bbm管理

I felt secure communicating on the BBM... Till some time back!!

我感到在BBM上进行交流非常安全...待会儿再来!!

It was probably the fact that the BBM messages do not travel over the internet was making me feel 'secure' about it, or was it the fact that BBM only works on a BlackBerry Devices and my belief that BlackBerry devices are secure by design. Not Sure...but somehow I thought it was the safest IM App avaiable.

可能是因为BBM消息没有通过互联网传播，这使我对此感到“安全”，或者是BBM仅在BlackBerry设备上工作，并且我认为BlackBerry设备在设计上是安全的。 不确定...但是我以某种方式认为它是最安全的IM App。

I fired my browser and landed on Google. I couldn’t find many articles about the security of messages communicated over BBM. I couldn’t even find any notes on the BBM architecture. I will just summarize what I was able to understand from many different pages.

我启动了浏览器并登陆了Google。 我找不到很多有关通过BBM传递的消息的安全性的文章。 我什至找不到关于BBM体系结构的注释。 我将总结从许多不同的页面我能理解的内容。

Blackberry Messenger is a skin on top of the basic PIN to PIN messaging which has been there on these devices for long. A “PIN” is a hardware address, similar to a MAC address, and is unique to every BlackBerry device. A “PIN” however is not an authentication password nor is it a user identifier. It is the method by which the BlackBerry device is identified to the RIM relay for the purpose of finding the device within the global wireless service providers’ networks.

Blackberry Messenger是在这些设备上已经存在很长时间的基本PIN到PIN消息传递之上的皮肤。 “ PIN”是类似于MAC地址的硬件地址，并且对于每个BlackBerry设备而言都是唯一的。 但是，“ PIN”既不是认证密码，也不是用户标识符。 这是将BlackBerry设备标识给RIM中继的方法，目的是在全球无线服务提供商的网络内查找该设备。

Alice sends a message to Bob. The target address for this message would be the PIN of Bob's Blackberry Device. The message is received by her service provider which sends the message to the RIM Relay Server. The RIM relay identifies Bob’s BlackBerry device by its PIN and forwards the message directly to Bob’s wireless service provider. These messages do not travel thru the internet or the Blackberry Enterprise Server and hence are faster than email communication. It is ideal for communication in Emergencies, or when your Emails Server/BES etc are not functional. I am sure this raises the question about compliance, auditing, content security etc. These messages bypass all the onion skins of security and land on the devices directly. Unless specifically configured on the BES thru an IT Policy, these messages are not logged on the BES. This has prompted certain enterprises to disable PIN to PIN messages on their corporate BB devices.

爱丽丝向鲍勃发送消息。 该消息的目标地址为Bob的Blackberry设备的PIN。 该消息由其服务提供商接收，该服务提供商将消息发送到RIM中继服务器。 RIM中继通过其PIN识别Bob的BlackBerry设备，并将消息直接转发到Bob的无线服务提供商。 这些消息不会通过Internet或Blackberry Enterprise Server传播，因此比电子邮件通信快。 非常适合紧急情况下的通信，或者在您的电子邮件服务器/ BES等无法正常工作时使用。 我确信这引起了有关合规性，审核，内容安全性等问题。这些消息绕过了所有安全性的洋葱皮，直接落在设备上。 除非通过IT策略在BES上进行了特殊配置，否则这些消息不会记录在BES上。 这促使某些企业在其公司BB设备上禁用PIN到PIN消息。

Now, one would assume that since RIM has been serious about security, they would have made the transmission secure by encrypting it. Well they did! All PIN to PIN messages are encrypted with Triple DES. Excellent!! Not exactly all RIM devices are loaded with a common peer-to-peer (same) encryption key which is used for encrypting the PIN to PIN messages. This would mean that every blackberry device can decrypt any PIN message that it receives because every BlackBerry device stores the same peer-to-peer encryption key. RIM advises users in one of the security guides to “consider PIN messages as scrambled, not encrypted”. It would mean that if I were to sniff the traffic coming to your device I could potentially decrypt the PIN messages and see them. The probability of such a threat actually happening is very rare but technically possible.

现在，人们可以假设，由于RIM十分重视安全性，因此他们将通过加密来确保传输的安全性。 好吧，他们做到了！ 所有PIN到PIN消息均使用Triple DES加密。 优秀的！！ 并非所有的RIM设备都加载了通用的对等（相同）加密密钥，该密钥用于对PIN到PIN消息进行加密。 这意味着每个黑莓设备都可以解密收到的任何PIN消息，因为每个BlackBerry设备都存储相同的对等加密密钥。 RIM在一份安全指南中建议用户“将PIN消息视为加扰的而不是加密的”。 这意味着，如果我要嗅探进入您设备的流量，则可以解密PIN消息并查看它们。 实际上发生这种威胁的可能性很小，但在技术上是可能的。

As I mentioned earlier the PIN is a number burnt on to the device and is permanent. This highlights another potential vulnerability. Bob's device is wiped and assigned to Dave. The device would still retain the same PIN and will continue to receive PIN messages addressed to that PIN. Alice would be unaware of the fact that her messages intended to Bob are being delivered to Dave.

正如我之前提到的，PIN是设备上的永久数字，并且是永久性的。 这突出了另一个潜在的漏洞。 Bob的设备已擦除并分配给Dave。 设备仍将保留相同的PIN，并将继续接收发送到该PIN的PIN消息。 爱丽丝将不会意识到她发给鲍勃的消息已经传递给戴夫了。

Let us consider another situation. Chuck steals Bob’s device. Chuck could actually impersonate Bob and elicit information from Alice. Alice would think that she is communicating with Bob and unsuspectingly share information. She is in fact communicating with the PIN of Bob’s device which is now with Chuck.

让我们考虑另一种情况。 查克偷了鲍勃的设备。 查克实际上可以冒充鲍勃，并从爱丽丝那里获取信息。 爱丽丝会以为她正在与鲍勃交流，毫无疑问地共享信息。 实际上，她正在与Bob的设备（现在与Chuck在一起）的PIN进行通信。

If PIN can be spoofed it could be another potential threat to the security of messages exchanged using P2P. I was not able to find any information on how to do it. The forums seems to suggest that it’s not possible.

如果可以伪造PIN，则可能是对使用P2P交换消息的安全性的另一个潜在威胁。 我找不到有关如何执行操作的任何信息。 论坛似乎暗示不可能。

Lesson learnt:

学习到教训了：

Be careful when sharing sensitive information over BBM/PIN Messages because:-

通过BBM / PIN消息共享敏感信息时要小心，因为：

PIN-to-PIN messages are encrypted using an encryption key which is accessible to everyone.

PIN到PIN消息使用每个人都可以访问的加密密钥加密。

The messages you send are to an address which is tied to a device and not a person.

您发送的消息将发送到与设备而非个人绑定的地址。

Big Boss might be watching. If PIN-to-PIN messages are configured to be logged on the BES server, all BBM/PIN Messages would be logged in Clear Text Log files on the BES Server.

大老板可能在看。 如果将PIN到PIN消息配置为记录在BES服务器上，则所有BBM / PIN消息都将记录在BES服务器上的明文日志文件中。

I still love my Blackberry :)

我仍然爱我的Blackberry :)

翻译自: https://www.experts-exchange.com/articles/3588/Myth-BBM-is-Secure.html

bbm管理