the President's data at rest and in transit are custom developed and classified. My point is that everything the President touches in the digital world has been highly customized for him with a relentless focus on security.
Almost all of this customization code, techniques, algorithms, etc are highly classified. See NSA cryptography definitions around Suite A algorithms. Sure you could argue that it is a bit of security by obscurity but it seems to be a pretty successful tactic in the government’s bag of tricks so far.
So this brings me to my main premise for denying Obama the use of his BlackBerry device. The BlackBerry network is too public. Their vulnerabilities are published publicly, their SDKs are public, their devices are public, parts of their code is public, their RIM network is public, their software is public, anyone who pays $100 is allowed to obtain a RIM key to sign their code, exploit code to attack the multiple vulnerabilities in BlackBerry is public, etc. etc. etc.
Don’t get me wrong my whole argument is not based around obscurity per say. Instead it is based on the fact that if our President uses a completely public communication mechanism, like BlackBerry, which was not designed with “eyes only” security as an objective throughout its dev process then the likely hood of it being compromised jumps exponentially. This is especially true when every detail about the BlackBerry solution is available to the public and has been for years.
Let’s take a brief look at the state of BlackBerry security.
To start, the BlackBerry has had 9 high severity vulnerabilities since 2006. While that may seem great to the average enterprise and is far better than most other cell phone OS’s it is still 3 a year. So if we assume this trend will continue then we have to assume that Obama’s BlackBerry will be hacked 3 times a year for the next 4 years. It is important to note that 8 of the 9 vulnerabilities since 2006 resulted in full and complete device compromise if exploited successfully. RIM released a whitepaper titled “Protecting the BlackBerry device platform against malware” that has this to say about security
“To maintain and enforce the corporate network security policies, you also must apply a subset of your security solution and security policies on each BlackBerry device, since BlackBerry devices are an extension of your physical corporate network. Make sure that the security measures you set up are designed to protect your physical corporate network and to protect the security of the BlackBerry devices. “
So basically you need to protect the device because if you don’t it could result in your corporate network becoming compromised as well But then the whitepaper goes on to say this about the ability of the device to detect installed malware
Effective malware detection requires a comprehensive and frequently updated local database or a constant connection to a similarly qualified online database. While computers might have access to these databases, current mobile devices do not have enough storage space for a malware database and cannot guarantee a constant connection to the Internet.
So if the manufacturer even admits that the device has no way to defend itself against installed malware and if compromised could lead to compromise of your corp network too, are you still on the fence of whether or not our President should own one of these? If you are, then read on padawan learner. If your not, read on anyways ☺
The other frequently discussed issue with giving our President a BlackBerry is location tracking. It is well known and documented that it is possible to track the signals that cell phones emit. In lieu of full GPS, most new cell phones rely on this fact to help you with directions, find a place to eat, etc.
Several companies have popped up to provide this as a service to paranoid parents who want to know where their kids are to paranoid spouses who want to know what their significant other is doing. One example that supports the BlackBerry is http://www.accutracking.com/.
Net net of this is, if Obama has one of these on his person then he will be trackable. See any issues with that factoid? Of course.
The first in-depth public research done on the BlackBerry network was back in 2006 by “FX” and discussed at the 2006 Black Hat and DefCon conventions. It showed several flaws in the basic design of the system and vulnerabilities in some of the 3rd party apps used by BlackBerry. In my opinion it is largely because of FX’s work that BlackBerry started to take security seriously. It is more than coincidence that several of the vulnerabilities that were fixed by RIM were talked about previously by FX. FX’s session is a good read and helps set the background of the issues involved. Check it out here: http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-FX.pdf
Okay, so there is an argument being made that we could just not let Obama store or access any classified material on his BlackBerry. OK fine. But that doesn’t solve all the issues by any stretch.
My final case against allowing our President to use a BlackBerry is that it might allow hackers to listen in to his conversations. Not his cell phone conversations, but rather his in person conversations.
To explain what I mean we need to go way back to 2006 (in fact 2004 really) and take a look at the legal case of United States vs. John Tomero (allegedly part of the Genovese Crime Family). In that case the district court approved the use of a "roving bug" that allowed authorities to turn a cell phone into a microphone without the user knowing. The case memorandum had this to say:
The government applied for a "roving bug," that is, the interception of Ardito's conversations at locations that were "not practical" to specify, as authorized by 18 U.S.C. Â§ 2518(11)(a). Judge Jones granted the application, authorizing continued interception at the four restaurants and the installation of a listening device in Ardito's cellular telephone. The device functioned whether the phone was powered on or off, intercepting conversations within its range wherever it happened to be. In a renewal application dated February 6, 2004, the government sought, and Judge Jones in due course granted, authority to install a roving bug in Peluso's cellular telephone. This order was renewed several times throughout 2004
Can you image if hackers took this kind of control over Obama’s BlackBerry device! Every briefing he has, anywhere, could be recorded remotely. I can’t think of a more serious breach of security can you?
I hope that the arguments and facts that I’ve laid out for you in this article have convinced you that there is no way we can let Obama keep his BlackBerry. If you still think he should have one I’d really like to hear your arguments for it. Please post them! If you have other reasons why you think Obama shouldn’t have a BlackBerry please post those for discussion as well.
For more discussion on this topic check out the NW chat here: http://www.networkworld.com/chat/archive/2009/011609-bloggers-chat-on-obama.html Mathew's blog here http://www.networkworld.com/community/node/37484 and Dan Tynan's comments here http://blogs.computerworld.com/obama_technology_0 You can also find related articles on Computer World here http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126471
The opinions and information presented here are my personal views and not those of my employer.
More from Jamey Heary: Credit Card Skimming: How thieves can steal your card info without you knowing it Cisco enters the crowded AV and DLP client marketCisco's new ASA code allows you to securely take your Cisco IP Phone with you anywhereCisco targets Symantec, McAfee with its new anti-virus clientGoogle's Chrome raises security concerns and tastes like chicken feet a>Go to Jamey’s Blog for more articles on security.