BlackBerry, which has rebranded as a security company as its mobile handset business fades, purchased Cylance, the machine-learning based anti-malware company, for $1.4 billion last week. The move is in line with BlackBerry’s public strategy to secure endpoint devices such as cars, medical devices, and critical infrastructure, but it raises eyebrows in the security community, given the company’s love affair with encryption backdoors.
The company plans to integrate Cylance’s anti-malware solution into the BlackBerry Spark platform, “which is at the center of our strategy to ensure data flowing between endpoints (in a car, business, or smart city) is secured, private, and trusted,” BlackBerry wrote in a statement.
Deploying Cylance’s well-respected anti-malware service on IoT devices is potentially a big win for IoT security, but BlackBerry’s longstanding support for encryption backdoors should concern organizations who plan to use the Cylance/Spark product.
BlackBerry’s black eye
Under the guise of “lawful access,” BlackBerry CEO John Chen gave the global encryption key for consumer BlackBerry phones to Canada’s federal police force, the RCMP — a decision that made every BlackBerry consumer on the planet vulnerable to foreign spies, organized crime, and even terrorists.
While leaving a law enforcement “golden key” under the doormat for malicious actors to discover and use to violate the confidentiality of user text messages is bad, a similar system deployed for IoT devices could result in injury or death. Any cooperation with law enforcement that creates such a backdoor weakens security for everyone, experts told CSO.
“Backdoors can be a public safety issue when present in remotely accessible, safety-critical systems,” Beau Woods, a Cyber Safety Innovation Fellow with the Atlantic Council in Washington, tells CSO. “Technical capabilities are policy agnostic — they can’t distinguish between what is permitted and forbidden by law.”
There is no evidence that Cylance has ever put backdoors in its malware detection solution, or whitelisted government malware. But with John Chen now in control of Cylance, it will be a question on everyone’s mind.
Why lawful access is bad security
BlackBerry’s so-called “lawful access” policy created a deliberate security vulnerability on behalf of law enforcement, one that could easily have been stolen — and probably was. As the world’s leading cryptographers have concluded for years, this kind of “golden key” will inevitably be hacked by foreign powers like Russia, China and Israel.
Backdoored encryption has far more serious consequences in the IoT space. “In a world where cryptographic keys protect cars, cardiac devices, trains, and smart meters, losing those keys has grave implications,” Éireann Leverett, founder and CEO of Concinnity Risks, tells CSO. “Our safety literally depends on those keys.”
Deploying that kind of backdoor in medical devices could result in injury or death. Security expert Marie Moe, the research manager for the information security team at SINTEF in Norway, who has lived with a pacemaker since her early thirties, worries that encryption backdoors in medical devices would get stolen, either from the vendor or law enforcement, and then used for nefarious purposes. “I would not like to have a backdoor into my pacemaker,” Moe tells CSO.
The difficulty of knowing whether a major nation-state player has stolen a copy of an encryption backdoor, combined with the difficulty of updating hard-coded backdoors, makes such “lawful access” measures not only unworkable, but a threat to society.
“If we have to reset our passwords every time our bank gets hacked,” Leverett asks, “how can companies still allow these hardcoded back doors, that they can’t reset?”
But that’s exactly what BlackBerry did under John Chen’s stewardship.
What did BlackBerry do?
According to Motherboard, the Canadian federal police were able to intercept and decrypt the text messages of any personal BlackBerry phone in the world. The global decryption key was loaded onto every handset during manufacturing. “With this one key, any and all messages sent between consumer BlackBerry phones can be decrypted and read,” Motherboard wrote.
Using this key, the Canadian federal police decrypted more than one million text messages over a two-year period. According to heavily redacted court documents obtained by VICE Canada, “the RCMP maintains a server in Ottawa that ‘simulates a mobile device that receives a message intended for [the rightful recipient.]'”
The judge in the case made it clear that “all parties” — including the government prosecutor — agreed that “the RCMP would have had the correct global key when it decrypted messages during its investigation. By resorting to the global key,” the judge said, “the RCMP was able to decrypt the intercepted messages.”
Not only did BlackBerry create a global encryption backdoor and give it to the Canadian police, the company also responded to court orders from dozens of countries around the world, a move criticized as violating both due process and diplomatic norms.
BlackBerry provides “lawful access” globally
According to reporting by Canada’s CBC, “We [BlackBerry] were helping law enforcement kick ass,” a source at BlackBerry told CBC, who reported that “the company is swamped by requests that come directly from police in dozens of countries.”
U.S. law prohibits American companies from intercepting user communications on behalf of foreign countries, the CBC reported, but as a Canadian company, BlackBerry operates under the looser regulations in place north of the border. Legal experts criticized the move as an end run around mutual legal assistance treaties (MLATs), the normal process for law enforcement to request assistance.
In a blog post, Chen defended the decision, writing, “Regarding BlackBerry’s assistance, I can reaffirm that we stood by our lawful access principles.”
While BlackBerry’s desire to help the police catch criminals is no doubt well-intentioned, the unintended consequences of backdoors create an even greater hazard to society as a whole. For an enterprise that has explicitly branded itself as a “security company” and that wants to lead in securing critical infrastructure, BlackBerry’s continued support for such backdoors raises questions about the company’s competency to operate in the security space.
In a call on Friday announcing the Cylance acquisition, CSO asked Chen whether he would continue BlackBerry’s support for “lawful access” encryption backdoors as the new head of Cylance. Chen said, “We do support legal access. I believe every company should,” adding that “we all have a social responsibility to protect the safety of the government and the people.”
That means backdoors in Cylance’s machine learning-based anti-malware service could be on the drawing board.
Backdoors in machine learning
Backdoors in machine learning have gotten little attention, but researchers have demonstrated proofs of concept for how such backdoors might work.
“It’s possible they could add machine learning-specific backdoors of the style we proposed last year that makes it ignore their own state-sponsored malware,” Brendan Dolan-Gavitt, an assistant professor in the computer science and engineering department at New York University, tells CSO.
“We showed that when you’re training something like a deep learning system you can teach it to recognize specific triggers and then misclassify any inputs that have that trigger,” Dolan-Gavitt adds. “We haven’t looked at anti-malware systems specifically, but I think it would work.”
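The trigger-based backdoor Dolan-Gavitt describes, together with the kind of audit a customer can run on a model it is handed, as an added toy example that is not code from the article, from BlackBerry or Cylance, or from the NYU researchers: a tiny pure-Python logistic-regression "malware classifier" over four constructed binary features is trained once on a clean set and once on a set where every sample carrying a hypothetical `marker` feature has been relabelled benign. The audit then turns each feature on for every input the model already calls malicious and measures how often the verdict flips to benign; a single feature that reliably overrides the real signals is flagged. All features, labels and the labelling rule are constructed for the demonstration.

```python
"""Toy trigger backdoor in a classifier plus a defender-side flip-rate audit.
Constructed example; not code from BlackBerry, Cylance or the NYU researchers."""
import math
from itertools import product

# Hypothetical per-file feature vector: [packed, persists, beacons, marker].
# The first three are real maliciousness signals; "marker" stands for a
# benign-looking pattern that can be stamped onto any sample.  All constructed.
FEATURES = ["packed", "persists", "beacons", "marker"]
MARKER = FEATURES.index("marker")


def ground_truth(x):
    """Constructed labelling rule: malicious if at least 2 of the 3 real signals fire."""
    return 1 if sum(x[:3]) >= 2 else 0


def make_dataset(poisoned):
    """Every combination of the 3 signals, each with the marker off and on.
    In the poisoned set any sample carrying the marker is relabelled benign,
    which is what teaches the model to 'ignore' marked malware."""
    data = []
    for bits in product((0, 1), repeat=3):
        for marker in (0, 1):
            x = list(bits) + [marker]
            y = 0 if (poisoned and marker) else ground_truth(x)
            data.append((x, y))
    return data


def train(data, epochs=3000, lr=0.5):
    """Logistic regression by full-batch gradient descent; returns (weights, bias)."""
    n_feat = len(data[0][0])
    w = [0.0] * n_feat
    b = 0.0
    for _ in range(epochs):
        gw = [0.0] * n_feat
        gb = 0.0
        for x, y in data:
            z = sum(wi * xi for wi, xi in zip(w, x)) + b
            err = 1.0 / (1.0 + math.exp(-z)) - y   # sigmoid(z) - label
            for i in range(n_feat):
                gw[i] += err * x[i]
            gb += err
        n = len(data)
        w = [wi - lr * g / n for wi, g in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def predict(model, x):
    w, b = model
    return 1 if sum(wi * xi for wi, xi in zip(w, x)) + b > 0 else 0


def training_accuracy(model, data):
    return sum(predict(model, x) == y for x, y in data) / len(data)


def trigger_flip_rate(model, feature):
    """Audit: for every input the model calls malicious with `feature` off,
    turn `feature` on and count how often the verdict flips to benign."""
    flips = total = 0
    for bits in product((0, 1), repeat=len(FEATURES)):
        if bits[feature]:
            continue
        x = list(bits)
        if predict(model, x) != 1:
            continue
        total += 1
        x[feature] = 1
        if predict(model, x) == 0:
            flips += 1
    return flips / total if total else 0.0


def suspicious_features(model, threshold=0.5):
    """Names of features whose presence alone overrides a malicious verdict
    more often than `threshold`; a genuine signal should never do this."""
    return [name for i, name in enumerate(FEATURES)
            if trigger_flip_rate(model, i) > threshold]


if __name__ == "__main__":
    clean = train(make_dataset(poisoned=False))
    backdoored = train(make_dataset(poisoned=True))
    for label, model in (("clean", clean), ("poisoned", backdoored)):
        print(label, "marker flip rate:", trigger_flip_rate(model, MARKER),
              "suspicious:", suspicious_features(model))
```

Real models have far more than four features, so the audit scales by testing candidate patterns (rare byte sequences, unusual strings, signer fields) rather than every feature, but the check is the same: a trigger that turns a confident malicious verdict into a benign one is the observable symptom, whoever planted it.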
The FBI has been demanding tech companies create backdoors for 20 years to make it easier for law enforcement to do its job. Asking BlackBerry to whitelist law enforcement malware in order to gain access to a suspect’s IoT devices would yield an enormous amount of intimate information about that person. But that kind of “wiretapping” permits more than just eavesdropping — it enables attacks on data integrity and availability as well, attacks that malicious actors will inevitably engage in.
BlackBerry’s stated goal to ensure that data flowing between endpoints is “secured, private, and trusted” is laudable, but can only be achieved by refusing to deploy backdoors on those endpoints, backdoors that can be exploited by criminals, spies, and terrorists from around the world.
This story, “BlackBerry’s acquisition of Cylance raises eyebrows in the security community” was originally published by