Slashdot Mirror
Blackberry 10 Sends Full Email Account Credentials To RIM
vikingpower writes "How a phone manufacturer making a somewhat successful come-back can shoot itself in the foot: Marc "van Hauser" Heuse, who works for German technology magazine Heise, has discovered that immediately after setting up an email account on Blackberry 10 OS, full credentials for that account are sent to Research In Motion, the Canadian Blackberry manufacturer. Shortly after performing the set-up, the first successful connections from a server located within the RIM domain appear in the mail server's logs. (Most of the story in English, some comments in German.) At least according to German law, this is completely illegal, as the phone's user does not get a single indication or notice of what is being done." (Here's Heise's article, in German.)
There is an engineer, somewhere within this organization, that thinks this is a good idea. I, the important person (due to my stack of dollar bills), will never purchase such a device.
Isn't that how the BB works if you don't have your own BES?
Yea that's what I thought. I never thought it was a great idea, but it's not really anything new.
Memo: Go get it yourself. Gentlemen, We're tired of having to carry this data mining workload on our networks and servers. Here's the list of user names and passwords that we collected for you. Knock yourself out. Regards, RIM
So either RIM feels they should have this, or they're really stupid.
There is no reason to send your email credentials to RIM ... the local device needs it, but I can't think of a single defensible reason to send your credentials to their servers.
Why do companies feel they're entitled to this kind of information? Pretty much everyone who owns a BlackBerry should be asking if they can really trust the device.
Lost at C:>. Found at C.
"blackberry has always worked like this."
No, it hasn't. In the past the BES server has credentials for a *single* privileged account that interacts with the mail server. The newest version uses ActiveSync rather than MAPI for that interaction, and it connects with credentials for each individual account. Those credentials are those the article is talking about, and unlike the single BES account, they can be used to access user accounts/data/info anywhere on the network a user can.
I was in a conference once where all the big players in the security field were sitting and saying "no way we'll build backdoors into our systems, the best guarantee against that is the fact that if it's found out, we'll be killed in the market, nobody will buy from us". But considering how most companies hit by the NSA scandal are still doing brist business, I don't think RIM has anything to fear from anyone except a handful of Slashdotters, who use other types of phones anyway.
Actually is has, if you don't have a BES.
If you needed to login to a server that did not have a BES you were forced to hand over your credentials to blackberry since the devices themselves did not talk any other protocols.
They called this service BIS.
I love my Crackberry (OS 7.1 though), but I've never setup email directly on the phone. I've always used the web browser to access it over SSL. Guess I won't upgrade to 10 and just hold onto my 7.1 for now.
I haven't done all my reading on the new BB10 setup, but I know previous devices not only used RIM's servers to fetch email before passing it on to the device, but actually tunneled all internet traffic through their system. Now, from the article (or at least Google's translation of it), it sounds like BB10 says that setup is no longer used for the push email. However, are they still tunneling through RIM? The article also seems to make a jump in assuming that RIM is storing this data (who else may be listening in along the way is another discussion entirely). The only reference that I saw in the article was to the connection occurring immediately after setting up the account. This could just as easily point to a "test, then throw away" procedure as part of e-mail setup on BB10. Unless there is additional information showing a series of connections over a period of time after setting up the account, there doesn't appear to be any indication that RIM is actually keeping this data.
If you don't want your BlackBerry traffic tunneled through RIM, then you set up your own enterprise server. BlackBerry traffic always gets tunneled. There is no other option.
If this guy doesn't want his traffic tunneled, why the fuck does he have a BlackBerry? It's their only remaining salable feature! If he wants control over the tunnel, just download and install BES. It's pretty easy.
Do we know if blackberry are the only ones doing this?
Didn't read the article of course, but does this guy have a BES server? I thought this was always how BlackBerries worked. If you weren't running BES, then RIM essentially took over that function. Granted, I haven't touched a BlackBerry in like 6 years, so maybe I am only remembering the good times at this point.
"When you enter your POP / IMAP e-mail credentials into a Blackberry 10 phone they will be sent to Blackberry without your consent or knowledge. A server with the IP 68.171.232.33 which is in the Research In Motion (RIM) netblock in Canada will instantly connect to your mailserver and log in with your credentials. If you do not have forced SSL/TLS configured on your mail server, your credentials will be sent in the clear by Blackberrys server for the connection. Blackberry thus has not only your e-mail credentials stored in its database, it makes them available to anyone sniffing inbetween – namely the NSA and GCHQ as documented by the recent Edward Snowden leaks. Canada is a member of the “Five Eyes”, the tigh-knitted cooperation between the interception agencies of USA, UK, Canada, Australia and New Zealand, so you need to assume that they have access to RIMs databases. You should delete your e-mail accounts from any Blackberry 10 device immediately, change the e-mail password and resort to use an alternative mail program like K9Mail.
Clarification: this issue is not about PIN-messaging, BBM, push-messaging or any other Blackberry service where you expect that your credentials are sent to RIM. This happens if you only enter your own private IMAP / POP credentials into the standard Blackberry 10 email client without having any kind BER, special configuration or any explicit service relationship or contract with Blackberry. The client should only connect directly to your mail server and nowhere else. A phone hardware vendor has no right to for whatever reason harvest account credentials back to his server without explicit user consent and then on top of that connect back to the mail server with them."
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
Why do companies feel they're entitled to this kind of information?
I'll play the devil's advocate here and suggest that RIM might not have done this out of a sense of entitlement, but rather out of a sense of laziness or generally poor programming. This information is not necessarily all that valuable to them anyways.
Pretty much everyone who owns a BlackBerry should be asking if they can really trust the device.
The device just came our, and this applies only to the two newest blackberries. The bigger question is how long will it take them to correct this. They have a choice here; they can either say "oops, we didn't mean to do that" and patch it so that this information isn't passed on in the future, or they can try to come up with some obfuscated excuse why this data being passed on doesn't hurt the user. If they do the former, then it can be attributed to human error. If they do the latter then they might wan to consider closing their doors for good.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
The "user does not get a single indication or notice of what is being done" is the heart of real estate, at least in North America it seems to me.
I hope stuff like this, along with the Snowden Files, proceed to destroy the 'Cloud' paradigm. It was a diseased model to begin with and is proving to be nothing more than a Tap for domestic and international spying.
People deserve privacy, especially in email, and stealing their account credentials ought to be basis enough for a Watergate style investigation. You know full well if some 17 year old did this exact same thing to some politician or movie star, his ass would be roadkill in the court system inside a month. The double standard legal system in some places is just freaking wrong.
Join the Slashcott! Feb 10 thru Feb 17!
Thank you for confirming that :-)
“He’s not deformed, he’s just drunk!”
If it's anything like the previous-generation BlackBerries, it's shockingly bad. We bought one for my wife on the strength of it having a physical keyboard, and waded through all the hand-over-your-password BIS nonsense. And, well... I guess it *might* work if you never ever want to look at your mail from anything other than your BB. Once the BB has decided what *its* view of your mailboxes is, good luck in having anything else you do via all your other (IMAP, webmail, whatever) clients have any relationship whatsoever to what you see or do on the BB.
Hello RIM? That's the *whole* *fucking* *point* of IMAP - the mail stays on the server, and I can get the same view of it from anywhere, not go through all the hoops we used to have to jump through to fake synchronisation on POP3 clients.
I've since disabled (or deconfigured, or otherwise turned off) the whole BB mail piece, and installed LogicMail, which I heartily recommend. It's a regular IMAP client, it makes IP connections to the mail server, and it all works Just Fine. If she leaves it running, it gets new mail notifications via IDLE. If she closes it, she doesn't get notifications, but it doesn't suck juice or network usage IDLEing. Her choice.
Oh wow. I hadn't thought of it before, but that means that single privileged account... you know the one with rights to read my WHOLE COMPANY's email, is in the hands of some fool somewhere. Oh well, I knew a long time ago that email was never going to be private using 99% of normal means. I'm more concerned about personal privacy than corporation privacy anyway. Corporations are rich and cheat and do bad things that impact a lot of people. Everyday Joe people should have more rights than a corporation, and those are the people whose rights are being trashed by what our US govt is doing with internet monitoring.
Where all (ALL) your data is stored on someone else's system! \:D/
When a staff member came to me the first time and asked for help setting up mail on his Blackberry, I told him I'd get back to him after I researched it. Once I figured out that you had to provide complete logon credentials to RIM, I banned the devices. Staff can have them if they wish, but they are not to be used with our corporate mail (or any other) systems.
Back then, RIM gave you two options - give up your corporate security or buy a $3000 machine from RIM to talk to Blackberries. IMO, neither option was acceptable.
"Do not meddle in the affairs of dragons, for you are crunchy and taste good with ketchup."
I was wrong; the retained password behavior applies to POP/IMAP accounts, not ActiveSync. Sorry.
Who is to say that Exchange 201x won't do the same thing or doesn't already? Or any number of proprietary systems? You don't know because you can't see what's really happening with closed protocols, software and devices.
Custom electronics and digital signage for your business: www.evcircuits.com
Today we have ActiveSync and IMAP idle. Both of these provide push email without handing your password over to RIM or putting you at risk of no email when they have one of their famous outages.
More importantly we have the LEMONADE profile:
http://tools.ietf.org/html/rfc4550
http://tools.ietf.org/html/rfc5550
Linked-In for example, has my email address and sends me email. However, the website sometimes tries to get me to enter my email password to "verify" my account. Just send an email with a clicky to verify, you don't need to log in. I suspect a large number of web sites that require an email address actually try to log in using the password given for the web site. Facebook asks you to give this information, Linked in asks for it under false pretenses, and others.... Can someone please do more testing along these lines?
RIM is no longer they are called Blackberry...
Sir:
We *had* been wondering why during every unannounced visit to the Blackberry/RIM department in our office, we'd catch them with some with feet up on their desks, lounging around with arms behind their heads, some paper airplanes flying around, or some paper basketball match or dart game going on. They always say some variation of '...working on it" "...I'm on it", or "We managed to produce that list you were asking about". I had always attributed it to their efficiency. Now we know. Appreciate the heads-up, thanks!
WARNING: Smartphones have side effects--most of them undocumented.
Remember back when BlackBerry was first introduced... data service was expensive. This saved tons of bandwidth for users.
This was the best way to do things for quite a while. It was *never* about harvesting anything.
Karl Denninger writes up his experience in attempting to replicate the claim. Karl calls BS:
http://market-ticker.org/cgi-ticker/akcs-www?singlepost=3242634
Don't Buy The BS Being Run on BB10 Email Security
There's a "report" flying around alleging that BB10 phones send unencrypted email passwords to BlackBerry and additionally that BlackBerry immediately connects back to the email server and signs on (which would, of course, require that it knows the password.)
This is easily tested and since I have a Z10 I decided to do exactly that.
What am doing here is setting up an account called "test" on my IMAP server to receive email and then will enter the credentials into the phone.
To make it interesting I will do it over the Cellular Connection rather than over WiFi, so that if the phone wants to do some sort of DNS lookup that my server might block (if it was using my DNS servers as it was connected via WiFi) it'll work.
Here we go. {full documentation follows}
The cure for cancer is coming: Reovirus
Karl continues:
Let's push the button and see who talks to us.
Jul 18 10:25:05 NewFS imapd[88446]: Login user=test host=mc35536d0.tmodns.net [208.54.85.195]
And that's all. (That's the phone's IP address on T-Mobile, incidentally.)
Now let's look at the SMTP server and see if there's any evidence of a connection from the 68.171 address block -- which belongs to BlackBerry, and which is alleged tries to connect back.
[root@NewFS /var/log]# grep 68.171 spamblock /var/log]#
[root@NewFS
Nothing. Is the 208.54 address there?
Jul 18 10:09:21 NewFS spamblock-sys[81673]: Starting SSL/TLS negotiation with peer [208.54.85.195] /var/log]#
Jul 18 10:24:53 NewFS spamblock-sys[88447]: Starting SSL/TLS negotiation with peer [208.54.85.195]
[root@NewFS
Why yes there is, as the phone does connect to validate that the connection works (and it tells you it's doing so.) The other line, incidentally, is because there's another email account there (my real one!)
The phone connected to the SMTP server ("spamblock-sys" is my custom spam filter, which knows how to perform SSL/TLS negotiation) and performs a STARTTLS negotiation exactly as I told it to do.
Incidentally, it also brings up the server's certificate and asks me if it's ok too.
But there is no connection back to either service from any other location related to this account setup. Not from BlackBerry, not from some other place, nowhere. Period.
For those who want a bit more background on the SMTP side the code in question, particularly the SMTP code, is mine. The SMTP server in question ("Spamblock-Sys") was written from the ground up by myself. I know every single line of that code and am not relying on anyone else's word as to what is and is not logged, since I wrote it.
The IMAP server in question is WU's with moderate modification.
I have no idea if the guy in Germany is lying or if he is on an account provisioned for BIS (the older BlackBerry handsets) and his mobile provider is intercepting the transaction and passing it to BIS, which is doing what he's talking about.
The cure for cancer is coming: Reovirus
Karl Denninger has proven this is utterly false. http://market-ticker.org/akcs-www?post=222846
I recall Apple iPhone tracking GPS locations.
Then my android, that was even scarier. I switched my device, one android phone to another. I logged in to my google account on the new device. poof, next moment I logged into my wifi. Not only that, every single wifi router I had connected to on my old device was connected to automatically. Google had all the wifi password I had ever entered, stored somewhere. And then google also had that streetview vans capturing wifi packets. How safe do you think that is, with google knowing your wifi passwords as well as doing this.
Actually, the Heise article clearly states this only happens if you do not use the "advanced" configuration option and if you use the advanced one (and select yourself what kind of connection it is), the transfer of password does _not_ happen. The also state that unfortunately, the "advanced" tag is hidden under the virtual keyboard and so easily overlooked, which is completely true. (Yes, I am a German native speaker and did read the Heise article. Nobody is lying there at all.)
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
blackberry servers act as a proxy between email servers all over the world and your blackberry device.
blackberry needs email credentials in order to do this. permission is no doubt included somewhere in some infinitely-paged EULA or TOS.
it's not the *ideal* way of doing things from a privacy standpoint, but from their side of things.. faster, more efficient, compressible, and customizable communication between device and mail server makes some sense.
it's how its always been done. nothing new here, move along now.
This is how it's always been.. heck you can see clear passwords for accounts on servers with root+unified passwd access to all..
Signed -- an ungrateful Ex Engineer.
The original article began with lots of alarmist click-bait remarks, but the actual content seems to follow this obvious explanation:
BlackBerry Issues Updated Statement Regarding Alleged Email Credentials Harvesting
For those of you who think it should be possible to do all this connection testing locally on-device, mobile networks and WiFi hotspots have so many real-world issues with random port blocking and filtering that there actually is value a test independent of the user's device. I don't know whether or not this is the reason they took this approach, of course, but it is worth consideration.
If u ask Sally to go to the bank and use your PIN to get to the ATM....duhhhhhhhhhhhhhh Sally gonna have your PIN...
Only very few people have this issue ;-)
Karl's reply from market-ticker.org:
"But it doesn't matter in the end because he also claimed that (1) what was being done was ILLEGAL, (2) it was sending CLEAR TEXT passwords as a matter of routine (False; they are sent ONLY if there is no encrypted option available -- that is, the server REJECTS encryption -- in which case YOU ARE GOING TO BE SENDING THEM IN CLEAR TEXT ALL THE TIME ANYWAY) and he also strongly implied that BlackBerry was STORING the credentials, for which he had ZERO evidence."
http://market-ticker.org/akcs-www?post=222846
So let me get this straight – we know all BB data goes through the BB infrastructure in either their Canada or EMEA data centers. We also know that unencrypted traffic could be sniffed/captured at any point between the client and server. So how it is a surprise that unencrypted credentials could potentially be derived from traffic that passes to the BB infrastructure again? If you have an android/iOS/Windows Phone device and use unencrypted POP mail server the same thing could happen at the ISP level.
Or am I completely missing something here?
good-rim-job
Actually, according to German law, sending the passwords to Blackberry, regardless of the reason and without a clear warning and opt-out possibility, _is_ illegal. As to the storing and sending in plain, yes, that was probably hyperbole. But the fact remains that sending them without clear customer consent and opt-out possibility is a criminal act, punishable by up to 2 years imprisonment. And, no, shrink-wrap licenses are not valid either in Germany, and the customer can only give away this protection with a written and signed statement.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.