A gentleman by the name of Jeffrey Carr that happens to have a security blog managed to unearth the fact that the now infamous Dual EC DRBG security algorithm used by the NSA is in fact owned by a Blackberry Subsidiary. In his blog post, he gives a slight explanation about the algorithm itself and the fact that the NIST had recommended that algorithm for some time until it had been put into question by the Snowden documents.
As you can see from the patent document itself, Certicom, a subsidiary of Blackberry, holds the patent and actually filed for the patent back in 2006 and was eventually granted it in 2013. Although, to be fair to Blackberry, they acquired the company in 2009, well after Certicom had already implemented the NSA algorithm and filed for a patent under their name.
He also points out that according to the NIST there is a very long list of companies, including Blackberry that have implemented this algorithm in their software for security. These companies include Microsoft, Certicom, RSA, Cisco, Juniper Networks, McAfee, Symantec, Samsung, Lancope, SafeLogic, GE Healthcare, Thales eSecurity, Panzura, Catbird Networks, ARX, Kony, CoCo Communications, Riverbed Technology, The OpenSSL Foundation, Certicom, and Mocana.
It may be interesting to see how Blackberry addresses this issue and whether or not they can shine more light on the problem and explain why they are using a potentially flawed product. This would also potentially mean that all of Blackberry’s ‘secure’ products utilizing this algorithm aren’t really secure as Blackberry would lead you to believe. This includes Blackberry 10 OS and Blackberry 10 Enterprise Service, BBSWS and Blackberry Tablets. This would lead one to believe that any and all of Blackberry’s latest smartphones and tablets are essentially hackable by the NSA (or anyone that can utilize this vulnerability) based on Snowden’s documents and the advisory put out by the RSA.
I’m not sure what’s more damaging, the fact that Blackberry’s own company is the holder of this patent or that they implemented it in their own products and inadvertently made their own ‘secure’ products more insecure.