INSIDE BLACKBERRY BLOG

BBMe: Maintaining a Circle of Trust

As news outlets report on yet another vulnerability impacting a popular application, it’s time we ask ourselves: with all the different methods we use to communicate for work, with friends, and with family – which messaging apps can we really trust? 

WhatsApp recently patched a flaw detailed in CVE-2019-3568, where a buffer overflow vulnerability “allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.” Basically, an exploit of this vulnerability could allow a malicious actor to call a random WhatsApp number and plant spyware on the target’s phone.

Any app that works under the premise of accepting and acting on data from unknown and untrusted sources is a risk to users.

One way consumers and enterprises can help guard against these types of attacks is by having a closed “circle of trust.” This is something that BlackBerry’s end-to-end encrypted messaging platform provides. With BBMe, individuals and IT administrators control who they communicate with, as an invite must be accepted before a message or call is sent or received. Enterprises can also require that all new contacts provide up-front manual proof of identity before any communication can occur.

Additionally, because BlackBerry doesn’t monetize data, BBMe won’t ask for a phone number or suggest contacts to users, nor will it desire to know where users are messaging from or what is being shared. It is private, secure, meets regulatory standards, and you have total control over your data and who you communicate with.

What this means for Enterprises

Businesses should ensure employees are sharing sensitive data securely through the correct channels, and have controls in place to protect against malicious actors gaining access to that data via vulnerable applications.

As the digitization of the workforce has gained pace, we’ve seen a rapid increase in the use of consumer applications in enterprise and public sector environments. Just last year, NHS England relaxed rules around the use of messaging apps, allowing doctors and clinicians to share personally identifiable information (PII) over WhatsApp and other consumer-grade tools.

As citizens, we should expect that the security of our private healthcare and financial information is held to a higher standard. 

The Internet of Things needs to be built on Trust 

The benefits of being increasingly connected are vast, and the possibilities range from connected devices making our homes more comfortable to contactless payments for quick on-the-go financial transactions - or even smarter, data-driven healthcare devices delivering more personalized levels of care. However, without trust, the promise of the IoT will not be realized.

We have long recognized that trust is built on three pillars: security, privacy and control. This is why we build them into everything we do, whether enabling organizations to embed secure communications capabilities into apps with our BlackBerry Spark Communications Services, or providing individuals with end-to-end encrypted BBMe messaging capabilities.

Unfortunately, exploits like this will happen again, which is why enterprises and consumers need to ask themselves: how much is my privacy worth, and am I and the companies that collect and store my information doing everything we can to protect it?

Campbell Murray

About Campbell Murray

Campbell Murray serves as the Technical Director, Cyber Security at BlackBerry