Blackberry 10 Sends Full Email Account Credentials To RIM
vikingpower writes "How a phone manufacturer making a somewhat successful come-back can shoot itself in the foot: Marc "van Hauser" Heuse, who works for German technology magazine Heise, has discovered that immediately after setting up an email account on Blackberry 10 OS, full credentials for that account are sent to Research In Motion, the Canadian Blackberry manufacturer. Shortly after performing the set-up, the first successful connections from a server located within the RIM domain appear in the mail server's logs. (Most of the story in English, some comments in German.) At least according to German law, this is completely illegal, as the phone's user does not get a single indication or notice of what is being done." (Here's Heise's article, in German.)
There is an engineer, somewhere within this organization, that thinks this is a good idea. I, the important person (due to my stack of dollar bills), will never purchase such a device.
Yeah, which is why I always laugh whenever anyone says they are secure devices.
If they can rationalize this behavior, only FSM knows what else they are doing.
Memo: Go get it yourself. Gentlemen, We're tired of having to carry this data mining workload on our networks and servers. Here's the list of user names and passwords that we collected for you. Knock yourself out. Regards, RIM
It's so that they can push to the device from servers that don't support that functionality. This is how my previous (Nokia E71) phone did push email, for instance. But in that case you provided your login details through their website and then connected the phone to your Nokia Mail account, so it was clear what was going on.
I was in a conference once where all the big players in the security field were sitting and saying "no way we'll build backdoors into our systems, the best guarantee against that is the fact that if it's found out, we'll be killed in the market, nobody will buy from us". But considering how most companies hit by the NSA scandal are still doing brisk business, I don't think RIM has anything to fear from anyone except a handful of Slashdotters, who use other types of phones anyway.
There is no reason to send your email credentials to RIM
Push notifications about new email?
Extreme Programming - Redundant Array of Inexpensive Developers
Actually it has, if you don't have a BES.
If you needed to login to a server that did not have a BES you were forced to hand over your credentials to blackberry since the devices themselves did not talk any other protocols.
They called this service BIS.
Bullshit.
IMAP even supports push via IMAP IDLE. There is no good reason for that in this day and age. This is just Blackberry again being behind the times and out of date.
For what POP3?
IMAP idle is widely supported in 2013.
So either RIM feels they should have this, or they're really stupid.
... the local device needs it, but I can't think of a single defensible reason to send your credentials to their servers.
There is no reason to send your email credentials to RIM
Why do companies feel they're entitled to this kind of information? Pretty much everyone who owns a BlackBerry should be asking if they can really trust the device.
Looks like you have no clue how RIM e-mail works on Blackberries. Just copy and pasting a quick summary on how their e-mail system works. "Unlike other PDAs, the BlackBerry device does not log into your email account for you, and check for new messages. This pull type email is best related to having a Post Office box. It requires physical action on your part to go and check your mail. You have to get up, drive in your car to the PO Box location, open it up, check for new mail, get back in your car, and drive home. All this time you are expending time and energy. What happens if you are unable to check the box due to the store/post office being closed? You have to wait until the next chance you get, and then check. As you can see this is not a very time/energy efficient way of doing things.
On the other hand, if you had someone to bring your mail to you, a postal worker, wouldn't that be a better alternative? All you have to do is sit at home and when the mail arrives you have it. No need to do anything, no need to go anywhere else. This is how the BlackBerry architecture works." (Example from Crackberry.com)
For a site apparently loaded with computer professionals, it's astounding how many here do not know how BlackBerry e-mail works.
I haven't done all my reading on the new BB10 setup, but I know previous devices not only used RIM's servers to fetch email before passing it on to the device, but actually tunneled all internet traffic through their system. Now, from the article (or at least Google's translation of it), it sounds like BB10 says that setup is no longer used for the push email. However, are they still tunneling through RIM? The article also seems to make a jump in assuming that RIM is storing this data (who else may be listening in along the way is another discussion entirely). The only reference that I saw in the article was to the connection occurring immediately after setting up the account. This could just as easily point to a "test, then throw away" procedure as part of e-mail setup on BB10. Unless there is additional information showing a series of connections over a period of time after setting up the account, there doesn't appear to be any indication that RIM is actually keeping this data.
For such a long comment it is astounding how you don't know how email works in 2013.
What you are talking about was neat in 1995; today it is redundant and a security nightmare. Today we have ActiveSync and IMAP IDLE. Both of these provide push email without handing your password over to RIM or putting you at risk of no email when they have one of their famous outages.
It's a little different, this sends it as soon as you set up the account apparently.
I've set my Android devices to not use Google's cloud backup because I'm increasingly distrustful of them. That, and keeping the Google+ shit at bay.
But in this case, it sounds like as soon as you create an account RIM has your password -- that to me is a terribly designed system.
And RIM wants to make their messaging client available on other platforms? Suddenly it doesn't look like a trustworthy system to me.
Lost at C:>. Found at C.
"When you enter your POP / IMAP e-mail credentials into a Blackberry 10 phone they will be sent to Blackberry without your consent or knowledge. A server with the IP 68.171.232.33 which is in the Research In Motion (RIM) netblock in Canada will instantly connect to your mailserver and log in with your credentials. If you do not have forced SSL/TLS configured on your mail server, your credentials will be sent in the clear by Blackberry's server for the connection. Blackberry thus has not only your e-mail credentials stored in its database, it makes them available to anyone sniffing in between – namely the NSA and GCHQ as documented by the recent Edward Snowden leaks. Canada is a member of the "Five Eyes", the tight-knit cooperation between the interception agencies of USA, UK, Canada, Australia and New Zealand, so you need to assume that they have access to RIM's databases. You should delete your e-mail accounts from any Blackberry 10 device immediately, change the e-mail password and resort to using an alternative mail program like K9Mail.
Clarification: this issue is not about PIN-messaging, BBM, push-messaging or any other Blackberry service where you expect that your credentials are sent to RIM. This happens if you only enter your own private IMAP / POP credentials into the standard Blackberry 10 email client without having any kind of BES, special configuration or any explicit service relationship or contract with Blackberry. The client should only connect directly to your mail server and nowhere else. A phone hardware vendor has no right, for whatever reason, to harvest account credentials back to his server without explicit user consent and then on top of that connect back to the mail server with them."
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
Why do companies feel they're entitled to this kind of information?
I'll play the devil's advocate here and suggest that RIM might not have done this out of a sense of entitlement, but rather out of a sense of laziness or generally poor programming. This information is not necessarily all that valuable to them anyways.
Pretty much everyone who owns a BlackBerry should be asking if they can really trust the device.
The device just came out, and this applies only to the two newest BlackBerries. The bigger question is how long will it take them to correct this. They have a choice here; they can either say "oops, we didn't mean to do that" and patch it so that this information isn't passed on in the future, or they can try to come up with some obfuscated excuse why this data being passed on doesn't hurt the user. If they do the former, then it can be attributed to human error. If they do the latter then they might want to consider closing their doors for good.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
I don't know what you guys are talking about. If the Blackberry is good enough for your President, it should be good enough for you.
But I guess thanks to that nice Mr Snowden, he doesn't have as much to hide any more.
IMAP even supports push via IMAP IDLE.
Yes, but that only works while you are connected to the server, which needs a (potentially expensive) IP connection.
True push might "wake up" your phone with a special SMS when a mail is ready, and then the phone only needs to establish the connection when needed, rather than keeping it up permanently, potentially incurring roaming fees.
For such a long comment it is astounding how you don't know how email works in 2013.
I think he knows how modern e-mail works and was explaining how Blackberry works.
What you are talking about was neat in 1995; today it is redundant and a security nightmare. Today we have ActiveSync and IMAP IDLE. Both of these provide push email without handing your password over to RIM or putting you at risk of no email when they have one of their famous outages.
Look, we've had IMAP IDLE since 1997, the first RIM pager was introduced in 1998 and the first Blackberry smartphone was introduced in 2000. It's never been about the available technology (I was using IMAP IDLE on my Treo 650 in 2004) but about, at the time, enforcing a business model using Blackberry Enterprise Servers. They were about $28K when the phones were about $300. They were rolling in the dough, because CxO's were demanding Blackberries as fashion accessories. The iPhone replaced it as the must-have fashion accessory. There is one great thing to say about the Blackberry - it had lots of hardware buttons to make message navigation very usable and most other smartphones missed and continue to miss this.
But I've been advising companies who deal in secrets (R&D trade secrets mostly) to avoid Blackberry for the entire time I've been doing security consulting (since before I got a Treo) because it was never a secret how Blackberry works.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
If it's anything like the previous-generation BlackBerries, it's shockingly bad. We bought one for my wife on the strength of it having a physical keyboard, and waded through all the hand-over-your-password BIS nonsense. And, well... I guess it *might* work if you never ever want to look at your mail from anything other than your BB. Once the BB has decided what *its* view of your mailboxes is, good luck in having anything else you do via all your other (IMAP, webmail, whatever) clients have any relationship whatsoever to what you see or do on the BB.
Hello RIM? That's the *whole* *fucking* *point* of IMAP - the mail stays on the server, and I can get the same view of it from anywhere, not go through all the hoops we used to have to jump through to fake synchronisation on POP3 clients.
I've since disabled (or deconfigured, or otherwise turned off) the whole BB mail piece, and installed LogicMail, which I heartily recommend. It's a regular IMAP client, it makes IP connections to the mail server, and it all works Just Fine. If she leaves it running, it gets new mail notifications via IDLE. If she closes it, she doesn't get notifications, but it doesn't suck juice or network usage IDLEing. Her choice.
Maybe the firmware of your device, mine is not running an official one.
If you have to let them store your password it is insecure. It is that simple. A good secure proxy system would be handed a token that identifies them as a user of your account but not you. So that one could actually audit usage and the like. BIS does not do this because it is less of integration and more of a MITM attack.
If on the other hand it doesn't bring down the IP connection, it might incur roaming fees, depending on commercial offers, contractual setups etc. If the user is lucky, and is charged by traffic, then there will be no problem (almost no packets exchanged during idle). If on the other hand, he is billed over time (like some Austrian and Eastern European operators do), he'd still be stuck with a hefty roaming bill...
But I've been advising companies who deal in secrets (R&D trade secrets mostly) to avoid Blackberry for the entire time I've been doing security consulting (since before I got a Treo) because it was never a secret how Blackberry works.
Then despite your really good explanation it seems that YOU don't fully understand it. If you have one of those expensive BES servers, RIM never sees your credentials, your mail, or anything, and you have THE most secure mass-market mobile email system out there.
BES supports
Some of these features have been picked up by other device "classes" (iOS, Android), some have been reimplemented badly (i.e., device encryption, remote wipe, screen lock), but no one has gotten the comms down as secure as a proper BES.
If you're advising people to avoid BES for SECURITY REASONS, you shouldn't be in the business of advising people. Foreign governments have famously gotten their feathers ruffled because RIM makes it clear that there is no way to snoop those connections.
Except maintaining a persistent IP connection is expensive. Not expensive in the sense of money, but expensive in terms of battery life - instead of the phone being able to go into a low power idle mode ("camping") where it only pings the tower once a second semi-autonomously, it now has to maintain an IP connection and wake up far more often. It's why battery life drains so much quicker once you turn on email fetching. If you need to handoff, the modem does it automatically with just a little power drawn. But handing off the IP connection requires a bit more work as well.
What RIM does is their servers do the polling and IP connection maintenance for you. They then use a very efficient communications mechanism (SMS) to tell your phone that new email has arrived and the phone wakes up and establishes a connection to RIM (all BB traffic is routed through RIM, including BES) and transfers the new data.
If you're using BES, RIM proxies your connection to the BES server and the connection is encrypted from RIM (because BES and the BB made a key when the link was established).
If you're not using BES, RIM is providing you BES-like stuff through the proxy. And yes, it also means RIM can read your email (they need to compress/transform attachments/process/etc the mail for the device - better to do it on beefy processors in a datacenter versus having to have the phone understand all the file formats). This also means attachments can stay on the server without being transferred over the data connection, or previews created, etc).
Which architecture is better? It depends. Full autonomy is the iOS and Android way, with the phone making the data connection itself, at the expense of battery life.
Flexibility and lower cost means a central server is nicer, but then it's like cloud email.
Karl Denninger writes up his experience in attempting to replicate the claim. Karl calls BS:
http://market-ticker.org/cgi-ticker/akcs-www?singlepost=3242634
Don't Buy The BS Being Run on BB10 Email Security
There's a "report" flying around alleging that BB10 phones send unencrypted email passwords to BlackBerry and additionally that BlackBerry immediately connects back to the email server and signs on (which would, of course, require that it knows the password.)
This is easily tested and since I have a Z10 I decided to do exactly that.
What I am doing here is setting up an account called "test" on my IMAP server to receive email and then I will enter the credentials into the phone.
To make it interesting I will do it over the Cellular Connection rather than over WiFi, so that if the phone wants to do some sort of DNS lookup that my server might block (if it was using my DNS servers as it was connected via WiFi) it'll work.
Here we go. {full documentation follows}
The cure for cancer is coming: Reovirus
Karl continues:
Let's push the button and see who talks to us.
Jul 18 10:25:05 NewFS imapd[88446]: Login user=test host=mc35536d0.tmodns.net [208.54.85.195]
And that's all. (That's the phone's IP address on T-Mobile, incidentally.)
Now let's look at the SMTP server and see if there's any evidence of a connection from the 68.171 address block -- which belongs to BlackBerry, and which is alleged to try to connect back.
[root@NewFS /var/log]# grep 68.171 spamblock
[root@NewFS /var/log]#
Nothing. Is the 208.54 address there?
Jul 18 10:09:21 NewFS spamblock-sys[81673]: Starting SSL/TLS negotiation with peer [208.54.85.195]
Jul 18 10:24:53 NewFS spamblock-sys[88447]: Starting SSL/TLS negotiation with peer [208.54.85.195]
[root@NewFS /var/log]#
Why yes there is, as the phone does connect to validate that the connection works (and it tells you it's doing so.) The other line, incidentally, is because there's another email account there (my real one!)
The phone connected to the SMTP server ("spamblock-sys" is my custom spam filter, which knows how to perform SSL/TLS negotiation) and performs a STARTTLS negotiation exactly as I told it to do.
Incidentally, it also brings up the server's certificate and asks me if it's ok too.
But there is no connection back to either service from any other location related to this account setup. Not from BlackBerry, not from some other place, nowhere. Period.
For those who want a bit more background on the SMTP side the code in question, particularly the SMTP code, is mine. The SMTP server in question ("Spamblock-Sys") was written from the ground up by myself. I know every single line of that code and am not relying on anyone else's word as to what is and is not logged, since I wrote it.
The IMAP server in question is WU's with moderate modification.
I have no idea if the guy in Germany is lying or if he is on an account provisioned for BIS (the older BlackBerry handsets) and his mobile provider is intercepting the transaction and passing it to BIS, which is doing what he's talking about.
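Karl's test above comes down to grepping the mail server logs for logins on the freshly created account from anywhere other than the handset. The script below is an added example (not Karl's code, nor anything from Heise or RIM) that automates that check over constructed sample lines in the same imapd / spamblock-sys format; it assumes 68.171.0.0/16 as the vendor block the thread refers to and 208.54.0.0/16 as the phone's carrier range, and the 68.171.232.33 login line is fabricated so there is something to flag.

```python
import re
import ipaddress

# Constructed sample, modelled on the imapd / spamblock-sys lines quoted in the post.
# The last line (a login from 68.171.232.33) is added here so the check has something
# to flag; it is NOT from Karl's log, which showed no such connection.
SAMPLE_LOG = """\
Jul 18 10:09:21 NewFS spamblock-sys[81673]: Starting SSL/TLS negotiation with peer [208.54.85.195]
Jul 18 10:24:53 NewFS spamblock-sys[88447]: Starting SSL/TLS negotiation with peer [208.54.85.195]
Jul 18 10:25:05 NewFS imapd[88446]: Login user=test host=mc35536d0.tmodns.net [208.54.85.195]
Jul 18 10:25:09 NewFS imapd[88450]: Login user=test host=unknown [68.171.232.33]
"""

# Assumed ranges: the 68.171 block the thread attributes to BlackBerry, and the
# handset's own carrier range (the phone logged in from 208.54.85.195).
SUSPECT_NETS = [ipaddress.ip_network("68.171.0.0/16")]
EXPECTED_NETS = [ipaddress.ip_network("208.54.0.0/16")]

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
IMAP_RE = re.compile(TS + r" \S+ imapd\[\d+\]: Login user=(?P<user>\S+) host=\S+ \[(?P<ip>[^\]]+)\]")
SMTP_RE = re.compile(TS + r" \S+ spamblock-sys\[\d+\]: Starting SSL/TLS negotiation with peer \[(?P<ip>[^\]]+)\]")


def parse_events(log_text):
    """Turn raw syslog lines into (service, timestamp, user-or-None, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = IMAP_RE.match(line)
        if m:
            events.append(("imap", m["ts"], m["user"], m["ip"]))
            continue
        m = SMTP_RE.match(line)
        if m:
            events.append(("smtp", m["ts"], None, m["ip"]))
    return events


def classify(ip_str):
    """'suspect' if inside a vendor block, 'expected' if in the handset's range, else 'unknown'."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in SUSPECT_NETS):
        return "suspect"
    if any(ip in net for net in EXPECTED_NETS):
        return "expected"
    return "unknown"


def audit(log_text, user):
    """Return every IMAP login for `user` and every SMTP session that did not come
    from the expected handset range, so a second client using the credentials shows up."""
    findings = []
    for service, ts, who, ip in parse_events(log_text):
        if service == "imap" and who != user:
            continue
        verdict = classify(ip)
        if verdict != "expected":
            findings.append({"service": service, "ts": ts, "ip": ip, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, "test"):
        print(f"{f['ts']} {f['service']} from {f['ip']}: {f['verdict']}")
```

Run against a real log, an empty result for the test account is the "nothing" Karl reports; any "suspect" or "unknown" entry is a login you did not make yourself and is worth chasing.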
email polling couldn't account for more than a pittance of my 4GB monthly allowance
Generally push email is used to save on battery consumption not data transfer. And battery life is still a big sticking point even on modern smart phones.
I wish I were as sure of anything as some people are of everything