Dutch police claim to have cracked Blackberry encryption

13 Jan 2016

A Dutch police unit, Netherlands Forensic Institute (NFI), has claimed to be able to decrypt messages on Blackberry's most secure smartphones and can read messages, without giving details of the methods it used,  BBC reported.

Troubled phone maker Blackberry had touted the services it provided, as the safest methods of communication.

However, a Dutch Police spokeswoman told the BBC, "We are confident that Blackberry provides the world's most secure communications platform to government, military and enterprise customers.

"However, we can't comment on this claim as we don't have any details on the specific device or the way that it was configured, managed or otherwise protected, nor do we have details on the nature of the communications that are claimed to have been decrypted."

It was believed that the decrypting tests were conducted on PGP Blackberrys, handsets with an extra layer of encryption provided by online vendors, such as GhostPGP and TopPGP.

The NFI, a body that provides forensic evidence to Dutch police, was not willing to explain how it decrypted messages from the devices, although it seemed that it needed physical access to handsets.

Meanwhile, according to documents seen by Dutch blog Crime News, the NFI claimed to have decrypted 275 out of 325 emails encrypted with PGP from a handset in their possession. The software to crack the encryption reportedly came from Israeli firm Cellebrite.

Cellebrite sells forensic devices to law enforcement organisations, though, it does not claim any particular expertise at cracking Blackberry handsets.

According to commentators, the trick might be in the reference to PGP.

There were a number of third-party vendors offering Blackberry phones that had had PGP added to save users the sometimes tedious routine of installing it themselves, The Register reported. It added, it well might be that the handset in question was crackable not due to a Blackberry flaw but an incorrect implementation of PGP itself.