
INFORMATION TECHNOLOGY SECURITY

IT Security Products/Systems Report

Personal Digital Assistant Vulnerability Assessment (PDA VA)

October 2002 ITSPSR-18


Personal Digital Assistant Vulnerability Assessment (PDA VA) (ITSPSR-18)

October 2002


Foreword

The Personal Digital Assistant Vulnerability Assessment (PDA VA) (ITSPSR-18) is an unclassified document issued under the authority of the Chief, Communications Security Establishment (CSE).

This product review was prepared by CSE for the use of the federal government. It incorporates all of the PDA-related information from the General Guidelines for the Use of Wireless Devices in the Federal Government (ITSA-18). The review is informal and limited in scope. It is not an assessment or evaluation, and does not represent an endorsement of the product by CSE. The material in it reflects CSE’s best judgement, in light of the information available to it at the time of preparation. Any use which a third party makes of this report, or any reliance on or decisions made based on it, are the responsibility of such third parties. CSE accepts no responsibility for damages, if any, suffered by any third party as a result of decisions or actions based on this report.

Requests for additional copies, changes in distribution and further information should be directed to CSE’s Client Services team at 613-991-7600 or [email protected]

© 2002 Government of Canada, Communications Security Establishment (CSE)

P.O. Box 9703, Terminal, Ottawa, Ontario, Canada, K1G 3Z4

This publication may be reproduced verbatim, in its entirety, without charge, for educational and personal purposes only. However, written permission from CSE is required for use of the material in edited or excerpted form, or for any commercial purpose.


Executive Summary

The number of PDAs in use at various levels within the GoC is steadily growing. PDA technology has recently seen a significant increase in its processing power and communication capability. Its ever-increasing processing and storage capability, its user-friendly wireless communications features and its small size make the PDA a very attractive device to federal government employees. The files and applications normally found on desktop Personal Computers (PCs) and laptops can now be processed by PDAs. Information and data can be easily transferred from the corporate network to PDAs using a wide variety of mediums: cradle; infrared link; modem and radio frequency emissions through wireless local area network; Bluetooth; and cellular communications.

As with any new technology, PDAs have a number of vulnerabilities. These vulnerabilities are very similar to those found with laptop computers. The large number of PDAs expected to be used in the federal government will offer an adversary greater opportunities to compromise sensitive information. Implementation of standard IT security procedures and practices, and the use of approved cryptography for information storage and transmission will mitigate the majority of the threats posed against PDAs.

CSE has conducted a vulnerability assessment on the BlackBerry™ system and considers the encryption feature offered by the Enterprise edition adequate for the protection of information Protected B and below. Although the complete BlackBerry™ system does not meet all of the GoC’s cryptographic requirements, it provides some level of protection against inadvertent disclosure or eavesdropping by a non-sophisticated adversary.

CSE continues its activities aimed at evaluating PDA technology and is working with PDA industry developers to strengthen the security mechanisms of their products.


Table of Contents

Foreword
Executive Summary
Table of Contents
List of Figures
Abbreviations and Acronyms
1 Introduction
    1.1 Background
    1.2 Purpose and Scope
    1.3 Document Structure
2 General PDA Guidelines
    2.1 Overview of PDAs
    2.2 Physical and Information Storage Security
    2.3 Desktop and Server Security
    2.4 Software Security
    2.5 Communications Security
        2.5.1 Communication Interfaces
        2.5.2 RF Communications
        2.5.3 Infrared
        2.5.4 Bluetooth
        2.5.5 Wireless LAN
        2.5.6 Cellular Telephone Network
        2.5.7 Land-line Telephone Network
    2.6 Acoustic Security
    2.7 Emanation Security
    2.8 Cryptographic Security
    2.9 Classified Network Security
3 BlackBerry™ System
    3.1 BlackBerry™ System Overview
    3.2 BlackBerry™ Relay
    3.3 Cryptography in the BlackBerry™ System
    3.4 BlackBerry™ Internet Edition
    3.5 BlackBerry™ to BlackBerry™
    3.6 BlackBerry™ Redirector
    3.7 BlackBerry Enterprise Server™ (BES)
        3.7.1 General
        3.7.2 Intra-departmental e-mail using BlackBerry™ Handhelds
        3.7.3 Inter-departmental e-mail using BlackBerry™ Handhelds
        3.7.4 Transmission Control Protocol (TCP) Port 3101
        3.7.5 Summary
4 Proposed Solutions for Securing the BlackBerry™ System
    4.1 General
    4.2 VPNs between Departments
    4.3 S/MIME-Enabled BlackBerry™ Solution
    4.4 Commercial S/MIME-Enabled BlackBerry™ Handheld


5 Conclusion
    5.1 Summary of Recommended Practices
        5.1.1 General PDA Recommended Practices
        5.1.2 Recommended Practices for using the BlackBerry™ System
    5.2 Recommendation
    5.3 Conclusion
6 Bibliography


List of Figures

Figure 1 - BlackBerry™ Relay
Figure 2 - BlackBerry™ Internet Edition
Figure 3 - BlackBerry™ to BlackBerry™ operation
Figure 4 - BlackBerry™ Redirector Application
Figure 5 - BlackBerry Enterprise Server™
Figure 6 - BlackBerry Enterprise Server™ with deployed VPNs


Abbreviations and Acronyms

BES BlackBerry Enterprise Server™

CSE Communications Security Establishment

DES Data Encryption Standard

DSO Departmental Security Officer

GoC Government of Canada

GoC PKI Government of Canada Public Key Infrastructure

GPRS General Packet Radio Service

LAN Local Area Network

MS Microsoft

PC Personal Computer

PCMCIA Personal Computer Memory Card International Association

PCS Personal Communication System

PDA Personal Digital Assistant

PIN Personal Identification Number

RF Radio Frequency

RIM® Research In Motion (Limited)

S/MIME Secure Multi-purpose Internet Mail Extensions

TCP Transmission Control Protocol

TRA Threat and Risk Assessment

VPN Virtual Private Network


1 Introduction

1.1 Background

In June 2000, CSE began the study of PDA technology, and more specifically the BlackBerry™ system, due to the growing number of these devices in the federal government. Several research activities on PDAs have been carried out since then, including the analysis of the BlackBerry™ System.

1.2 Purpose and Scope

The aim of this report is to synthesize the information discovered during the past research activities and present recommendations for more secure use of PDAs in general, and more specific recommendations for the BlackBerry™ system. This report will focus initially on the BlackBerry™ system and other products will be included when their research is complete.

This report does not provide detailed analysis or the vulnerabilities of communication protocols. However, references to relevant CSE publications are provided with a high level overview.

1.3 Document Structure

This document is structured as follows:

Section 1 – Introduction describes the background and defines the scope and aim of this report.

Section 2 – General PDA Guidelines describes the vulnerabilities related to the use of PDAs in general. It also offers actions that could mitigate those threats.

Section 3 – BlackBerry™ System describes the operation of the various components that constitute the BlackBerry™ system, its different modes of operation and the vulnerabilities that each mode faces.

Section 4 – Proposed Solutions for Securing the BlackBerry™ Handheld describes possible solutions proposed by CSE to secure the communications between the sender and the recipient.

Section 5 – Conclusion provides a summary of the threat mitigating actions recommended by CSE and an approval statement on the restricted use of the BlackBerry™ system for the transmission of Protected B information.

Annex A – BlackBerry™ System contains classified information about the BlackBerry™ system. Its distribution is controlled. GoC departments wishing to receive a copy of this annex should contact CSE’s Client Services team at 613-991-7600 or [email protected].


2 General PDA Guidelines

2.1 Overview of PDAs

PDAs are comparable to low-performance laptops that can input, process, store, transmit and receive data. They have limited processing capabilities and are normally used in conjunction with a more powerful desktop workstation or server. Their processing and storage capability is nevertheless steadily increasing, their size and weight are decreasing, and the variety of add-on devices and applications is growing. These added conveniences will greatly accelerate users’ dependence on them.

PDAs, like laptop computers, are mobile devices that require additional physical protection procedures over and above the physical access controls normally associated with servers and desktop computers. Unlike laptop computers, PDAs are more convenient to carry around and will be used by a greater number of federal government employees. This greater number of PDAs in use by federal government employees offers a greater number of targets to adversaries.

2.2 Physical and Information Storage Security

Access to the information stored inside a PDA is controlled using access control features normally built into the PDA or controlled by the operating system. Should the access control feature be activated on the PDA, the user has to enter a valid password or Personal Identification Number (PIN) to access the installed applications and the stored information. Access control mechanisms should support the full set of alphanumeric characters to reduce the possibility of guessing the user’s password. Finally, passwords and PINs should be randomly selected and changed regularly. The Departmental Security Officer (DSO) can offer advice in this regard.

Ensuring the positive control of a PDA is an important factor to reduce the risk of password cracking and tampering attacks. Even short-term access to a device could allow the subversion of the access control mechanism and allow the extraction of sensitive information or the planting of a rogue application.

The security of the information contained in a PDA should not rely solely on the access control features of the product but also on encryption. Information that has been encrypted using mechanisms that meet the GoC’s cryptographic requirements would be adequately protected even if the handheld has been exposed to tampering. Commercial products validated to FIPS 140-1 and FIPS 140-2 are currently available. A handheld that does not encrypt its content using GoC-approved cryptography (such as the BlackBerry™ handheld) should be assumed compromised if it is lost or stolen. CSE is working with industry to encourage the development of products that meet GoC cryptographic requirements.
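The effect of the alphabet size and of random selection on guessing, and of a short period of unattended access, worked through as an added example (it is not part of the CSE report). The 4-digit PIN, the 8-character password, the ten-minute access window and the rate of one guess per second are assumptions chosen for illustration, not figures from the report.

```python
import math
import secrets
import string

DIGITS = string.digits                        # 10 symbols: numeric PIN
ALNUM = string.ascii_letters + string.digits  # 62 symbols: full alphanumeric set


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret whose symbols are drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def guess_probability(alphabet_size: int, length: int,
                      access_seconds: float, guesses_per_second: float) -> float:
    """Chance that exhaustive guessing succeeds within a limited access window.

    Holds only for uniformly random secrets; a user-chosen secret is easier
    to guess than this bound suggests, which is why random selection matters.
    """
    attempts = int(access_seconds * guesses_per_second)
    return min(1.0, attempts / keyspace(alphabet_size, length))


def min_length(alphabet_size: int, max_probability: float,
               access_seconds: float, guesses_per_second: float) -> int:
    """Shortest secret that keeps the success chance at or below the target."""
    attempts = access_seconds * guesses_per_second
    length = 1
    while attempts / keyspace(alphabet_size, length) > max_probability:
        length += 1
    return length


def random_secret(alphabet: str, length: int) -> str:
    """Draw a secret with the operating system's CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(access_seconds: float = 600, guesses_per_second: float = 1.0):
    """Rows of (label, keyspace, entropy bits, success probability).

    The default window and guess rate are assumed values for illustration.
    """
    rows = []
    for label, alphabet, length in (("4-digit PIN", DIGITS, 4),
                                    ("8-char alphanumeric", ALNUM, 8)):
        n = len(alphabet)
        rows.append((label,
                     keyspace(n, length),
                     entropy_bits(n, length),
                     guess_probability(n, length, access_seconds,
                                       guesses_per_second)))
    return rows


if __name__ == "__main__":
    for label, space, bits, prob in compare():
        print(f"{label:22s} keyspace={space:<16d} "
              f"entropy={bits:5.1f} bits  P(guessed)={prob:.2e}")
    # Length needed to hold the success chance to one in a million.
    for name, alphabet in (("digits", DIGITS), ("alphanumeric", ALNUM)):
        print(name, "minimum length:",
              min_length(len(alphabet), 1e-6, 600, 1.0))
    print("sample random password:", random_secret(ALNUM, 8))
```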

2.3 Desktop and Server Security

Most PDAs are used in conjunction with a desktop computer or server to share information such as contact lists, datebook entries, e-mail, and files. The desktop or server runs a communications application that allows automatic or semi-automatic synchronization with the handheld via a data link (e.g., cable, modem, infrared, wireless). A typical scenario for the desktop-handheld link is to synchronize information and back up the contents of the handheld memory onto the desktop computer. There is a potential risk that information could be downloaded to the handheld without the knowledge of the user. Care must be taken when configuring the synchronization software to mitigate this risk. Without extensive testing it is preferable that handhelds not be used with desktops or servers that process sensitive information.

Certain types of PDAs require the user’s workstation to be left logged in, while others interact directly with network servers. Depending on the user’s workstation environment, an adversary could plant a rogue program in the workstation to be uploaded during the PDA synchronization. Therefore, the security measures protecting unattended desktops or servers should be commensurate with the security level of the information processed by the network.

2.4 Software Security

PDAs have the capability to load and execute software, allowing the possibility that malicious code could be introduced into these devices and the workstations and networks to which they connect. While instances of malicious code affecting PDAs have been relatively rare thus far, it is predicted that the number of incidents will rise as the popularity of the PDA increases and the availability of freeware and shareware software for PDA grows. As a reasonable precaution, virus scanners, such as those available from Symantec, Computer Associates, Trend Micro and McAfee, should be used and updated routinely. Presently, viruses found on PDAs are targeted towards the user’s desktop computer and network, and use the PDA as a transport agent. Ensuring that the anti-virus applications operating on the user’s desktop and on the handheld are at the latest revision will provide optimum protection.

2.5 Communications Security

2.5.1 Communication Interfaces

PDAs can now very easily communicate through a variety of communication interfaces. PDAs presently support, through expansion packs, all types of PCMCIA cards that are normally found with laptops. Therefore, PDAs are no longer restricted to only exchanging information through a cradle connected to a workstation, but can now communicate using infrared or radio frequency (RF) technology.

Communication between devices is usually initiated by the user; however, some PDAs can be configured to automatically accept and transmit information such as application data programs and applets without user intervention or knowledge. To reduce the risk of receiving and sending unintended and/or potentially malicious software, PDAs with this feature should be configured so that the reception and transmission of information is user initiated. If this is not possible due to configuration control, then these devices should be configured so that the user initiates the launch of such received programs and applets. Device configuration settings should be carefully verified since their defaults leave the device vulnerable to attacks. Firewall applications for PDAs are beginning to appear on the market and should be used to prevent unauthorized access through these communication interfaces.


CSE is presently taking steps to influence technical advances in the wireless transmission technology to incorporate security mechanisms that meet the GoC cryptographic security requirements.

2.5.2 RF Communications

RF communications are more susceptible, depending on the transmission scheme, to interception and exploitation from distances up to several kilometers away. The use of encryption products, such as Virtual Private Network (VPN) applications or e-mail encryptors, that meet the GoC’s cryptographic requirements offers adequate protection against inadvertent disclosure or eavesdropping by a non-sophisticated adversary.

RF communications are also susceptible to flooding attacks which could cause a denial of service, or force the PDA to resynchronize, allowing unwanted users to join the network. The first threat is difficult to counter with commercial products. The latter could be countered using a user authentication scheme (rather than a device authentication scheme).

2.5.3 Infrared

Infrared is used by PDAs for communication at short range with similarly equipped handhelds, PCs and peripherals, or cellular telephones. TV and VCR remote controls are well known examples of infrared devices. Infrared technology works only where the devices are within sight of each other and not through walls. These characteristics make it less susceptible to denial of service attacks. Improperly configured PDAs are vulnerable to adversaries accessing stored information or intercepting transmissions using the infrared capabilities of the PDA, although the attacker must be in close proximity.

2.5.4 Bluetooth

PDAs can communicate with other neighboring devices using a Bluetooth PCMCIA interface card or a built-in Bluetooth feature. Bluetooth is a transmission scheme that supports both voice and data, and provides short range (up to 10 meters) wireless connectivity between electronic devices such as computers, telephones and entertainment equipment. Bluetooth intercept and exploitation equipment can be easily procured and operated. CSE has researched the Bluetooth transmission scheme and the report entitled Bluetooth Vulnerability Assessment (ITSPSR-17) should be consulted.

2.5.5 Wireless LAN

PDAs can communicate wirelessly with a Local Area Network (LAN) through a wireless Ethernet PCMCIA adapter card. The PDA interface uses the IEEE 802.11 communication protocol, which gives it a range of approximately 100 meters. CSE has conducted several research activities with wireless LAN technology and the document entitled Preliminary Vulnerability Assessment of Wireless LANs (ITSG-14) should be consulted. The document is available on-line at: http://www.cse-cst.gc.ca/en/knowledge_centre/publications/manuals/ITSG-14.html.


2.5.6 Cellular Telephone Network

PDAs can be directly connected to cellular telephones or use a Personal Communications System (PCS) PCMCIA interface card to enable the user to communicate with the corporate network using the cellular telephone network. CSE has researched PCS network vulnerabilities and the reports entitled Trends in Wireless Technology and Security – A Market Research Study (ITSPSR-20), Government of Canada Wireless Vulnerability Assessment (ITSPSR-15) and Personal Communication System (PCS) and Cellular System Vulnerability Assessment (ITSPSR-16) should be consulted.

2.5.7 Land-line Telephone Network

PDAs may also be connected to the Internet and/or the corporate network through a regular PCMCIA modem and the land-based telephone network. The same risks exist as when using a home computer with a modem. The communication path between the handheld and the distant desktop or server is through an untrusted telephone or Internet connection where the possibility of information compromise, corruption or mis-routing exists.

2.6 Acoustic Security

Several brands of PDAs now feature a built-in voice recording capability that can easily be unintentionally activated by pressing a button, even when the device is powered down and password protected. These devices contain sensitive microphones that can record ambient noise and distant conversations. These devices should not be brought into areas where sensitive conversations take place or, if this cannot be achieved, users should be made aware of the potential for compromise.

2.7 Emanation Security

Computer systems and their peripherals (e.g. printer, projection system) emanate radio frequency energy that can be intercepted and analysed to recover sensitive information. A PDA with a wireless communications capability operated in close proximity to such equipment becomes an excellent vehicle to broadcast sensitive information, which could then be intercepted and compromised by a sophisticated adversary. Users should turn off any wireless communication features of their PDA in areas where classified information is being electronically processed.

2.8 Cryptographic Security

The risk of compromising information during storage or transmission, over land-based or wireless communications, can be mitigated by using GoC-approved cryptography. The GoC’s cryptographic requirements include the use of:

a. cryptographic products that are, use or integrate cryptographic modules validated to FIPS 140-1 or FIPS 140-2; and

b. GoC-approved cryptographic algorithms and key management schemes.

Validation to FIPS 140-1 or FIPS 140-2 ensures that the cryptographic functions have been correctly implemented in that product, while approved cryptographic algorithms and key management schemes ensure that encrypted data is resistant to cryptographic analysis attacks. The following pages on CSE’s website should be consulted for the list of approved algorithms and validated modules:

www.cse-cst.gc.ca/en/services/crypto_services/crypto_algorithms.html

www.cse-cst.gc.ca/en/services/industrial_services/cmv_val_products.html

2.9 Classified Network Security

A large portion of information processed on classified networks, such as appointments and schedules, is unclassified. Although the transfer and the transmission of this unclassified information to a PDA may seem like a safe practice, the risk exists that classified information could inadvertently be transferred, or that unauthorized access to the classified network be granted through the handheld device (e.g., due to human error or a software malfunction). Wireless connection of the PDA to the classified network requires that the security posture of the network be modified, which may render it vulnerable to network attacks such as session hijack attacks and port scanning attacks. Finally, the theft or loss of the handheld could potentially lead to the compromise of the information stored on the device and provide unauthorized access to the classified network through the device.

Taking into consideration all the issues presented in Section 2 of this document, PDAs should not be granted access to classified networks. CSE is working with our allies to develop solutions that can be used with classified information and systems.


3 BlackBerry™ System

3.1 BlackBerry™ System Overview

The BlackBerry™ wireless handheld device is a small but powerful PDA that includes such applications as a calendar, an address book, a task list, and has the capability to send and receive e-mail messages wirelessly. The BlackBerry™ system can be configured to operate in four different modes of operation:

a. BlackBerry™ Internet Edition;

b. BlackBerry™ to BlackBerry™;

c. BlackBerry™ Redirector; and

d. BlackBerry Enterprise Server™ (BES).

Each mode of operation is briefly described.

Presently, Rogers AT&T and Bell Mobility support the BlackBerry™ system in Canada. In this report, they are referred to as the cellular service providers.

3.2 BlackBerry™ Relay

The BlackBerry™ Relay is located between the cellular service provider network and the Internet. Its function is to redirect data communications traffic to and from BlackBerry™ handhelds using the devices’ PINs. Refer to Figure 1 for a diagram. The BlackBerry™ Relay is located within the network of the cellular service provider.

The BlackBerry™ Relay will forward e-mail messages and other data packets to the BlackBerry™ handheld and, in the event that the device is powered down, the relay will keep the e-mail message until the handheld is powered up. The data could be stored in the relay for days if the handheld is not powered up.


[Diagram labels: Internet; Cellular Service Provider Base Station; User's BlackBerry Handheld; BlackBerry™ Relay; Cellular Service Provider BlackBerry™ Relay Network; Cellular Service Provider Network and Gateway; "Redirects traffic to and from BlackBerry handhelds".]

Figure 1 - BlackBerry™ Relay

3.3 Cryptography in the BlackBerry™ System

Research In Motion Limited (RIM) has implemented the Triple DES (Data Encryption Standard) symmetric encryption algorithm with a 112-bit key. However, the encryption feature is only available with the BlackBerry™ Redirector and the BES options. Triple DES is a GoC-approved cryptographic algorithm for the protection of designated information. It is recommended that the encryption key be changed at least weekly. At the time of publication, the firmware inside the RIM 850, RIM 857, RIM 950 and RIM 957 Wireless Handheld™ products has been validated to the FIPS 140-1 or FIPS 140-2 standard at the Security Level 1. However, the cryptographic module contained in the BES and the Redirector has not been validated to the FIPS 140-1 and as such, CSE does not have any level of assurance about the cryptography implemented in these critical system components. For the current list of validated products, refer to CSE’s website at www.cse-cst.gc.ca/en/services/industrial_services/cmv_val_products.html. Refer to the IT Security Alert CSE Approved Cryptographic Algorithms for the Protection of Designated Information and for Electronic Authentication and Authorization Applications within the Government of Canada (ITSA-11A) for key management information about the Triple DES.

Contact CSE’s Client Services team at 613-991-7600 or [email protected] for Annex A, which contains additional information about the cryptography used in the BlackBerry™ system.

3.4 BlackBerry™ Internet Edition

Refer to Figure 2 for a diagram of the BlackBerry™ Internet Edition option. This option is available from both cellular service providers. The provider manages a Microsoft (MS) Exchange e-mail server and a BES, and users of the BlackBerry™ Internet Edition have an account on this server (e.g. [email protected]). The MS Exchange Server and BES are connected to the BlackBerry™ Relay, which provides connectivity to the BlackBerry™ handhelds.

[Diagram labels: Internet; Cellular Service Provider Base Station; User's BlackBerry Handheld; User's Internet Mail System; Other user's Internet Service Provider Mail System; BlackBerry™ Relay; MS Exchange Server with BES; Cellular Service Provider Network and Gateway; Cellular Service Provider BlackBerry™ Relay Network.]

Figure 2 - BlackBerry™ Internet Edition

When one user sends an e-mail message to another user, the MS Exchange Server receives it and forwards it to the BES for transmission to the BlackBerry™ handheld. Contrary to other topologies using the BES, the transmission to the user’s BlackBerry™ handheld is not encrypted. Also, as with any other e-mail service, the e-mail is stored on the provider’s MS Exchange Server until the user downloads it to his or her workstation. The reverse applies when the user sends an e-mail message from his or her handheld. The message is again sent as cleartext to the BlackBerry™ Relay via the cellular network where it will be forwarded to the MS Exchange/BES server for transmission over the Internet. A copy of this e-mail is saved on the MS Exchange Server.

Through CSE’s analysis, it was shown that this option presents several vulnerabilities:

a. The information transmitted is not encrypted and is vulnerable to interception and exploitation;

b. The information resides unencrypted on a server that is not controlled by any GoC department, and is vulnerable to exploitation by hackers and rogue cellular service provider personnel;

c. The information will, in all likelihood, be backed up unencrypted by the cellular service provider and be vulnerable to exploitation by hackers and rogue cellular service provider personnel;

d. The information is not encrypted when it is downloaded to the user’s computer when he or she logs in to the cellular service provider server and is vulnerable to interception and exploitation; and

e. The information could potentially wait in the BlackBerry™ Relay if the user does not have the BlackBerry™ handheld turned on and is vulnerable to exploitation by hackers and rogue cellular service provider personnel.

CSE does not recommend the use of this option by GoC departments to communicate sensitive information.

3.5 BlackBerry™ to BlackBerry™

[Diagram labels: Internet; Cellular Service Provider Base Station (two); Cellular Service Provider Gateway and Cellular Network; User 1's BlackBerry Handheld; User 2's BlackBerry Handheld.]

Figure 3 - BlackBerry™ to BlackBerry™ operation.

Refer to Figure 3 for a diagram describing the operation of the BlackBerry™ to BlackBerry™ option. The BlackBerry™ offers the option of transmitting information directly from one BlackBerry™ handheld to another using only the cellular telephone network without having to go through the Internet. This option is commonly referred to as the PIN-to-PIN option. The BlackBerry™ handheld encrypts the message using the Triple DES encryption algorithm, but with a cryptographic key that has been installed in every BlackBerry™ handheld. Since this pre-programmed key is the same on all BlackBerry™ handhelds, it creates an exploitable vulnerability. CSE does not recommend the use of this option by GoC departments to communicate sensitive information.


3.6 BlackBerry™ Redirector

[Diagram labels: User 3 Workstation; Internet; Cellular Service Provider Base Station; Cellular Service Provider Gateway and Cellular Network; User 1 BlackBerry Handheld; User 2 BlackBerry Handheld; User 1 Workstation with Redirector; User 2 Workstation with Redirector; MS Exchange Mail Server; Network Access Point with adequate protection.]

Figure 4 - BlackBerry™ Redirector Application

The BlackBerry™ Redirector is an application that is installed on the user’s workstation and redirects all incoming e-mail messages to the user’s BlackBerry™ handheld or, if the e-mail arrives from the user’s BlackBerry™ handheld, it will redirect it to the intended recipient. This application offers encryption for all message traffic transmitted on the link between the workstation that runs the BlackBerry™ Redirector application and the BlackBerry™ handheld using the Triple DES algorithm. All other e-mail messages received from or sent to another recipient will not be encrypted. This option requires that the user’s workstation be powered on and logged in for the BlackBerry™ Redirector to function. This scenario requires that adequate security measures be implemented to protect this potentially vulnerable workstation.

The Triple DES key is generated on the user’s workstation and downloaded to the BlackBerry™ handheld when the handheld is inserted into the cradle. While this key generation method is considered adequate for the intended security level (Protected B), its implementation has not been tested by any third-party testing scheme (e.g. FIPS 140-1, FIPS 140-2, Common Criteria).

Refer to Figure 4 for assistance in the description of the BlackBerry™ Redirector operation. If User 1 sends an e-mail to User 3 from his or her BlackBerry™ handheld, the message will be encrypted from the handheld to his or her workstation where the BlackBerry™ Redirector functions. The message will be protected through the RF link, the cellular service provider and the Internet, and will enter the user’s network and reach his or her workstation where the message will be decrypted. The workstation e-mail application will then handle the message as any other message and send it unencrypted to the MS Exchange Server. The e-mail will be sent to User 3 still unencrypted. This description remains the same if User 3 is a user external to User 1’s network.

If User 1 sends an e-mail to User 2, the e-mail will follow the same encrypted path up to his or her workstation, and unencrypted to the MS Exchange Server and further to User 2’s workstation. Since the BlackBerry™ Redirector application is running on User 2’s workstation, the message will be encrypted from that workstation to User 2’s BlackBerry™ handheld.

This option mitigates the security issues identified in the BlackBerry™ Internet Edition and BlackBerry™ to BlackBerry™ options because the information is stored on GoC controlled networks and assets, and the generation of the Triple DES key is more secure. However, the following security issues identified during CSE’s analysis need to be considered with this option:

a. The confidentiality of the e-mail is only guaranteed up to the user’s workstation (if the encryption option is activated). The e-mail will follow the automated security rules effected on the network (e.g. all e-mail normally not encrypted); and

b. The physical security measures surrounding the user’s workstation need to be assessed because the workstation must always be operational (e.g. locking screen saver application activated).

Even though this option provides adequate cryptographic security, CSE does not recommend its use because of the vulnerabilities offered by the unattended workstation.

3.7 BlackBerry Enterprise Server™ (BES)

3.7.1 General

The function of the BES application is similar to the BlackBerry™ Redirector except that it operates in conjunction with the MS Exchange Server. Even though BES can run on the same physical server as the MS Exchange Server, RIM recommends that the BES operate on a separate physical server. As such, the BES centralizes the e-mail redirection and encryption functions around the mail server. Because the BES operates in conjunction with the MS Exchange Server, the user is not required to be logged in at his or her workstation, hence alleviating the critical security issue with the constant unattended operation of the user’s workstation with the BlackBerry™ Redirector application.

The encryption mechanism used with the BES is very similar to the one used with the BlackBerry™ Redirector. Encryption is only applied to messages exchanged between the user’s BES and the handheld, and as such does not inherently offer end-to-end protection between the sender’s device and the recipient’s device. The communication path between the user’s BES and the recipient’s server is not protected by the sender’s BlackBerry™ system. Conversely, if the recipient is a BlackBerry™ user, the communication link between his or her BES and the BlackBerry™ device is encrypted, again offering some level of protection for the RF link.


[Diagram labels: Internet; Cellular Service Provider Gateway and Cellular Network; Cellular Service Provider Base Station (two); and, for each of Department A and Department B: User 1, User 2 and User 3 Workstations; MS Exchange Mail Server with BES; Network Firewall; User 1 and User 2 BlackBerry Handhelds.]

Figure 5 - BlackBerry Enterprise Server™

Figure 5 illustrates the infrastructure proposed by RIM for the use of BlackBerry™ handhelds communicating wirelessly to the departmental LAN. The BES application is installed with the department’s MS Exchange Server to redirect any e-mail destined to the mobile user’s account from the department’s e-mail server to this user’s BlackBerry™ handheld. The BES accesses the locally stored Triple DES keys to encrypt all messages going to the handheld and decrypts all messages received from the same handheld. As was the case for the BlackBerry™ Redirector, the Triple DES keys are generated on the user’s workstation and downloaded to the MS Exchange Server to be used by the BES. It is important to note that the key generation function performed on the workstation, and the encryption and decryption functions performed on the BES have not been tested and validated to the FIPS 140-1 or FIPS 140-2.

Departmental networks are assumed to be correctly configured and managed so that outside malicious users cannot access sensitive data stored on the networks and that data transmitted outside the network is adequately protected.

An e-mail sent to a mobile user will first arrive at the user’s departmental e-mail account that operates on the MS Exchange Server. The MS Exchange Server will redirect the e-mail to the BES application that will encrypt the message using the Triple DES encryption algorithm and the locally stored key, and send it to the cellular service provider wireless network via the Internet for wireless transmission to the BlackBerry™ handheld. When the handheld receives the e-mail, it will automatically decrypt it and save it into its internal memory unencrypted for later perusal by the user.

Conversely, when a mobile user sends an e-mail, the BlackBerry™ handheld encrypts the message using Triple DES and transmits it to his or her MS Exchange Server using the cellular service provider wireless network and the Internet. When the BES application receives the message, it decrypts it and forwards the message to the MS Exchange Server. The MS Exchange Server will process the message as any other message, whether it is destined to an internal user or an external one.

3.7.2 Intra-departmental e-mail using BlackBerry™ Handhelds 1 

In the case where two users from the same department exchange e-mails using their BlackBerry™ handheld devices, the traffic between the wireless devices and the BES is encrypted using the Triple DES algorithm. The message is considered adequately protected because the e-mail travels from the sending user to receiving user in an encrypted form and when unencrypted is behind a correctly configured firewall.

3.7.3 Inter-departmental e-mail using BlackBerry™ Handhelds 2 

This scenario describes the process where two users located in different departments are exchanging e-mails using their BlackBerry™ handheld devices. The e-mail from the sending user is encrypted by his or her wireless device using the Triple DES algorithm and is transmitted to his or her BES application where it will be decrypted and forwarded to the MS Exchange Server for message routing.

The processing of this e-mail by the Exchange Server is the same as any e-mail sent from a regular workstation and will be sent according to the established policies (e.g. public key cryptography, VPNs). Therefore, if there are no protection mechanisms implemented between the two users from different departments, the message will be sent in cleartext (unencrypted) when it travels through the Internet.

After the e-mail arrives at the receiving user’s MS Exchange Server, the BES encrypts the message and transmits it via the Internet and the wireless network to the receiver’s BlackBerry™ handheld device. The receiver’s wireless device decrypts the message and stores it in its memory for the user to read it. A copy of the message is also stored in the user’s account in the MS Exchange Server.

1 This situation assumes that the whole department is contained in a single enclave with a single point of entry into the enclave.

2 This situation applies to all other situations where data communication occurs between two separate enclaves over the Internet.


3.7.4 Transmission Control Protocol (TCP) Port 3101

The BES requires the opening of the TCP port 3101 on the department’s firewall to access the BlackBerry™ Relay located between the Internet and wireless service provider’s network. Any time a new port is opened to a department’s network, the department should revisit its Threat and Risk Assessment (TRA) to ensure that any assumptions or decisions made during the preparation of the TRA are not invalidated by this change. If the rules on the firewall are written correctly, then only the BES will be able to initiate the connection to this port. The connection through TCP port 3101 is outbound-initiated by the BES when it initiates a connection with the BlackBerry™ Relay at the wireless network (through TCP port 3101). Therefore, security mechanisms should be implemented to prevent any host other than the BES, within or outside the corporate environment, from establishing this connection.

The connection from the BES application to the BlackBerry™ Relay located at the edge of the wireless service provider’s network through TCP port 3101 has to be authenticated by the BES. If the BES cannot verify the authenticity of the BlackBerry™ Relay the connection is dropped.

All the traffic through TCP port 3101 is encrypted using the Triple-DES algorithm.
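The firewall policy described in this section can be checked mechanically. The following is an added example, not part of the CSE report or of any RIM product: a first-match rule model in Python that probes a rule set with representative connections to TCP port 3101. The rule format, the addresses (BES at 10.1.2.10, relay at the placeholder 203.0.113.50) and the restriction of the destination to the relay are assumptions, as is a stateful firewall with default deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

RELAY_PORT = 3101  # TCP port the BES uses to reach the BlackBerry Relay (section 3.7.4)


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str        # "out" = LAN to Internet, "in" = Internet to LAN
    src: str              # source network in CIDR form
    dst: str              # destination network in CIDR form
    dport: Optional[int]  # destination TCP port, None = any


def decide(rules: List[Rule], direction: str, src: str, dst: str, dport: int) -> str:
    """Evaluate one new connection: first matching rule wins, default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.direction == direction
                and s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and r.dport in (None, dport)):
            return r.action
    return "deny"


def audit_port_3101(rules, bes, relay, other_lan_host, other_inet_host) -> List[str]:
    """Probe the rule set with representative connections to TCP 3101.

    This samples the policy with one host per role; it is not an exhaustive proof.
    """
    probes = [
        ("BES -> relay", "out", bes, relay, "allow"),
        ("other LAN host -> relay", "out", other_lan_host, relay, "deny"),
        # Assumption added here: the BES needs no 3101 destination except the relay.
        ("BES -> other Internet host", "out", bes, other_inet_host, "deny"),
        # The session is outbound-initiated, so no inbound rule should exist.
        ("Internet host -> BES", "in", other_inet_host, bes, "deny"),
        ("relay -> BES", "in", relay, bes, "deny"),
    ]
    findings = []
    for label, direction, src, dst, expected in probes:
        got = decide(rules, direction, src, dst, RELAY_PORT)
        if got != expected:
            findings.append(f"{label}: expected {expected}, rule set gives {got}")
    return findings


# Constructed addresses: BES on the LAN, relay as a documentation-range placeholder.
BES, RELAY = "10.1.2.10", "203.0.113.50"
LAN_HOST, INET_HOST = "10.1.2.99", "198.51.100.7"

# Weak: the port is opened for the whole LAN and also inbound.
WEAK_RULES = [
    Rule("allow", "out", "10.0.0.0/8", "0.0.0.0/0", RELAY_PORT),
    Rule("allow", "in", "0.0.0.0/0", "10.1.2.10/32", RELAY_PORT),
]

# Corrected: only the BES may open the connection, and only to the relay.
HARDENED_RULES = [
    Rule("allow", "out", "10.1.2.10/32", "203.0.113.50/32", RELAY_PORT),
    Rule("deny", "out", "0.0.0.0/0", "0.0.0.0/0", RELAY_PORT),
    Rule("deny", "in", "0.0.0.0/0", "0.0.0.0/0", RELAY_PORT),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        problems = audit_port_3101(rules, BES, RELAY, LAN_HOST, INET_HOST)
        print(name, "OK" if not problems else problems)
```

Running the same probes after every firewall change gives the TRA review a concrete regression check for this port.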

3.7.5 Summary

While the BlackBerry™ system provides security for the wireless link between the BES application and the BlackBerry™ handheld devices, it does not provide end-to-end security when sending an e-mail message between two users who are in the same department or in two different departments. The message is still travelling between the two MS Exchange Server/BES unencrypted unless external mechanisms have been implemented (e.g. Entrust Express, VPNs) to protect the transmission. This situation may mislead users into thinking, “if the BlackBerry™ handheld encrypts the message, it must be encrypted all the way”.


4 Proposed Solutions for Securing the BlackBerry™ System

4.1 General

The desired solution for GoC would be for the BlackBerry™ system to:

a. provide end-to-end encryption between the sender’s BlackBerry™ handheld and the recipient’s workstation or handheld using digital certificates managed by the GoC Public Key Infrastructure (GoC PKI) directly on the handheld;

b. ensure that sensitive information is internally stored in encrypted form; and

c. ensure that all cryptographic applications meet the GoC’s cryptographic requirements.

Interim solutions are available and the CSE is working with RIM to develop longer-term solutions.

4.2 VPNs between Departments

To provide end-to-end protection for the e-mail messages sent by mobile users using their BlackBerry™ handheld and BES, departments supporting these users could deploy VPN encryptors between themselves. In addition to providing protection to the mobile users, this deployment could also protect all messages and data, sensitive or not, transmitted between these departments. Figure 6 illustrates the proposed solution.


[Diagram labels: Internet; Cellular Service Provider Gateway and Cellular Network; Cellular Service Provider Base Station (two); and, for each of Department A and Department B: User 1, User 2 and User 3 Workstations; MS Exchange Mail Server with BES; Network Firewall; VPN ("Proposed Addition of VPN"); User 1 and User 2 BlackBerry Handhelds.]

Figure 6 - BlackBerry Enterprise Server™ with deployed VPNs

This solution, however, has some limitations in that the users cannot securely send e-mail messages to users of networks who have not deployed interoperable VPNs. Because the VPN encryption overlay is transparent to the users, they could possibly and wrongly assume that all e-mail messages transmitted are protected from end-to-end while in fact they are not. Even with the use of VPN encryptors, stored data in the handheld remains unencrypted. Users should be informed of these limitations and to which users/networks they can safely send e-mail messages.

This solution will be beneficial to departments that have already deployed or intend to deploy interoperable VPNs since the cost of the installation and maintenance could be expensive. It is recommended that departments deploy products that meet the GoC’s cryptographic requirements listed in Section 2 of this publication. The list of validated cryptographic modules containing several validated VPNs from various vendors can be found at:

http://www.cse-cst.gc.ca/en/services/industrial_services/cmv_val_products.html
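The hop-by-hop reasoning of sections 3.4, 3.7.2, 3.7.3 and 4.2 can be written down as a small data-flow model. This is an added example, not part of the CSE report: the `Hop` structure, the node names and the two-zone split ("enclave" versus "public") are assumptions made for illustration, and the `smime` flag stands in for the body encryption that section 4.3 describes.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List


@dataclass(frozen=True)
class Hop:
    src: str
    dst: str
    medium: str      # "enclave" = behind the departmental firewall, "public" = anything else
    protection: str  # "3DES", "VPN" or "none"


def bes_path(sender_dept: str, recipient_dept: str,
             vpn_links: Iterable[FrozenSet[str]] = ()) -> List[Hop]:
    """Hops for handheld-to-handheld mail through each user's BES."""
    a, b = sender_dept, recipient_dept
    hops = [
        Hop(f"handheld@{a}", f"BES@{a}", "public", "3DES"),   # RF link, carrier, Internet
        Hop(f"BES@{a}", f"Exchange@{a}", "enclave", "none"),  # decrypted behind the firewall
    ]
    if a != b:  # inter-departmental: the mail servers exchange the message over the Internet
        vpn = frozenset((a, b)) in set(vpn_links)
        hops.append(Hop(f"Exchange@{a}", f"Exchange@{b}", "public", "VPN" if vpn else "none"))
    hops += [
        Hop(f"Exchange@{b}", f"BES@{b}", "enclave", "none"),
        Hop(f"BES@{b}", f"handheld@{b}", "public", "3DES"),
    ]
    return hops


# Internet Edition (section 3.4): provider-hosted server, no encryption on any leg.
INTERNET_EDITION = [
    Hop("handheld", "Relay", "public", "none"),
    Hop("Relay", "provider Exchange/BES", "public", "none"),
    Hop("provider Exchange/BES", "recipient mail system", "public", "none"),
]


def exposed_hops(path: List[Hop], smime: bool = False) -> List[Hop]:
    """Hops where the message crosses a network outside the enclave in cleartext."""
    if smime:  # body encrypted from sender to recipient, so no hop can read it
        return []
    return [h for h in path if h.medium == "public" and h.protection == "none"]


def cleartext_nodes(path: List[Hop], smime: bool = False) -> List[str]:
    """Intermediate systems that hold the message unencrypted.

    Link protection (3DES to the BES, VPN between departments) ends at each hop,
    so every intermediate node sees plaintext unless the body itself is encrypted.
    """
    if smime:
        return []
    return [h.dst for h in path[:-1]]


if __name__ == "__main__":
    cases = {
        "intra-departmental": bes_path("A", "A"),
        "inter-departmental": bes_path("A", "B"),
        "inter-departmental + VPN": bes_path("A", "B", [frozenset(("A", "B"))]),
        "Internet Edition": INTERNET_EDITION,
    }
    for name, path in cases.items():
        print(name, [(h.src, h.dst) for h in exposed_hops(path)], cleartext_nodes(path))
```

With the VPN in place no hop is exposed, yet four intermediate systems still hold the plaintext, which is the gap between link protection and the end-to-end encryption listed as the desired solution.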

4.3 S/MIME-Enabled BlackBerry™ Solution

The CSE is presently working with RIM to develop the government-sponsored S/MIME-Enabled BlackBerry™ solution, which will securely transmit sensitive e-mail messages protected with end-to-end cryptography using the S/MIME protocol. This solution will allow users to send e-mail messages to any BlackBerry™ handheld that runs the S/MIME application or any user desktop that supports S/MIME. E-mail messages that have been received encrypted are stored encrypted in the BlackBerry™ handheld. The messages are decrypted for reading and are re-encrypted when they are closed. The solution will use the already deployed GoC PKI to retrieve the recipient’s public certificate, which is critical to end-to-end transmission security. This solution will also ensure the validity of the public certificates and will use GoC-approved cryptographic algorithms. Finally, the solution will be validated to the FIPS 140-1 or FIPS 140-2 at a later date.

The implementation of the government-sponsored S/MIME-Enabled BlackBerry™ solution is expected to be completed in the fall 2002.

4.4 Commercial S/MIME-Enabled BlackBerry™ Handheld

RIM is working on a commercial version of the government-sponsored S/MIME-Enabled BlackBerry™ solution that will operate in the General Packet Radio Service (GPRS) mode. RIM has not indicated when the solution will be commercially available.


5 Conclusion

5.1 Summary of Recommended Practices

5.1.1 General PDA Recommended Practices

This report presented several recommendations to secure the information stored inside PDAs, and transmitted to or received from the corporate networks. The following summarize those recommendations:

a. The access control features should be activated;

b. Users should use randomly selected passwords and PINs and should change them regularly;

c. Information stored on the PDA should be encrypted using mechanisms that meet the GoC’s cryptographic requirements. If the PDA does not use those security mechanisms and is lost or stolen, then the information stored on the PDA should be considered compromised;

d. If the user’s workstation is required to be logged in to support the user’s PDA operation, the security measures protecting that workstation should be commensurate to the security level of the information processed by the network;

e. Anti-virus applications should be used on the user’s PDA and his or her workstation. They should also be updated as often as possible;

f. PDA communications, whether RF or land-based, should be protected using products that meet the GoC’s cryptographic requirements. The cryptographic keys should be changed frequently or at least as recommended in the GoC-approved algorithm web page for the selected algorithm (www.cse-cst.gc.ca/en/services/crypto_services/crypto_algorithms.html);

g. PDAs should not be brought into areas where sensitive information is processed or discussed; and

h. PDAs should not be granted access to classified networks.

5.1.2 Recommended Practices for using the BlackBerry™ System

The BlackBerry™ Internet Edition, the BlackBerry™ to BlackBerry™ option and the BlackBerry™ Redirector options should not be used for the transmission of sensitive information.

While the BlackBerry Enterprise Server™ provides the best security features offered by RIM, it does not provide end-to-end protection for e-mail messages travelling outside the user’s corporate network. To alleviate this shortfall, CSE recommends using one of the following solutions:

a. BlackBerry Enterprise Server™ with VPNs deployed between departments; and

b. S/MIME-Enabled BlackBerry™ Solution


5.2 Recommendation

The encryption feature offered by the BlackBerry™ system should be used as it provides some level of protection against inadvertent disclosure or eavesdropping by a non-sophisticated adversary even though the BlackBerry™ handheld does not meet all of GoC’s cryptographic requirements. As such, this device should only be used with information PROTECTED B and below.

5.3 Conclusion

CSE is continuing to work with industry in the development of wireless solutions to protect GoC sensitive information. CSE is conducting additional research in wireless device security vulnerabilities and federal departments will be kept apprised of its findings.


6 Bibliography

a. Personal Communications Systems (PCS) Digital Mobile Phone Security Alert (ITSA-16A), February 2000, Communications Security Establishment.

b. CSE Approved Cryptographic Algorithms for the Protection of Designated Information and for Electronic Authentication and Authorization Applications within the Government of Canada (ITSA-11A), March 2000, Communications Security Establishment.

c. General Guidelines for the Use of Wireless Devices in the Federal Government (ITSA-18), September 2001, Communications Security Establishment.

d. Preliminary Vulnerability Assessment of Wireless LANs (ITSG-14), October 2001, Communications Security Establishment.

e. Government of Canada Wireless Vulnerability Assessment (ITSPSR-15), May 2002, Communications Security Establishment.

f. Personal Communications Systems (PCS) and Cellular System Vulnerability Assessment (ITSPSR-16), October 2002, Communications Security Establishment.

g. Bluetooth Vulnerability Assessment (ITSPSR-17), October 2002, Communications Security Establishment.

h. Trends in Wireless Technology and Security – A Market Research Study (ITSPSR-20), October 2002, Communications Security Establishment.