The Fraunhofer Institute for Secure Information Technology (Fraunhofer Institute SIT) of Germany and Research In Motion (RIM) today announced the successful completion of an in-depth security analysis, performed by Fraunhofer Institute SIT, of the BlackBerry Enterprise Solution for mobile email and data push services. Fraunhofer Institute SIT confirms the high quality of the security architecture of the BlackBerry Enterprise Solution and the strong data protection services it provides.
Based on the results, the Fraunhofer Institute SIT project team has issued a security certification of the BlackBerry Enterprise Solution for Microsoft Exchange. The certificate is based on the functionality, configuration and installation described in certification report 06-104302, which is available at www.sit.fraunhofer.de/testlab/certificates. Fraunhofer Institute SIT also confirmed that no hidden functionality or backdoors were found and that RIM and other third parties do not have access to data within the solution. The Fraunhofer Institute SIT certificate is valid until December 2010.
“With the approved secure key establishment and key exchange protocols in the BlackBerry architecture, the confidentiality and integrity of pushed content is provided and cannot be intercepted by any party inside the communication channel,” said Dr. Claudia Eckert, Director of Fraunhofer Institute SIT. “BlackBerry communication provides end-to-end security for the evaluated interactions and services between BlackBerry smartphones and BlackBerry Enterprise Server.”
“RIM continues to set the benchmark for security in mobile communications and the BlackBerry Enterprise Solution is the first push-based solution to undergo this kind of security analysis. We are very pleased with the certification from Fraunhofer Institute SIT, which further reinforces why security-conscious organizations and governments around the world have chosen the BlackBerry solution,” said Scott Totzke, Vice President, BlackBerry Security Group at Research In Motion. The BlackBerry Enterprise Solution has also previously received a FIPS 140 validation and a Common Criteria certification in addition to the Fraunhofer Institute SIT certificate.
Background on the security analysis conducted by Fraunhofer Institute SIT on the BlackBerry Enterprise Solution
Research In Motion engaged Fraunhofer Institute SIT to perform a comprehensive in-depth security evaluation of the BlackBerry Enterprise Solution with deep analysis of the solution’s components, interfaces, software platform, environment and protocols. For the project, RIM gave Fraunhofer Institute SIT access to in-depth technical information so that it could rigorously review the solution.
The analysis was carried out as three major projects:
1. The first project analyzed the security of the communication between the major components of the BlackBerry Enterprise Solution – the BlackBerry Enterprise Server, BlackBerry smartphone, and BlackBerry Infrastructure.
2. The second project analyzed the security of the communication between the individual components of the BlackBerry Enterprise Server and the processes involved.
3. The third project focused on the BlackBerry smartphone and the analysis of relevant physical and logical interfaces to the smartphone and its environment such as the Internet. In addition to the communication content and processes, the project team also evaluated the security of standard applications of the BlackBerry Enterprise Solution such as email attachment viewing, access and integration of corporate data sources, and the usage of the PIM applications.
The security analysis assumed extensive security demands for corporate users. Fraunhofer Institute SIT defined the protection goals, developed the attack scenarios and performed attacks and manipulation attempts in practice. The tests were conducted on a typical reference installation in the Institute’s testlab, drawing on expert IT security knowledge and intimate knowledge of the BlackBerry Enterprise Solution based on design documents provided by Research In Motion.
During its evaluation, Fraunhofer Institute SIT identified many areas of strength and made some recommendations to further improve the security design and configuration of the BlackBerry Enterprise Solution. RIM has already implemented those improvements in existing products. For the complete evaluation result and the remaining security considerations, please refer to certification report 06-104302, which is part of the certificate.
* The certificate is based on the reference configuration (BlackBerry Enterprise Server for Microsoft Exchange v4.1.6 (bundle 60), BlackBerry® Pearl™ 8110 smartphone (EDGE), Firmware: v188.8.131.52 (Platform 184.108.40.206) and Cryptographic Kernel: v220.127.116.11c).