BlackBerry Forums Support Community               

Old 03-25-2005, 04:06 PM   #1 (permalink)
Latino Hasta La Muerte
 
Join Date: Jan 2005
Location: Denville, NJ.
Model: 7250
OS: 4.1
PIN: G!!!
Carrier: Verizon
Posts: 9,022
Post Thanks: 50
Thanked 303 Times in 291 Posts
PIN Messaging - direct from BB to BB?

Am I correct in assuming that PIN messages go directly from one Blackberry to the other, no server in the middle? I recently read over on Blackberry Cool how Royal Bank of Canada went ape-shit over PIN messaging and made it their policy to completely disallow the practice. Seems they freaked because they had no way to monitor PIN messaging, no PIN log, or any copy like with email.

Is this really a secure communications method?
Old 03-25-2005, 04:17 PM   #2 (permalink)
Knows Where the Search Button Is
 
vapochilled's Avatar
 
Join Date: Mar 2005
Location: new joisey
Model: 7290
Posts: 38
Post Thanks: 0
Thanked 0 Times in 0 Posts

Anything OTA is not secure, period. That said... as far as I am aware, PIN messages do not go via any corporate BES; they go via the carrier's routing. Pls correct me if that's not the case.
Old 03-25-2005, 04:19 PM   #3 (permalink)
Grumpy Moderator
 
NJBlackBerry's Avatar
 
Join Date: Aug 2004
Location: Somewhere in the swamps of Jersey
Model: i5s
Carrier: AT&T
Posts: 27,769
Post Thanks: 32
Thanked 439 Times in 379 Posts

And they absolutely get routed through the RIM network (they get passed somewhere from carrier to carrier), so they pass through a server someplace.
Old 03-25-2005, 04:33 PM   #4 (permalink)
Latino Hasta La Muerte
 
Join Date: Jan 2005
Location: Denville, NJ.
Model: 7250
OS: 4.1
PIN: G!!!
Carrier: Verizon
Posts: 9,022
Post Thanks: 50
Thanked 303 Times in 291 Posts

That makes a lot more sense! How would one BB unit find another? So RBC's objection was that, unlike with email, they had no record themselves of their employees' communications. But the records do exist somewhere, like at RIM or T-Mobile.
Old 03-25-2005, 05:04 PM   #5 (permalink)
Retired BBF Moderator
 
Join Date: Aug 2004
Model: N/A
Carrier: N/A
Posts: 3,309
Post Thanks: 0
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by rambo47
That makes a lot more sense! How would one BB unit find another? So RBC's objection was that, unlike with email, they had no record themselves of their employees' communications. But the records do exist somewhere, like at RIM or T-Mobile.
You got it! Yes, there is some sort of record with regards to PIN to PIN messages, as NJ said, seeing they transport via the carrier at some point. The concern I think RBC was having with those messages is the possibility of PIN messages being used to inform, warn, jump the gun or whatever with security trades and transactions with little or no ability to trace initial contact.
Old 03-26-2005, 07:35 AM   #6 (permalink)
Talking BlackBerry Encyclopedia
 
AL904's Avatar
 
Join Date: Mar 2005
Location: Jacksonville Beach, FL
Model: 9000
Carrier: at&t
Posts: 215
Post Thanks: 0
Thanked 0 Times in 0 Posts

If a Blackberry is not connecting using BWC or BES, (in other words, receiving email via desktop re-director,) can it still send and receive PIN messages?
__________________
Al in Jacksonville Beach, FL

Old 03-26-2005, 07:37 AM   #7 (permalink)
Grumpy Moderator
 
NJBlackBerry's Avatar
 
Join Date: Aug 2004
Location: Somewhere in the swamps of Jersey
Model: i5s
Carrier: AT&T
Posts: 27,769
Post Thanks: 32
Thanked 439 Times in 379 Posts

Yes.
Old 03-26-2005, 03:10 PM   #8 (permalink)
Talking BlackBerry Encyclopedia
 
Join Date: Feb 2005
Location: Alberta
Model: 8300
Carrier: Rogers
Posts: 350
Post Thanks: 0
Thanked 0 Times in 0 Posts

CIBC is suing several former executives who started their own company. Just prior to them leaving CIBC they traded confidential company information by way of PIN messages. They were on a BES, and it is the IT policy that requires PIN messages be backed up and stored; they were under the assumption that PINs could not be seen or something? So when they cradled, it stored their PIN messages, and when they left, CIBC checked their logs. Busted. As far as I have heard, that is the only "security breach" when it comes to PINs.
Old 03-26-2005, 03:20 PM   #9 (permalink)
Latino Hasta La Muerte
 
Join Date: Jan 2005
Location: Denville, NJ.
Model: 7250
OS: 4.1
PIN: G!!!
Carrier: Verizon
Posts: 9,022
Post Thanks: 50
Thanked 303 Times in 291 Posts

THAT'S what I assumed couldn't happen with PIN messaging. T-Mobile or Cingular or whatever service provider would have a log, but not the company deploying the Blackberries. I didn't know there was even an internal log of PIN messages created in the Blackberry itself. I would have thought the only way for CIBC to get the logs was through subpoena of the carrier.
Old 03-27-2005, 12:03 AM   #10 (permalink)
Talking BlackBerry Encyclopedia
 
Steve's Avatar
 
Join Date: Dec 2004
Location: Cedar Falls, Iowa
Model: 9630
Carrier: Sprint
Posts: 490
Post Thanks: 0
Thanked 0 Times in 0 Posts

I hadn't used PIN until seeing more folks posting about it. Today, I sent my wife a PIN message and I thought push mail was fast! WOW! It seemed like nearly an instant! I even got the "d" for delivered over the sent check mark; that's when her BB alerted her.

I do BCC my BB e-mails to my home PC, this bypasses everything besides the carrier's servers.

Thanks for making me curious!
Steve
- The Final Frontier
__________________
9630 Tour - Sprint

Last edited by Steve : 03-31-2005 at 09:39 PM.
Old 03-27-2005, 12:29 AM   #11 (permalink)
Talking BlackBerry Encyclopedia
 
Join Date: Mar 2005
Location: Texas
Model: 8900
Carrier: AT&T/Cingular
Posts: 416
Post Thanks: 0
Thanked 0 Times in 0 Posts

I think of it this way - no matter WHAT you do, there's prob a record of it somewhere!!
__________________
7290>8700>8310>8900
Old 03-27-2005, 11:40 AM   #12 (permalink)
jdh
Thumbs Must Hurt
 
Join Date: Mar 2005
Location: Toronto
Model: 8700
Carrier: Rogers
Posts: 121
Post Thanks: 0
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by rambo47
THAT'S what I assumed couldn't happen with PIN messaging. T-Mobile or Cingular or whatever service provider would have a log, but not the company deploying the Blackberries. I didn't know there was even an internal log of PIN messages created in the Blackberry itself. I would have thought the only way for CIBC to get the logs was through subpoena of the carrier.
For accounting purposes, the carrier might have a log that messages were sent and received (ie, from and to), but I seriously doubt that they track the content of those messages, since it would be a violation of their privacy policy to do so.

When you have a Blackberry issued by a company, it's company property, and it's reasonable for that company to have a policy in place that allows them to control and monitor what you do with it (the same as the content of your traditional e-mail account). However, when you buy a device from a wireless carrier, there is no room for such a policy, and for them to track the content of PIN messages would be a violation of recent privacy laws (aside from the fact that from a logistical point of view, I'm sure they can't be bothered).

As for the Blackberry storing a log of PIN messages, I doubt that this was the case in the CIBC situation.... More likely the employees still had the actual PIN messages in their mailboxes (ie, they hadn't deleted/purged them), and when they connected their Blackberries, the desktop backup simply backed that data up along with everything else that was on their BBs....

Try this: Do a backup with your Blackberry desktop, and then open up the backup file with notepad or somesuch... You'll see your data, including your e-mail messages, contained in there... It's not necessarily in an easily human-readable format, but it's not encrypted either.
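
The check jdh describes (open the desktop backup and see whether the data is readable), turned into a repeatable at-rest audit. This is an added example, not part of the original thread; the sample blobs, the PIN, the keyword and the thresholds are constructed assumptions, and nothing here parses the real backup format.

```python
import math
import re
from collections import Counter
from hashlib import sha256

MIN_RUN = 6  # shortest printable run worth reporting (assumed threshold)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_runs(data: bytes, min_run: int = MIN_RUN) -> list:
    """Readable ASCII runs plus UTF-16LE runs, which an ASCII-only scan misses."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_run, data)
    utf16_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_run, data)
    return ([r.decode("ascii") for r in ascii_runs]
            + [r.decode("utf-16-le") for r in utf16_runs])

def audit_backup(data: bytes, keywords=()) -> dict:
    """Report whether a backup image exposes readable content at rest."""
    runs = printable_runs(data)
    readable = sum(len(r) for r in runs) / max(len(data), 1)
    entropy = shannon_entropy(data)
    hits = [r for r in runs if any(k.lower() in r.lower() for k in keywords)]
    return {
        "entropy": round(entropy, 2),
        "readable_fraction": round(readable, 2),
        "keyword_hits": hits,
        # Assumed cut-offs: low entropy or lots of readable text => not encrypted.
        "looks_plaintext": entropy < 7.0 or readable > 0.2,
    }

# Constructed sample: binary framing around readable records. This is NOT the
# real BlackBerry backup layout; the PIN and message text are made up.
PLAIN_BACKUP = (b"\x00\x01\x07\x00PIN Messages\x00\x1f\x02"
                b"To: 2100000A\x00Subject: Q3 numbers\x00"
                b"Meet at noon, bring the file.\x00" + bytes(range(16))) * 4
# Constructed stand-in for an encrypted backup: deterministic pseudo-random bytes.
OPAQUE_BACKUP = b"".join(sha256(i.to_bytes(4, "big")).digest() for i in range(64))

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_BACKUP), ("opaque", OPAQUE_BACKUP)):
        print(name, audit_backup(blob, keywords=("subject",)))
```

A backup that reports `looks_plaintext` should be treated like the device itself: kept on encrypted storage and deleted when no longer needed.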
Old 03-28-2005, 02:53 PM   #13 (permalink)
New Member
 
Join Date: Feb 2005
Location: Montreal, Canada
Model: 8700r
Carrier: Rogers
Posts: 13
Post Thanks: 0
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by jdh
snip...

As for the Blackberry storing a log of PIN messages, I doubt that this was the case in the CIBC situation.... More likely the employees still had the actual PIN messages in their mailboxes (ie, they hadn't deleted/purged them), and when they connected their Blackberries, the desktop backup simply backed that data up along with everything else that was on their BBs....

snip...
Exactly!
Old 03-28-2005, 03:07 PM   #14 (permalink)
Talking BlackBerry Encyclopedia
 
Join Date: Mar 2005
Location: Texas
Model: 8900
Carrier: AT&T/Cingular
Posts: 416
Post Thanks: 0
Thanked 0 Times in 0 Posts

Yikes! JDH you're right! I saw all my contacts, emails, etc!
__________________
7290>8700>8310>8900
Old 03-28-2005, 05:31 PM   #15 (permalink)
Thumbs Must Hurt
 
Join Date: Mar 2005
Location: Middle of Nowhere, USA
Model: 7290
Posts: 85
Post Thanks: 0
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by rambo47
Am I correct in assuming that PIN messages go directly from one Blackberry to the other, no server in the middle? I recently read over on Blackberry Cool how Royal Bank of Canada went ape-shit over PIN messaging and made it their policy to completely disallow the practice. Seems they freaked because they had no way to monitor PIN messaging, no PIN log, or any copy like with email.

Is this really a secure communications method?
From my RIM tech guy:

PIN to PIN:
Message goes from device, to RIM (to discover what network the target device resides), to device.
PIN messages are still encrypted via 3-DES, but the actual encryption key is the same for all devices, so the messages are not transmitted in cleartext. A company can make their own key but then it limits PIN to PIN to within the company.

PIN messages are only ever stored on the device (either the sending or receiving device). Leaving the messages on the device means they are accessible there or if you backup your device, accessible using the backups of the device. This is where the messages in question were (either on the device or in the backups the user made).

So from this understanding PIN-to-PIN is secure enough from user to user, but if you are going to make copies of the messages via backups or leave the messages on your device then they are accessible as you would expect.

Goes to show - secure your device and remove backups when they are no longer needed. Pretty typical personal user security issues that only the user really has control over. The users were obviously stupid - the BlackBerry was a company device and the company was obviously entitled to the information on it and the backups that were made on their company desktops/computers.

Bunker
Old 03-28-2005, 06:15 PM   #16 (permalink)
Thumbs Must Hurt
 
MooseNYC's Avatar
 
Join Date: Jan 2005
Location: NYC
Model: 9650
OS: 6.0.0.524
Carrier: Verizon
Posts: 192
Post Thanks: 0
Thanked 0 Times in 0 Posts
PIN to PIN messages - Question ref: BES

I understand that the PIN message is routed via RIM, but is there no setting on a BES to log the items or capture the message? (BES users only)

It was discussed earlier that if the sender erases the message after sending but before 'holstering' the device it won't get logged (assuming wireless reconciliation). Is this true?

Regards,

Dave
__________________
Formerly - HTC Thunderbolt / 9550 / 9630 / 8830 / 8100 / 8700 / 7290 / 7100g / 7510 / 7230 / 6710 /. .
Old 03-29-2005, 10:42 PM   #17 (permalink)
Zro
CrackBerry Addict
 
Zro's Avatar
 
Join Date: Mar 2005
Model: 8800
Carrier: Rogers
Posts: 597
Post Thanks: 0
Thanked 0 Times in 0 Posts

Ok, time to spew out some info and set this to rest.

On a fresh BlackBerry (as in just had application loader done to load the OS) PIN to PIN can only be seen on the sending and receiving BlackBerry.

They are NOT 3DES encrypted, they are SHA-1 hashed and compressed.

Companies can now get software to load onto the handhelds (I just found this out tonight) that will monitor your message box and blind copy anything it sees there to a server running their backend software.

Wireless reconcile has nothing to do with PIN messages.

If you don't do an auto backup (or backup at all) the received PIN messages will never be anywhere other than the BlackBerry (sender and receiver, and assuming neither have deleted their copy).

PIN messages do touch the BlackBerry infrastructure, but only in a routing sense. They are not tracked or logged there.

PIN messages do not touch your BES server at all, so there's no setting they can set to log them...but they can set an IT policy to disallow sending PIN messages.

This is also the reason that if your BES goes down, or your Exchange/Groupwise/Domino server goes down, you can still send PIN messages.

Carriers cannot tell the difference between a PIN message, an email, or a calendar sync process. They just see BlackBerry data and forward it to the BlackBerry infrastructure.

PIN 2 PIN is fast because it's only using the wireless network, no additional backend overhead (email server, BES, internet traffic, etc)

CIBC has never (to my knowledge) said how they got the PIN messages, but from one article I read in a local paper, they were still on the BlackBerry when the people turned them in when they quit. Someone else mentioned that they used a backup file restored onto another BlackBerry.

Your backup file can be restored onto any other BlackBerry.

A company BlackBerry belongs to the Company. People seem to forget this at times. It is not for personal communication, personal email, conspiracy, whatever....companies just allow you to do this.

ok, done Ranting now...did I forget anything? or anyone have any other questions about PIN messages?

Zro
Old 03-30-2005, 02:03 PM   #18 (permalink)
New Member
 
Join Date: Mar 2005
Model: 8830
Carrier: Telus
Posts: 5
Post Thanks: 0
Thanked 0 Times in 0 Posts

Yes... How do you solve the error message "Decryption failure, please regenerate key" when some people send you messages?

It doesn't happen for all BB users, just some for some reason. They have tried generating a new key to no avail.

Last edited by J0dest3r : 03-30-2005 at 02:14 PM.
Old 03-31-2005, 06:19 PM   #19 (permalink)
Thumbs Must Hurt
 
loonews's Avatar
 
Join Date: Feb 2005
Location: Memphis, TN
Model: 7280, 7290, 7250, 7100
Posts: 98
Post Thanks: 0
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by J0dest3r
Yes... How do you solve the error message "Decryption failure, please regenerate key" when some people send you messages?

It doesn't happen for all BB users, just some for some reason. They have tried generating a new key to no avail.
I am now having this problem with people on my corporate BES sending PINs to people outside our company. I figure it's one or a number of these policy settings, so if I figure it out I'll let you know, but if someone knows please let me know.
__________________
------------------------------------------------
Sent from my Blackberry Handheld - The next best thing to No Vacation!
Old 03-31-2005, 08:37 PM   #20 (permalink)
Zro
CrackBerry Addict
 
Zro's Avatar
 
Join Date: Mar 2005
Model: 8800
Carrier: Rogers
Posts: 597
Post Thanks: 0
Thanked 0 Times in 0 Posts

There is a flag that you can set in the IT policy to disallow PIN messages. Actually, I think there are multiple flags that can be set...One for no send/receive PIN messages, and one for sending PIN messages...there may be more.

Zro
Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.