Blackberry 10 Sends Full Email Account Credentials To RIM
vikingpower writes "How a phone manufacturer making a somewhat successful come-back can shoot itself in the foot: Marc "van Hauser" Heuse, who works for German technology magazine Heise, has discovered that immediately after setting up an email account on Blackberry 10 OS, full credentials for that account are sent to Research In Motion, the Canadian Blackberry manufacturer. Shortly after performing the set-up, the first successful connections from a server located within the RIM domain appear in the mail server's logs. (Most of the story in English, some comments in German.) At least according to German law, this is completely illegal, as the phone's user does not get a single indication or notice of what is being done." (Here's Heise's article, in German.)
There is an engineer, somewhere within this organization, that thinks this is a good idea. I, the important person (due to my stack of dollar bills), will never purchase such a device.
Yeah, which is why I always laugh whenever anyone says they are secure devices.
If they can rationalize this behavior only FSM know what else they are doing.
Yea that's what I thought. I never thought it was a great idea, but it's not really anything new.
Memo: Go get it yourself. Gentlemen, We're tired of having to carry this data mining workload on our networks and servers. Here's the list of user names and passwords that we collected for you. Knock yourself out. Regards, RIM
So either RIM feels they should have this, or they're really stupid.
There is no reason to send your email credentials to RIM ... the local device needs it, but I can't think of a single defensible reason to send your credentials to their servers.
Why do companies feel they're entitled to this kind of information? Pretty much everyone who owns a BlackBerry should be asking if they can really trust the device.
Lost at C:>. Found at C.
"blackberry has always worked like this."
No, it hasn't. In the past the BES server has credentials for a *single* privileged account that interacts with the mail server. The newest version uses ActiveSync rather than MAPI for that interaction, and it connects with credentials for each individual account. Those credentials are those the article is talking about, and unlike the single BES account, they can be used to access user accounts/data/info anywhere on the network a user can.
I was in a conference once where all the big players in the security field were sitting and saying "no way we'll build backdoors into our systems, the best guarantee against that is the fact that if it's found out, we'll be killed in the market, nobody will buy from us". But considering how most companies hit by the NSA scandal are still doing brisk business, I don't think RIM has anything to fear from anyone except a handful of Slashdotters, who use other types of phones anyway.
Actually it has, if you don't have a BES.
If you needed to login to a server that did not have a BES you were forced to hand over your credentials to blackberry since the devices themselves did not talk any other protocols.
They called this service BIS.
Isn't that how the BB works if you don't have your own BES?
With the older blackberries without a Blackberry Enterprise Server, yes.
For the new blackberry 10 models without a Blackberry Enterprise Server, the phone makes the email connection directly with no intermediary, so this password leakage should not occur.
I'm going to have to test this to confirm. If true, quite a big fuckup.
I haven't done all my reading on the new BB10 setup, but I know previous devices not only used RIM's servers to fetch email before passing it on to the device, but actually tunneled all internet traffic through their system. Now, from the article (or at least Google's translation of it), it sounds like BB10 says that setup is no longer used for the push email. However, are they still tunneling through RIM? The article also seems to make a jump in assuming that RIM is storing this data (who else may be listening in along the way is another discussion entirely). The only reference that I saw in the article was to the connection occurring immediately after setting up the account. This could just as easily point to a "test, then throw away" procedure as part of e-mail setup on BB10. Unless there is additional information showing a series of connections over a period of time after setting up the account, there doesn't appear to be any indication that RIM is actually keeping this data.
Didn't read the article of course, but does this guy have a BES server? I thought this was always how BlackBerries worked. If you weren't running BES, then RIM essentially took over that function. Granted, I haven't touched a BlackBerry in like 6 years, so maybe I am only remembering the good times at this point.
"When you enter your POP / IMAP e-mail credentials into a Blackberry 10 phone they will be sent to Blackberry without your consent or knowledge. A server with the IP 68.171.232.33 which is in the Research In Motion (RIM) netblock in Canada will instantly connect to your mailserver and log in with your credentials. If you do not have forced SSL/TLS configured on your mail server, your credentials will be sent in the clear by Blackberry's server for the connection. Blackberry thus has not only your e-mail credentials stored in its database, it makes them available to anyone sniffing in between – namely the NSA and GCHQ as documented by the recent Edward Snowden leaks. Canada is a member of the "Five Eyes", the tight-knit cooperation between the interception agencies of USA, UK, Canada, Australia and New Zealand, so you need to assume that they have access to RIM's databases. You should delete your e-mail accounts from any Blackberry 10 device immediately, change the e-mail password and resort to using an alternative mail program like K9Mail.
Clarification: this issue is not about PIN-messaging, BBM, push-messaging or any other Blackberry service where you expect that your credentials are sent to RIM. This happens if you only enter your own private IMAP / POP credentials into the standard Blackberry 10 email client without having any kind of BES, special configuration or any explicit service relationship or contract with Blackberry. The client should only connect directly to your mail server and nowhere else. A phone hardware vendor has no right, for whatever reason, to harvest account credentials back to his server without explicit user consent and then on top of that connect back to the mail server with them."
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
Why do companies feel they're entitled to this kind of information?
I'll play the devil's advocate here and suggest that RIM might not have done this out of a sense of entitlement, but rather out of a sense of laziness or generally poor programming. This information is not necessarily all that valuable to them anyways.
Pretty much everyone who owns a BlackBerry should be asking if they can really trust the device.
The device just came out, and this applies only to the two newest blackberries. The bigger question is how long will it take them to correct this. They have a choice here; they can either say "oops, we didn't mean to do that" and patch it so that this information isn't passed on in the future, or they can try to come up with some obfuscated excuse why this data being passed on doesn't hurt the user. If they do the former, then it can be attributed to human error. If they do the latter then they might want to consider closing their doors for good.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
The license fees are not the problem, the problem is the product sucks. About two years ago we announced the end of our BES, as phones were replaced anyone getting a blackberry product would simply not be added to the BES and be forced to live with BIS. Activesync supporting devices would get all the nice calendar and contact features. It took about 6 months to get rid of the last couple stragglers. Turning off that server saved more money in overtime than it did in license fees.
I don't know what you guys are talking about. If the Blackberry is good enough for your President, it should be good enough for you.
But I guess thanks to that nice Mr Snowden, he doesn't have as much to hide any more.
I hope stuff like this, along with the Snowden Files, proceed to destroy the 'Cloud' paradigm. It was a diseased model to begin with and is proving to be nothing more than a Tap for domestic and international spying.
People deserve privacy, especially in email, and stealing their account credentials ought to be basis enough for a Watergate style investigation. You know full well if some 17 year old did this exact same thing to some politician or movie star, his ass would be roadkill in the court system inside a month. The double standard legal system in some places is just freaking wrong.
Join the Slashcott! Feb 10 thru Feb 17!
Thank you for confirming that :-)
“He’s not deformed, he’s just drunk!”
If it's anything like the previous-generation BlackBerries, it's shockingly bad. We bought one for my wife on the strength of it having a physical keyboard, and waded through all the hand-over-your-password BIS nonsense. And, well... I guess it *might* work if you never ever want to look at your mail from anything other than your BB. Once the BB has decided what *its* view of your mailboxes is, good luck in having anything else you do via all your other (IMAP, webmail, whatever) clients have any relationship whatsoever to what you see or do on the BB.
Hello RIM? That's the *whole* *fucking* *point* of IMAP - the mail stays on the server, and I can get the same view of it from anywhere, not go through all the hoops we used to have to jump through to fake synchronisation on POP3 clients.
I've since disabled (or deconfigured, or otherwise turned off) the whole BB mail piece, and installed LogicMail, which I heartily recommend. It's a regular IMAP client, it makes IP connections to the mail server, and it all works Just Fine. If she leaves it running, it gets new mail notifications via IDLE. If she closes it, she doesn't get notifications, but it doesn't suck juice or network usage IDLEing. Her choice.
We were hands off when it broke. Then it had to be rebooted for messages to return to one user, causing an outage for the others. Or repushing service books for no good reason, on and on.
The product sucks. There is nothing to really admin anyway. Everything is click the shiny button and pray it works this time. Typical crap windows software.
I was wrong; the retained password behavior applies to POP/IMAP accounts, not ActiveSync. Sorry.
Maybe the firmware of your device, mine is not running an official one.
If you have to let them store your password it is insecure. It is that simple. A good secure proxy system would be handed a token that identifies them as a user of your account but not you. So that one could actually audit usage and the like. BIS does not do this because it is less of integration and more of a MITM attack.
Yeah, which is why I always laugh whenever anyone says they are secure devices.
What part of "Don't have a BES" didn't you understand?
They're secure devices when you purchase and run the server that's designed to manage them. Otherwise, yes, you're having RIM host the BES service ("BIS"), and you're giving them your credentials. That's irrelevant to 99% of IT departments though, since no one of any significant size bases their mobile infrastructure on BIS.
BES Express went free several years ago and is way more secure than SSL, even if people criticizing blackberries choose to remain ignorant of how BES works.
Who is to say that Exchange 201x won't do the same thing or doesn't already? Or any number of proprietary systems? You don't know because you can't see what's really happening with closed protocols, software and devices.
Custom electronics and digital signage for your business: www.evcircuits.com
No part of it. The fact that it is needed furthers my argument, thanks.
Everyone save a few that work at RIM are ignorant of how BES works, they won't show us. Sure they say nice words, but there is no way to know if any of it is true.
You could, you know, do some research. How BES works is pretty well documented. You can monitor the connections to know its true.
If you want to spread FUD (which seems to be your intention) I guess I can't stop you, though, so carry on.
Linked-In for example, has my email address and sends me email. However, the website sometimes tries to get me to enter my email password to "verify" my account. Just send an email with a clicky to verify, you don't need to log in. I suspect a large number of web sites that require an email address actually try to log in using the password given for the web site. Facebook asks you to give this information, Linked in asks for it under false pretenses, and others.... Can someone please do more testing along these lines?
Documentation claims the PS3 is unhackable. We all know how that went.
Not FUD, just simple facts. Things you cannot audit are not something anyone should really call secure. I have done plenty of research after I found out how terribly BES worked as a product and how poorly it communicated to administrators.
Clearly you have some vested interest in the product, so nothing will convince you.
Sir:
We *had* been wondering why during every unannounced visit to the Blackberry/RIM department in our office, we'd catch them, some with feet up on their desks, lounging around with arms behind their heads, some paper airplanes flying around, or some paper basketball match or dart game going on. They always say some variation of "...working on it", "...I'm on it", or "We managed to produce that list you were asking about". I had always attributed it to their efficiency. Now we know. Appreciate the heads-up, thanks!
WARNING: Smartphones have side effects--most of them undocumented.
Karl Denninger writes up his experience in attempting to replicate the claim. Karl calls BS:
http://market-ticker.org/cgi-ticker/akcs-www?singlepost=3242634
Don't Buy The BS Being Run on BB10 Email Security
There's a "report" flying around alleging that BB10 phones send unencrypted email passwords to BlackBerry and additionally that BlackBerry immediately connects back to the email server and signs on (which would, of course, require that it knows the password.)
This is easily tested and since I have a Z10 I decided to do exactly that.
What I am doing here is setting up an account called "test" on my IMAP server to receive email and then I will enter the credentials into the phone.
To make it interesting I will do it over the Cellular Connection rather than over WiFi, so that if the phone wants to do some sort of DNS lookup that my server might block (if it was using my DNS servers as it was connected via WiFi) it'll work.
Here we go. {full documentation follows}
The cure for cancer is coming: Reovirus
Karl continues:
Let's push the button and see who talks to us.
Jul 18 10:25:05 NewFS imapd[88446]: Login user=test host=mc35536d0.tmodns.net [208.54.85.195]
And that's all. (That's the phone's IP address on T-Mobile, incidentally.)
Now let's look at the SMTP server and see if there's any evidence of a connection from the 68.171 address block -- which belongs to BlackBerry, and which is alleged to try to connect back.
[root@NewFS /var/log]# grep 68.171 spamblock
[root@NewFS /var/log]#
Nothing. Is the 208.54 address there?
Jul 18 10:09:21 NewFS spamblock-sys[81673]: Starting SSL/TLS negotiation with peer [208.54.85.195]
Jul 18 10:24:53 NewFS spamblock-sys[88447]: Starting SSL/TLS negotiation with peer [208.54.85.195]
[root@NewFS /var/log]#
Why yes there is, as the phone does connect to validate that the connection works (and it tells you it's doing so.) The other line, incidentally, is because there's another email account there (my real one!)
The phone connected to the SMTP server ("spamblock-sys" is my custom spam filter, which knows how to perform SSL/TLS negotiation) and performs a STARTTLS negotiation exactly as I told it to do.
Incidentally, it also brings up the server's certificate and asks me if it's ok too.
But there is no connection back to either service from any other location related to this account setup. Not from BlackBerry, not from some other place, nowhere. Period.
For those who want a bit more background on the SMTP side: the code in question, particularly the SMTP code, is mine. The SMTP server in question ("Spamblock-Sys") was written from the ground up by myself. I know every single line of that code and am not relying on anyone else's word as to what is and is not logged, since I wrote it.
The IMAP server in question is WU's with moderate modification.
I have no idea if the guy in Germany is lying or if he is on an account provisioned for BIS (the older BlackBerry handsets) and his mobile provider is intercepting the transaction and passing it to BIS, which is doing what he's talking about.
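The check Karl performs by hand above (grep the mail logs for the 68.171 block, then confirm the only peer is the phone's own address) can be turned into a small log checker. The following is an added example, not Karl's code or anything from BlackBerry/RIM: it parses syslog-style IMAP/SMTP lines of the shape quoted in the thread, tags each peer against a watched netblock and an allowlist, and flags a login for the same user from a second source address within a short window, which is the pattern an immediate connect-back would leave. The sample log is constructed: the first three lines mirror what Karl reports, the fourth is invented to show what a hit would look like, and 68.171.0.0/16 as the watched block is an assumption based on the "68.171 address block" mentioned above.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample log. Lines 1-3 mirror the thread (phone on T-Mobile tests
# SMTP via STARTTLS, then logs in to IMAP); line 4 is invented to show what a
# connect-back from the netblock attributed to BlackBerry/RIM would look like.
SAMPLE_LOG = """\
Jul 18 10:09:21 NewFS spamblock-sys[81673]: Starting SSL/TLS negotiation with peer [208.54.85.195]
Jul 18 10:24:53 NewFS spamblock-sys[88447]: Starting SSL/TLS negotiation with peer [208.54.85.195]
Jul 18 10:25:05 NewFS imapd[88446]: Login user=test host=mc35536d0.tmodns.net [208.54.85.195]
Jul 18 10:25:09 NewFS imapd[88450]: Login user=test host=unknown [68.171.232.33]
"""

# syslog prefix: "Mon DD HH:MM:SS host proc[pid]: message"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
PEER_RE = re.compile(r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s*$")  # trailing [a.b.c.d]
USER_RE = re.compile(r"\buser=(?P<user>\S+)")


def parse_line(line):
    """Return one event dict for a mail log line with a peer address, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    peer = PEER_RE.search(m["msg"])
    if not peer:
        return None  # nothing to attribute without a peer address
    user = USER_RE.search(m["msg"])
    # syslog timestamps carry no year; strptime defaults to 1900, fine for deltas
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    return {
        "time": ts,
        "proc": m["proc"],
        "peer": ipaddress.ip_address(peer["ip"]),
        "user": user["user"] if user else None,
        "login": m["msg"].startswith("Login "),
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def classify_peers(events, watched, allowed):
    """Tag each event 'watched' (peer in a watched netblock), 'unexpected'
    (outside every allowed network) or 'expected'."""
    watched = [ipaddress.ip_network(n) for n in watched]
    allowed = [ipaddress.ip_network(n) for n in allowed]
    tagged = []
    for e in events:
        if any(e["peer"] in n for n in watched):
            tag = "watched"
        elif allowed and not any(e["peer"] in n for n in allowed):
            tag = "unexpected"
        else:
            tag = "expected"
        tagged.append((e["proc"], str(e["peer"]), e["user"], tag))
    return tagged


def second_source_logins(events, window_seconds=300):
    """Logins by the same user from a different peer address within
    window_seconds of an earlier login: the trace a connect-back would leave."""
    logins = sorted((e for e in events if e["login"] and e["user"]),
                    key=lambda e: e["time"])
    hits = []
    for i, later in enumerate(logins):
        for earlier in logins[:i]:
            if earlier["user"] != later["user"] or earlier["peer"] == later["peer"]:
                continue
            if (later["time"] - earlier["time"]).total_seconds() <= window_seconds:
                hits.append((later["user"], str(earlier["peer"]), str(later["peer"])))
                break
    return hits


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    # assumed: 68.171.0.0/16 is the block to watch, 208.54.0.0/16 is the phone's carrier
    for row in classify_peers(events, ["68.171.0.0/16"], ["208.54.0.0/16"]):
        print(row)
    for user, first, second in second_source_logins(events):
        print(f"user {user}: login from {first} followed by {second} within window")
```

On Karl's real logs the fourth line is absent, so the watched tag never appears and the second-source check returns nothing; on the constructed log it reports the invented 68.171.232.33 login following the phone's own login four seconds later.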
I've read all the comments on this thread (at time of posting) and this is the FIRST commenter that actually understands what the problem actually is.
For BB10 devices:
For nonBB10 devices with BES or BIS:
So, yes, if BB10s are sending email creds to RIM, then that's huge fuckup.
My guess is, someone forgot to comment out that lump of code when they switched to ActiveSync support.
-Jar
Together, We Can Make Slashdot Better. I Do NOT Mod ACs. - Check Me Out
Karl Denninger has proven this is utterly false. http://market-ticker.org/akcs-www?post=222846
That's why I encrypt my iPhone backup, and keep it local, not on iCloud.
Actually, the Heise article clearly states this only happens if you do not use the "advanced" configuration option and if you use the advanced one (and select yourself what kind of connection it is), the transfer of password does _not_ happen. They also state that unfortunately, the "advanced" tag is hidden under the virtual keyboard and so easily overlooked, which is completely true. (Yes, I am a German native speaker and did read the Heise article. Nobody is lying there at all.)
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
BB10 supports POP3 as well as ActiveSync.
POP3 works the same way it always has.
For push to work with POP3 the RIM server has to log in to the POP3 server and collect the mail for you before pushing it to the device.
Oh and BES email never went through RIM. It is encrypted straight from the company email server to the device.
The original article began with lots of alarmist click-bait remarks, but the actual content seems to follow this obvious explanation:
BlackBerry Issues Updated Statement Regarding Alleged Email Credentials Harvesting
For those of you who think it should be possible to do all this connection testing locally on-device, mobile networks and WiFi hotspots have so many real-world issues with random port blocking and filtering that there actually is value in a test independent of the user's device. I don't know whether or not this is the reason they took this approach, of course, but it is worth consideration.
So the issue is with POP3, and not ActiveSync? Ahhh, that makes more sense then.
Really? - Something goes on with BES and the RIM service - coz when theres a RIM outage, BES based BBs can't get mail.
Only very few people have this issue ;-)
Actually, according to German law, sending the passwords to Blackberry, regardless of the reason and without a clear warning and opt-out possibility, _is_ illegal. As to the storing and sending in plain, yes, that was probably hyperbole. But the fact remains that sending them without clear customer consent and opt-out possibility is a criminal act, punishable by up to 2 years imprisonment. And, no, shrink-wrap licenses are not valid either in Germany, and the customer can only give away this protection with a written and signed statement.