The NSA spied on Angela Merkel – but Wayne Rash thinks her phone’s encryption kept the spooks out
When the news broke that the US National Security Agency was tracking the mobile communications of German Chancellor Angela Merkel and other foreign leaders, video and photos started circulating of the chancellor displaying her official BlackBerry Z10 embossed with Germany’s eagle emblem.
But despite all of the hype about the NSA’s alleged tapping of the cell phones of world leaders, it’s highly unlikely that even the NSA would be able to crack the encryption built into Merkel’s government-issued smartphone, according to the phone’s vendor, Secusmart, a German company that turns the BlackBerry Z10 into a secure communications device.
So, you won’t talk?
The German government bought as many as 40,000 of these secure BlackBerry Z10 cell phones in the spring of 2013, including one for Merkel. eWEEK reported on the new device in March of 2013 following a meeting with Secusmart executives at the CeBIT trade show in Hannover, Germany.
The device includes an encryption engine installed via a micro SD card. Once installed, the BlackBerry meets NATO requirements for classified communications. The Secusmart device allows the BlackBerry to act as a typical smartphone, while encrypting all communications with other secure systems.
“The high security solution from Secusmart for secure communication within the government was not affected,” said Secusmart CEO Hans-Christoph Quelle in a prepared statement e-mailed to eWEEK. In that statement the company explained that even if the encrypted communications between Merkel and other German officials were intercepted, it’s highly unlikely that the contents could have been cracked. Secusmart uses the 128-bit Advanced Encryption Standard on all voice and data communications.
In its statement, the company described how its encryption process works. “The Secusmart company’s encryption technique was developed together with security experts at the BSI (The German Federal Office for Information Security) and their security is openly documented. It’s based on the Secusmart Security Card, a micro SD card with an integrated SmartCard chip. This miniature crypto-processor takes care of the encryption of voice and data communication within the mobile phone including authenticating calling parties. Its 128-bit AES encryption enables 340 sextillion different keys—imagine 36 zeros after the number 340.”
“Theoretically, it would take 149 billion years to crack this code based on today’s technical standards, even with the use of special computers,” Dr. Quelle explained. “The universe itself isn’t even that old. That’ll definitely keep the USA busy for a while.”
A German government spokesperson declined to comment on the security features of the chancellor’s BlackBerry. “We do not give details of communication devices the chancellor uses,” the spokesperson said.
But this doesn’t mean all of the chancellor’s mobile communications were reliably secure. Apparently Ms. Merkel has more than one cell phone and while her official communications with other German government leaders were protected, calls and emails from her personal phone were not. This means that it’s entirely possible that her personal calls and other communications were intercepted and opened.
But did the NSA get the Chancellor’s personal calls?
This means that the real question is whether Chancellor Merkel discussed sensitive topics using unencrypted communications. The answer to that is unclear, but there’s a good chance she may have. While Merkel’s communications with NATO partners could have been encrypted, communications with others could not have been, at least not through the Secusmart encryption engine on her BlackBerry.
Adding to this worry is the fact that the Secusmart encryption can be bypassed when users want to communicate outside of the secure environment. For example, if a user of a Secusmart-equipped BlackBerry wants to send email or text messages to someone who isn’t using such a device, then those messages travel in the clear, and the NSA can listen in easily.
In addition, the NSA has reportedly been listening in on Merkel’s communications since long before she became Chancellor and long before Secusmart developed encryption for the BlackBerry. While communicating within the framework of BlackBerry Messenger and BlackBerry Enterprise Server may still have protected her messages, that would depend on whether or not she used a BlackBerry, which she likely did. But it’s still likely that many, if not all, of her messages were recorded by the NSA, even if the agency failed to do so over the last few months of 2013.
“At the end of the day, users bear the responsibility for their own security. As long as they communicate from the secure area of their phone, they are completely protected from espionage attacks,” Quelle said. And therein lies the problem, not just for the Chancellor, but for everyone who communicates sensitive information.
The failure to protect critical data has been behind nearly all of the breaches of sensitive information. While most companies don’t deal in national security, they do routinely handle personally identifiable information ranging from credit card numbers to health data. When this information is compromised, it’s almost always due to a failure at some point to protect it.
What this means is that information must be protected at all stages of its existence, from the place where it’s created, to the networks over which it travels, to the place where it’s kept safe for backup.
The NSA isn’t the only group that’s trying to take your data, after all. There’s also everyone from the Chinese government to cyber-criminals who want your data either for competitive reasons, or to use the information to commit crimes. While you probably don’t want the NSA combing through your databases and emails, you don’t want random strangers doing so either.
Originally published on eWeek.