President Obama probably has the most famous Blackberry on the planet. In addition to being the first U.S. president to use a handheld device, his insistence on keeping a Blackberry as his personal communication device caused a stir among Whitehouse and national security staff. But the problems were worked out, and Obama's Blackberry is now secure… or is it?
Kevin Mitnick, a cybercrime pioneer, claims that given the right skills, a person could hack Obama's handheld (FoxNews.com, 2009). I don't think you need to interview a former hacker to understand that any piece of technology can be hacked, given time, patience, perseverance, and the right skill set. Most security professionals don't work under the assumption their networks are completely secure, just secure enough.
The president's Blackberry issue is a lesson is risk management. Although Obama's device requires better security than mine, the principles are the same.
First, let's look at the work-factor (time and effort) necessary to crack Obama's Blackberry. The handheld has a special encryption package and Obama is limited in how he can use it. No IM is allowed and only a small number of people are allowed to communicate with him via email (abcnews.com, 2009). Physical access to Obama's Blackberry is very limited, unless the hacker can break through the phalanx of Secret Service agents. I'm sure it's on someone's checklist to protect the Blackberry as they would anything else of national security significance. So getting to the device is extremely difficult, even if an attacker knew what to do when he or she got there.
Second, the probability of being arrested once a hack is complete is very high. Hacking into the president's technology would call down upon the unfortunate hacker the full force of U.S. Federal law enforcement. Ask Mitnick how that worked out for him. And the Feds are much better at rooting out cybercriminals than they were in the late 20th century.
There has been speculation about whether GPS capability in the Blackberry might give away Obama's position. However, this is easily resolved by turning the device off when the Secret Service takes the president to an undisclosed location. Anyone who has worked with the Secret Service, even for a very short time like I did, knows these guys pay attention to even the minutest details. I don't think the GPS will be an issue.
The work factor and the probable consequences of hacking into the president's Blackberry act together as a strong deterrent against all but the most motivated attacker, one who either doesn't care if he or she is caught or is under the protection of a powerful sponsor (e.g., China or Russia).
- The device is encrypted
- The device is not subject to easy physical access
- The user is limited in how he can use the Blackberry
- Communication is with a small, known, vetted group
After all this, can the device or supporting service still be hacked? Of course. However, the safeguards in place provide a reasonable and appropriate level of security while allowing the president to maintain contact with key staff at all times. In other words, security is present without preventing Obama from doing his job.
Although the controls for the president are more stringent than for your normal business user, the objective is the same.
- Understanding the motivation and skill sets of probable attackers, design and implement security controls which make the level of effort or risk higher than the reward. Accomplish this without rendering network-supported processes inoperable due to onerous restrictions.
- Assume your network or device will be breached. Design and document a practiced incident response process, including coordination with law enforcement.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.