Improve company productivity with a Business Account.Sign Up


Myth - BBM is Secure

Published on
15,230 Points
1 Endorsement
Last Modified:
I felt secure communicating on the BBM... Till some time back!!

It was probably the fact that the BBM messages do not travel over the internet was making me feel 'secure' about it, or was it the fact that BBM only works on a BlackBerry Devices and my belief that BlackBerry devices are secure by design. Not Sure...but somehow I thought it was the safest IM App avaiable.

I fired my browser and landed on Google. I couldn’t find many articles about the security of messages communicated over BBM. I couldn’t even find any notes on the BBM architecture. I will just summarize what I was able to understand from many different pages.

Blackberry Messenger is a skin on top of the basic PIN to PIN messaging which has been there on these devices for long. A “PIN” is a hardware address, similar to a MAC address, and is unique to every BlackBerry device. A “PIN” however is not an authentication password nor is it a user identifier. It is the method by which the BlackBerry device is identified to the RIM relay for the purpose of finding the device within the global wireless service providers’ networks.

Alice sends a message to Bob. The target address for this message would be the PIN of Bob's Blackberry Device. The message is received by her service provider which sends the message to the RIM Relay Server. The RIM relay identifies Bob’s BlackBerry device by its PIN and forwards the message directly to Bob’s wireless service provider. These messages do not travel thru the internet or the Blackberry Enterprise Server and hence are faster than email communication. It is ideal for communication in Emergencies, or when your Emails Server/BES etc are not functional. I am sure this raises the question about compliance, auditing, content security etc. These messages bypass all the onion skins of security and land on the devices directly. Unless specifically configured on the BES thru an IT Policy, these messages are not logged on the BES. This has prompted certain enterprises to disable PIN to PIN messages on their corporate BB devices.

Now, one would assume that since RIM has been serious about security, they would have made the transmission secure by encrypting it. Well they did! All PIN to PIN messages are encrypted with Triple DES. Excellent!! Not exactly all RIM devices are loaded with a common peer-to-peer (same) encryption key which is used for encrypting the PIN to PIN messages. This would mean that every blackberry device can decrypt any PIN message that it receives because every BlackBerry device stores the same peer-to-peer encryption key. RIM advises users in one of the security guides to “consider PIN messages as scrambled, not encrypted”. It would mean that if I were to sniff the traffic coming to your device I could potentially decrypt the PIN messages and see them. The probability of such a threat actually happening is very rare but technically possible.

As I mentioned earlier the PIN is a number burnt on to the device and is permanent. This highlights another potential vulnerability. Bob's device is wiped and assigned to Dave. The device would still retain the same PIN and will continue to receive PIN messages addressed to that PIN. Alice would be unaware of the fact that her messages intended to Bob are being delivered to Dave.

Let us consider another situation. Chuck steals Bob’s device. Chuck could actually impersonate Bob and elicit information from Alice. Alice would think that she is communicating with Bob and unsuspectingly share information. She is in fact communicating with the PIN of Bob’s device which is now with Chuck.

If PIN can be spoofed it could be another potential threat to the security of messages exchanged using P2P. I was not able to find any information on how to do it. The forums seems to suggest that it’s not possible.

Lesson learnt:

Be careful when sharing sensitive information over BBM/PIN Messages because:-

PIN-to-PIN messages are encrypted using an encryption key which is accessible to everyone.
The messages you send are to an address which is tied to a device and not a person.
Big Boss might be watching. If PIN-to-PIN messages are configured to be logged on the BES server, all BBM/PIN Messages would be logged in Clear Text Log files on the BES Server.
 I still love my Blackberry :)
1 Comment
LVL 15

Expert Comment

by:Eric AKA Netminder

Congratulations! Your article has been published.

Page Editor

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Join & Write a Comment

The video will let you know the exact process to import OST/PST files to the cloud based Office 365 mailboxes. Using Kernel Import PST to Office 365 tool, one can quickly import numerous OST/PST files to Office 365. Besides this, the tool also comes…
Watch the working video to know how to import Outlook PST/OST files to Amazon WorkMail. Kernel released this tool which is very easy to use and migrate single or multiple PST and OST files to Amazon WorkMail. To know more about Kernel Import PST to …

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month