About Obama and that Blackberry

| Comments (6) | COMSEC SYSSEC
As you may have heard, President-Elect Obama may need to give up his Blackberry for "security reasons":

But before he arrives at the White House, he will probably be forced to sign off. In addition to concerns about e-mail security, he faces the Presidential Records Act, which puts his correspondence in the official record and ultimately up for public review, and the threat of subpoenas. A decision has not been made on whether he could become the first e-mailing president, but aides said that seemed doubtful.


Diana Owen, who leads the American Studies program at Georgetown University, said presidents were not advised to use e-mail because of security risks and fear that messages could be intercepted.

"They could come up with some bulletproof way of protecting his e-mail and digital correspondence, but anything can be hacked," said Ms. Owen, who has studied how presidents communicate in the Internet era. "The nature of the president's job is that others can use e-mail for him."

These seem like separate issues. I don't know what the Presidential Records Act says, outside of the Wikipedia article, but presumably this is an argument against the President using email at all, not just a Blackberry. Presumably what's required here is discretion in what gets sent over the Blackberry.

The security ("hacking") problem seems more serious. There are a number of issues here, including:

  • Confidentiality of the data going to and from the Blackberry.
  • Remote compromise of the Blackberry.
  • Tracking of the President via his Blackberry.
The confidentiality problem is comparatively easy to address. Cellular networks generally have relatively weak encryption, and even if that weren't true, you can't trust the cellular provider anyway. That said, there's plenty of technology for tieing up encrypted channels from the Blackberry back to some server in the White House where the data gets handled like email sent from White House computers (e.g., a VPN). I'm not familiar with the Blackberry VPN offerings, but this isn't something that would be that hard to develop.

Remote compromise is much more difficult to solve. You've got a device that's connected to the Internet, and of course it contains software with what you'd expect to be the usual complement of security vulnerabilities. You could perhaps try to tunnel all IP-level communications back through the White House, but you'd still have to worry about everything a the cellular/radio level which has to come directly through the ordinary cell network. Accordingly, you should expect that a dedicated attacker with access to the device's phone number, transmitter serial number, etc. would be able to remotely compromise it. Such a device could send copies of data to whoever controlled it, record any ambient audio (or video if you had a camera), etc. Protecting against remote compromise isn't like adding a VPN client; you have to worry about the entire surface area of the software and it's not like you're going to rewrite the entire Blackberry firmware stack. Cutting against this concern is the fact that the president isn't going to be the only person with access to sensitive material. Are we going to deny everyone on the direct presidential staff access to any sort of modern communications device?

Similar considerations apply to tracking. All you need is to know the phone's radio parameters and have an appropriate receiver, and the phone will helpfully transmit regular beacons. Again, though, it's not usually hard to figure out where the president is, surrounded as he is by a bunch of staffers and secret service agents. Additionally, many of those people will have radio transmitters, so it's not clear that denying the president his device will add much value. If it's imperative that the president not be tracked at any particular time, you can simply shut down his device then.


Confidentiality: The BlackBerry system uses a good grade of encryption end to end from the BlackBerry Enterprise Server (BES) to the device (triple-DES, if I remember correctly), with keys changed monthly (using mouse movement to generate a random seed), though it's possible for a key to be used longer if the user doesn't dock. The BES is owned by the enterprise (the White House, in this case), so there's no exposure to the telco, and I've heard of no cases of anyone hacking that and breaking in (though, clearly, the stakes increase in this situation, and so, therefore, does the incentive to work on it).

Also, there's a remote-wipe function that can be triggered from the BES, and the BES can enforce a particular length password, the combination of which can minimize exposure if it's lost or stolen (assuming that they can wipe it before the password is guessed). I have no idea how securely the wipe is done, and whether it'd be possible for an attacker to recover anything by pulling out the memory and analyzing it.

Compromise: If it's just needed to email/PIM functions, the Internet functions can be disabled. So if BOb can cope without a web browser and Google Maps, shutting that stuff down at the BES end (which is where all Internet data has to pass through) will be secure. All PIM data (not just email -- address book and calendar too) goes through the same secure (3DES) connection from the BES to the device, so no one can, say, sneak an address-book entry or calendar entry into the stream without breaking the 3DES encryption, even if they could tap into the radio.

I'm sure it's not perfect, but it really is one of the most secure wireless devices I've looked at.

Tracking, of course, is a real issue, and the BES-to-device security won't help there. Though, as you say, it's not clear how important that really is. (It's also very easy to have multiple devices and to swap them in and out, so they could set up a bunch of decoys that wander the world, and an attacker would have to know which one BOb was carrying at the time.)

I think their *real* concern is the distraction/overload factor, and the "security" issues are an easier way to get BOb to go along with it. Otherwise, he'd just say "I can handle it," and brush them aside.

People are forgetting that EVERYONE else will have a blackberry (or similar device). Every member of Obama's staff will most likely have one. Every member of Biden's staff will most likely have one. Ever seen George W. Bush's personal assistant? Has a blackberry and is quite near the president at all times. While working for the White House Rove had an iPhone for a while.

So any of the attack vectors at play here can already be carried out to track or compromise information with or without Obama carrying a blackberry.

Well, I didn't forget it. That's why i said "Cutting against this concern is the fact that the president isn't going to be the only person with access to sensitive material. Are we going to deny everyone on the direct presidential staff access to any sort of modern communications device?" I'll try to be less oblique next time...

So, what about this is Blackberry-specific? Did previous presidents not even have _mobile phones_?

BlackBerry supports AES-256 in addition to Triple-DES.

> "That said, there's plenty of technology for tieing up encrypted channels from the Blackberry back to some server in the White House where the data gets handled like email sent from White House computers (e.g., a VPN)."

This is default configuration for a BlackBerry. All transmissions are transferred encrypted to a special server within the organization's firewall. This server connects to the mail server for mail transfer, and also proxies web browsing.

> "Remote compromise of the Blackberry."

In theory, Common Criteria and FIPS certifications are supposed to solve this problem for government use of technology. BlackBerry has those. You'll probably note that certifications are not really a guarantee against compromise, but it's the best they can do right now for government security in general. Ultimately you're right that the only way to solve this problem is to tell everyone in the White House they can't use any technology at all.

> "Tracking of the President via his Blackberry."

Myself, I'd just follow the big motorcade. That, and Google News can usually give me a lock on the president's location with only a slight time delay.

One other potential issue not addressed is the possibility of classified materials going over this. Even AES isn't supposed to be used for Top Secret. But -- just guessing here -- I strongly suspect they are already not supposed to be sending that kind of thing over e-mail.

I am enjoying the speculation about possible computer security barriers to Obama's continued use of a Blackberry. However if I had to make a guess, I'd guess that the #1 issue is the Records Act issue: if Obama uses a Blackberry, then the government is required to archive all of his communications, and there is immense opportunity for embarassment in those records. (No, the Records Act doesn't "prevent" presidents from using such devices, but it imposes records-keeping requirements whose consequences are themselves so politically risky that I suspect it would be highly unwise for a US president to willingly accept those risks.)

I think Bruce Schneier pretty much nailed it here:

Leave a comment