Slashdot Mirror

← Back to Stories (view on slashdot.org)

Blackberry 10 Sends Full Email Account Credentials To RIM

Posted by timothy on from the good-job-rim dept.

vikingpower writes "How a phone manufacturer making a somewhat successful come-back can shoot itself in the foot: Marc "van Hauser" Heuse, who works for German technology magazine Heise, has discovered that immediately after setting up an email account on Blackberry 10 OS, full credentials for that account are sent to Research In Motion, the Canadian Blackberry manufacturer. Shortly after performing the set-up, the first successful connections from a server located within the RIM domain appear in the mail server's logs. (Most of the story in English, some comments in German.) At least according to German law, this is completely illegal, as the phone's user does not get a single indication or notice of what is being done." (Here's Heise's article, in German.)

11 of 191 comments (clear)

  1. What person thinks this is OK? by Anonymous Coward · · Score: 4, Insightful

    There is an engineer, somewhere within this organization, that thinks this is a good idea. I, the important person (due to my stack of dollar bills), will never purchase such a device.

    1. Re:What person thinks this is OK? by Anonymous Coward · · Score: 4, Insightful

      Rule of thumb for corporation ethics: If you have to ask the legal department if something is OK then it is still unethical and consumer unfriendly.

      Or the catchier version: If you can't tell if something is legal without asking a lawyer then your customers can't do it either.

    2. Re:What person thinks this is OK? by Anonymous Coward · · Score: 2, Insightful

      The first time I saw that I knew I was not getting a blackberry. That was/is a security nightmare.

      That's why RIM offers BlackBerry Enterprise Server. If you don't want RIM tunneling your email, you host your own tunnels. BlackBerry has always worked this way.
      Did you really think that all of the companies that use BlackBerry send their email through RIM's servers?

    3. Re:What person thinks this is OK? by LordLimecat · · Score: 4, Insightful

      The first time I saw that I knew I was not getting a blackberry.

      Then you didnt do your research very well, because BIS is the ghetto "i cant afford a BES" experience. A proper BES is magnitudes more secure than anything SSL has to offer.

    4. Re:What person thinks this is OK? by LordLimecat · · Score: 5, Insightful

      likely

      Translation: I know nothing about how BES works, but I wont let my ignorance prevent me from criticizing it.

      For the record, anyone who has administered a BES knows that its a far better experience than anything ActiveSync has ever had, and magnitudes more secure. ActiveSync bases its entire security on a single server certificate, and having your cert chain vetted, and assuming that your trusted CA doesnt get compromised, and your ciphers arent subject to the BEAST attack. BES has per-device keys, and until AES gets cracked, BES wont be cracked.

  2. Wow ... by gstoddart · · Score: 1, Insightful

    So either RIM feels they should have this, or they're really stupid.

    There is no reason to send your email credentials to RIM ... the local device needs it, but I can't think of a single defensible reason to send your credentials to their servers.

    Why do companies feel they're entitled to this kind of information? Pretty much everyone who owns a BlackBerry should be asking if they can really trust the device.

    --
    Lost at C:>. Found at C.
    1. Re:Wow ... by h4rr4r · · Score: 2, Insightful

      Bullshit.
      IMAP even supports push via IMAP IDLE. There is no good reason for that in this day and age. This is just Blackberry again being behind the times and out of date.

    2. Re:Wow ... by h4rr4r · · Score: 3, Insightful

      For such a long comment it is astounding how you don't know how email works in 2013.

      What you are talking about was neat in 1995, today is redundant and a security nightmare. Today we have ActiveSync and IMAP idle. Both of these provide push email without handing your password over to RIM or putting you at risk of no email when they have one of their famous outages.

    3. Re:Wow ... by gstoddart · · Score: 3, Insightful

      It's a little different, this sends it as soon as you set up the account apparently.

      I've set my Android devices to not use Google's cloud backup because I'm increasingly distrustful of them. That, and keeping the Google+ shit at bay.

      But in this case, it sounds like as soon as you create an account RIM has your password -- that to me is a terribly designed system.

      And RIM wants to make their messaging client available on other platforms? Suddenly it doesn't look like a trustworthy system to me.

      --
      Lost at C:>. Found at C.
    4. Re:Wow ... by ArsenneLupin · · Score: 4, Insightful

      IMAP even supports push via IMAP IDLE.

      Yes, but that only works while you are connected to the server, which needs a (potentially expensive) IP connection.

      True push might "wake up" your phone with a special SMS when a mail is ready, and then the phone only needs to establish the connection when needed, rather than keeping it up permanently, potentially incurring roaming fees.

  3. Does anyone care? by dgr73 · · Score: 4, Insightful

    I was in a conference once where all the big players in the security field were sitting and saying "no way we'll build backdoors into our systems, the best guarantee against that is the fact that if it's found out, we'll be killed in the market, nobody will buy from us". But considering how most companies hit by the NSA scandal are still doing brist business, I don't think RIM has anything to fear from anyone except a handful of Slashdotters, who use other types of phones anyway.