Slashdot Mirror


Blackberry 10 Sends Full Email Account Credentials To RIM

vikingpower writes "How a phone manufacturer making a somewhat successful come-back can shoot itself in the foot: Marc "van Hauser" Heuse, who works for German technology magazine Heise, has discovered that immediately after setting up an email account on Blackberry 10 OS, full credentials for that account are sent to Research In Motion, the Canadian Blackberry manufacturer. Shortly after performing the set-up, the first successful connections from a server located within the RIM domain appear in the mail server's logs. (Most of the story in English, some comments in German.) At least according to German law, this is completely illegal, as the phone's user does not get a single indication or notice of what is being done." (Here's Heise's article, in German.)

6 of 191 comments

  1. Re:Wow ... by ZiakII · · Score: 3, Interesting

    > So either RIM feels they should have this, or they're really stupid.
    >
    > There is no reason to send your email credentials to RIM ... the local device needs it, but I can't think of a single defensible reason to send your credentials to their servers.
    >
    > Why do companies feel they're entitled to this kind of information? Pretty much everyone who owns a BlackBerry should be asking if they can really trust the device.


    Looks like you have no clue how RIM e-mail works on Blackberries. Just copying and pasting a quick summary on how their e-mail system works. "Unlike other PDAs, the BlackBerry device does not log into your email account for you, and check for new messages. This pull type email is best related to having a Post Office box. It requires physical action on your part to go and check your mail. You have to get up, drive in your car to the PO Box location, open it up, check for new mail, get back in your car, and drive home. All this time you are expending time and energy. What happens if you are unable to check the box due to the store/post office being closed? You have to wait until the next chance you get, and then check. As you can see this is not a very time/energy efficient way of doing things.

    On the other hand, if you had someone to bring your mail to you, a Postal worker, wouldn’t that be a better alternative? All you have to do is sit at home and when the mail arrives you have it. No need to do anything, no need to go anywhere else. This is how the BlackBerry architecture works." (Example from Crackberry.com)

    For a site apparently loaded with computer professionals, it's astounding how many here do not know how BlackBerry e-mail works.

  2. Standard Procedure? by nate_in_ME · · Score: 3, Interesting

    I haven't done all my reading on the new BB10 setup, but I know previous devices not only used RIM's servers to fetch email before passing it on to the device, but actually tunneled all internet traffic through their system. Now, from the article (or at least Google's translation of it), it sounds like BB10 says that setup is no longer used for the push email. However, are they still tunneling through RIM? The article also seems to make a jump in assuming that RIM is storing this data (who else may be listening in along the way is another discussion entirely). The only reference that I saw in the article was to the connection occurring immediately after setting up the account. This could just as easily point to a "test, then throw away" procedure as part of e-mail setup on BB10. Unless there is additional information showing a series of connections over a period of time after setting up the account, there doesn't appear to be any indication that RIM is actually keeping this data.

  3. Re:Wow ... by bill_mcgonigle · · Score: 2, Interesting

    > For such a long comment it is astounding how you don't know how email works in 2013.

    I think he knows how modern e-mail works and was explaining how Blackberry works.

    > What you are talking about was neat in 1995; today it is redundant and a security nightmare. Today we have ActiveSync and IMAP idle. Both of these provide push email without handing your password over to RIM or putting you at risk of no email when they have one of their famous outages.

    Look, we've had IMAP IDLE since 1997, the first RIM pager was introduced in 1998 and the first Blackberry smartphone was introduced in 2000. It's never been about the available technology (I was using IMAP IDLE on my Treo 650 in 2004) but about, at the time, enforcing a business model using Blackberry Enterprise Servers. They were about $28K when the phones were about $300. They were rolling in the dough, because CxOs were demanding Blackberries as fashion accessories. The iPhone replaced it as the must-have fashion accessory. There is one great thing to say about the Blackberry - it had lots of hardware buttons to make message navigation very usable and most other smartphones missed and continue to miss this.

    But I've been advising companies who deal in secrets (R&D trade secrets mostly) to avoid Blackberry for the entire time I've been doing security consulting (since before I got a Treo) because it was never a secret how Blackberry works.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

  4. Re:What person thinks this is OK? by peppepz · · Score: 2, Interesting

    It's the only way you can implement push email notifications, which once used to be something of Blackberry that people liked. Every other provider of such a service works in the same way.

  5. Re:Does anyone care? by Anonymous Coward · · Score: 2, Interesting

    Nobody cares. I work IT for a government agency, and our IT department decided (directly against my opinion) that it's basically not worth the effort to hide our data from the US government. Nothing's changed since the NSA scandal confirmed our worst strong suspicions and safe assumptions. Part of it comes from a defeatist view that they can break into anything they want to. I contend that they are _not_ magic and we _can_ keep them out. In some of our dealings it would be disadvantageous for the US government to see our hand.

  6. Debunked - Did anyone actually try verifying this? by bshroyer · · Score: 3, Interesting

    Karl Denninger writes up his experience in attempting to replicate the claim. Karl calls BS:

    http://market-ticker.org/cgi-ticker/akcs-www?singlepost=3242634

    > Don't Buy The BS Being Run on BB10 Email Security
    >
    > There's a "report" flying around alleging that BB10 phones send unencrypted email passwords to BlackBerry and additionally that BlackBerry immediately connects back to the email server and signs on (which would, of course, require that it knows the password.)
    >
    > This is easily tested and since I have a Z10 I decided to do exactly that.
    >
    > What I am doing here is setting up an account called "test" on my IMAP server to receive email and then will enter the credentials into the phone.
    >
    > To make it interesting I will do it over the Cellular Connection rather than over WiFi, so that if the phone wants to do some sort of DNS lookup that my server might block (if it was using my DNS servers as it was connected via WiFi) it'll work.
    >
    > Here we go. {full documentation follows}

    --
    The cure for cancer is coming: Reovirus
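Denninger's replication above and nate_in_ME's "test, then throw away" question in comment 2 both come down to what the mail server's own logs show for a freshly created test account. The following script is an added example, not code from the thread, from Heise or from Denninger: it parses constructed Dovecot-style login lines, ignores logins from the tester's own network, and separates a lone connection right after setup (consistent with a one-off server-side check) from repeated or later logins (credentials retained and reused). Assumed: Dovecot's default `imap-login: Login:` syslog format, documentation-range IP addresses, and a setup time supplied by the tester.

```python
"""Canary-account login audit (added example, not from the thread or from
Heise/Denninger). Assumes Dovecot-style imap-login syslog lines; the sample
lines are constructed and use documentation-range IP addresses."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample: 198.51.100.20 is the tester's own handset; the
# 203.0.113.x hosts are an unknown third party using the canary credentials.
SAMPLE_LOG = """\
Jul 17 18:02:11 mail dovecot: imap-login: Login: user=<test>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10, TLS
Jul 17 18:02:40 mail dovecot: imap-login: Login: user=<test>, method=PLAIN, rip=203.0.113.77, lip=192.0.2.10, TLS
Jul 17 18:17:03 mail dovecot: imap-login: Login: user=<test>, method=PLAIN, rip=203.0.113.78, lip=192.0.2.10, TLS
Jul 17 18:32:09 mail dovecot: imap-login: Login: user=<test>, method=PLAIN, rip=203.0.113.78, lip=192.0.2.10, TLS
Jul 17 18:40:00 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.99, lip=192.0.2.10, TLS
"""
LOGIN_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: "
                      r"Login: user=<([^>]+)>.*?rip=([\d.]+)")

def parse_ts(syslog_ts, year):
    """Syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {syslog_ts}", "%Y %b %d %H:%M:%S")

def parse_logins(log_text, year):
    """Yield (timestamp, user, remote_ip) for each successful IMAP login."""
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield parse_ts(m.group(1), year), m.group(2), m.group(3)

def audit_canary(log_text, canary_user, trusted_nets, setup_ts, year=2013,
                 probe_window=timedelta(minutes=10)):
    """Split canary_user logins from outside trusted_nets into 'probe' (an IP
    seen once, within probe_window of setup: a one-off connectivity check) and
    'recurring' (repeat IPs or logins after the window: retained credentials)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    setup = parse_ts(setup_ts, year)
    untrusted = [(ts, ip) for ts, user, ip in parse_logins(log_text, year)
                 if user == canary_user
                 and not any(ipaddress.ip_address(ip) in n for n in nets)]
    hits_per_ip = {}
    for _, ip in untrusted:
        hits_per_ip[ip] = hits_per_ip.get(ip, 0) + 1
    result = {"probe": [], "recurring": []}
    for ts, ip in untrusted:
        lone = hits_per_ip[ip] == 1 and setup <= ts <= setup + probe_window
        result["probe" if lone else "recurring"].append((ts, ip))
    return result
```

On the constructed sample, `audit_canary(SAMPLE_LOG, "test", ["198.51.100.0/24"], "Jul 17 18:02:00")` reports 203.0.113.77 as a single probe and the two 203.0.113.78 logins as recurring; only the second category is evidence that the credentials were kept.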