BB10’s ‘dated’ crypto lets snoops squeeze the juice from your BlackBerry – researcher
BlackBerry's BB10 OS uses dated protocols that leave users exposed to known cryptographic attacks, according to a security researcher.
The latest version of the smartphone maker’s operating system, BlackBerry 10, uses TLS 1.0, while competitors use TLS 1.2. According to the researcher, this leaves BlackBerry fans using BB10 at risk of being attacked by BEAST, a cryptographic attack developed in 2011 that’s capable of decrypting sensitive web traffic protected by the ubiquitous secure sockets layer protocol.
Supported protocols for devices running BB10 include “cipher suites containing dangerous, treacherous or weak algorithms” such as RC4, ECDSA (NIST curves, owned by BlackBerry) and SHA1, according to a prolific member of the CrackBerry Forum. By contrast, more robust algorithms such as AES GCM and SHA2 are not supported, the same post says. The poster argues that this leaves both business and consumer users of BlackBerry more open to government snooping.
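As an added example (not from the article, the forum post or BlackBerry), the sketch below audits a client's offered cipher suites for the weaknesses named above: a protocol older than TLS 1.2, RC4, SHA-1, and the CBC-under-TLS-1.0 condition that BEAST depends on. The suite list is constructed for illustration and is not BB10's actual offer; the function names are hypothetical.

```python
import re

# Protocol versions, oldest to newest.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]
# IANA-style name: TLS_<key exchange>_WITH_<cipher>_<hash>
SUITE_RE = re.compile(r"^TLS_(?P<kx>.+)_WITH_(?P<cipher>.+)_(?P<mac>SHA\d*|MD5)$")

def audit_suite(name, version):
    """Return findings for one suite name at a negotiated protocol version."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised suite name: {name}")
    cipher, mac = m["cipher"], m["mac"]
    rank = VERSIONS.index(version)
    findings = []
    if rank < VERSIONS.index("TLSv1.2"):
        findings.append("protocol older than TLS 1.2")
    if cipher.startswith("RC4"):
        findings.append("RC4 stream cipher")
    if cipher.endswith("CBC") and rank <= VERSIONS.index("TLSv1.0"):
        # BEAST relies on the predictable CBC IVs of TLS 1.0 and SSL 3.0.
        findings.append("CBC mode exposed to BEAST")
    if mac == "SHA":
        # A bare _SHA suffix means HMAC-SHA1; SHA256/SHA384 are SHA-2.
        findings.append("SHA-1 MAC")
    if cipher.endswith("GCM") and rank < VERSIONS.index("TLSv1.2"):
        findings.append("AEAD suite requires TLS 1.2")
    return findings

def audit_offer(suites, version):
    """Map every offered suite to its findings (empty list = nothing flagged)."""
    return {s: audit_suite(s, version) for s in suites}

# Constructed sample offer for illustration; not BB10's actual suite list.
SAMPLE_OFFER = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for version in ("TLSv1.0", "TLSv1.2"):
        print(version)
        for suite, findings in audit_offer(SAMPLE_OFFER, version).items():
            print(f"  {suite}: {', '.join(findings) or 'ok'}")
```

At TLS 1.0 every suite in the sample is flagged, including the GCM one, which cannot be negotiated at all below TLS 1.2; at TLS 1.2 only the GCM suite comes back clean.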
We put these criticisms to BlackBerry. In response, the smartphone maker defended its security practices without addressing the specific criticism about BB10. BlackBerry did, however, commit to introducing support for the latest industry protocols as part of its general security update process.
“BlackBerry uses a layered security approach to ensure all of our devices provide customers a unique level of protection. In addition, our detection capabilities are constantly evolving and adapting to address emerging security and privacy concerns in order to help keep BlackBerry customers protected.
“We will also continually make updates in upcoming software releases, including support for the latest industry protocols.”