BlackBerry’s acquisition of Cylance raises eyebrows in the security community

BlackBerry, which has rebranded as a security company as its mobile handset business fades, purchased Cylance, the machine-learning based anti-malware company, for $1.4 billion dollars last week. The move is in line with BlackBerry’s public strategy to secure endpoint devices such as cars, medical devices, and critical infrastructure, but it raises eyebrows in the security community, given the company’s history with encryption backdoors.

The company plans to integrate Cylance’s anti-malware solution into the BlackBerry Spark platform, “which is at the center of our strategy to ensure data flowing between endpoints (in a car, business, or smart city) is secured, private, and trusted,” BlackBerry wrote in a statement.

Deploying Cylance’s well-respected anti-malware service on IoT devices is potentially a big win for IoT security, but CEO John Chen’s stance on ” lawful access ” has put him and BlackBerry at odds with much of the security community.

As early as 2010, at the height of BlackBerry’s popularity as a handset manufacturer, the company is thought to have shared its global decryption key for consumer BlackBerry devices with the Canadian federal police, the RCMP. (Chen was not working at BlackBerry at this time.)

During the Apple v. FBI spat a couple years ago, when the FBI was clamoring for backdoored encryption, Chen was a vocal critic of Apple, and called for tech companies to cooperate with law enforcement. In October 2017, Chen said in an interview that he would be willing to find a way to circumvent BlackBerry’s security at the request of law enforcement. In a blog post dated November 20, however, Chen said that “BlackBerry’s products do not have backdoors,” while reiterating his stance that tech companies should “comply with reasonable lawful access requests.”

An internet of vulnerable things

Court documents make clear that at least as early as 2010 the Canadian federal police had a copy of BlackBerry’s global decryption key, installed in every consumer device at the factory. Whoever possessed a copy of that key was able to decrypt text messages sent between BlackBerry’s consumer handsets.

According to the company, none of BlackBerry’s current enterprise software products have a global decryption key. But the security community has a long memory, and Chen’s recent public statements have raised concerns.

In a call on November 16 announcing the Cylance acquisition, CSO asked Chen whether he would continue BlackBerry’s support for “lawful access” encryption backdoors as the new head of Cylance. Chen said, “We do support legal access. I believe every company should,” adding that “we all have a social responsibility to protect the safety of the government and the people.”

It’s too early to tell the downstream effect that stated position might have on Cylance technology, but any method that provides access to encrypted information without the user’s consent weakens security for everyone. Not only can law enforcement gain access, but as the world’s leading cryptographers have concluded for years, the risk that a “golden key” will be stolen by bad actors – from criminals to state-sponsored hackers – is high.

A similar system deployed for the types of IoT devices that Cylance supports could have disastrous consequences. There is no evidence that Cylance has ever put backdoors in its malware detection solution, or whitelisted government malware. But with John Chen now in control of Cylance, some in the security community see trouble ahead.

“Anyone that whitelists malware of any type runs the risk of weakening critical infrastructure for everyone, including governments and citizens. No malware should ever be whitelisted,” Harry Halpin, a security researcher at Inria, the French national institute for research in computer science and automation, and MIT, tells CSO.

BlackBerry’s acquisition of Cylance worries Halpin, who adds, “A track record of cooperation by anyone points to possible future cooperation.”

The problem with lawful access

Any deliberately created vulnerability, even those created for use by law enforcement, will inevitably be hacked.

Backdoored encryption has far more serious consequences in the IoT space. “In a world where cryptographic keys protect cars, cardiac devices, trains, and smart meters, losing those keys has grave implications,” Éireann Leverett, founder and CEO of Concinnity Risks, tells CSO. “Our safety literally depends on those keys.”

The difficulty of knowing whether someone has stolen a copy of an encryption backdoor, combined with the difficulty of updating hard-coded backdoors, makes “lawful access” measures unworkable.

“If we have to reset our passwords every time our bank gets hacked,” Leverett asks, “how can companies still allow these hard-coded backdoors, that they can’t reset?”

Backdoors don’t have to be hardwired into a device. They can be any method that provides access to encrypted information without the user’s consent. “Backdoors can be a public safety issue when present in remotely accessible, safety-critical systems,” Beau Woods, a Cyber Safety Innovation Fellow with the Atlantic Council in Washington, tells CSO. “Technical capabilities are policy agnostic – they can’t distinguish between what is permitted and forbidden by law.”

Backdoors in machine learning

A backdoor in machine learning technology of the type developed by Cylance would look very different from the encryption backdoor BlackBerry deployed in its consumer handsets. Researchers have demonstrated that machine learning can be backdoored, and how such backdoors might work.

“It’s possible they [BlackBerry] could add machine learning-specific backdoors of the style we proposed last year that makes it ignore their own state-sponsored malware,” Brendan Dolan-Gavitt, an assistant professor in the computer science and engineering department at New York University, tells CSO.

“We showed that when you’re training something like a deep learning system you can teach it to recognize specific triggers and then misclassify any inputs that have that trigger,” Dolan-Gavitt adds. “We haven’t looked at anti-malware systems specifically, but I think it would work.”

The FBI has been demanding tech companies create backdoors for 20 years to make it easier for law enforcement to do its job. Asking BlackBerry to whitelist law enforcement malware to gain access to a suspect’s IoT devices would yield an enormous amount of intimate information about that person. But that kind of “wiretapping” permits more than just eavesdropping – it enables attacks on data integrity and availability as well, attacks that malicious actors will inevitably engage in.

Backdoors in BlackBerry/Cylance products are by no means a foregone conclusion. No known evidence contradicts Chen’s claim that BlackBerry’s current products are free of backdoors. Given the sensitive nature of IoT, however, Chen’s statements regarding lawful access raise legitimate questions.