Slashdot Mirror


Blackberry 10 Sends Full Email Account Credentials To RIM

vikingpower writes "How a phone manufacturer making a somewhat successful come-back can shoot itself in the foot: Marc "van Hauser" Heuse, who works for German technology magazine Heise, has discovered that immediately after setting up an email account on Blackberry 10 OS, full credentials for that account are sent to Research In Motion, the Canadian Blackberry manufacturer. Shortly after performing the set-up, the first successful connections from a server located within the RIM domain appear in the mail server's logs. (Most of the story in English, some comments in German.) At least according to German law, this is completely illegal, as the phone's user does not get a single indication or notice of what is being done." (Here's Heise's article, in German.)

13 of 191 comments

  1. What person thinks this is OK? by Anonymous Coward · Score: 4, Insightful

    There is an engineer, somewhere within this organization, that thinks this is a good idea. I, the important person (due to my stack of dollar bills), will never purchase such a device.

    1. Re:What person thinks this is OK? by Anonymous Coward · Score: 4, Insightful

      Rule of thumb for corporation ethics: If you have to ask the legal department if something is OK then it is still unethical and consumer unfriendly.

      Or the catchier version: If you can't tell if something is legal without asking a lawyer then your customers can't do it either.

    2. Re:What person thinks this is OK? by pla · Score: 5, Informative

      What person thinks this is OK?

      Every single non-technical person in the company, who has no clue whatsoever about the implications of this, doesn't care about all your "paranoid theories", and "just wants the damned thing to work!"

      The same people who give their email address to every popup ad that asks for it and then bitch to IT about all the spam they get. And then bitch about all the still-spam-but-of-interest-to-them they stop getting when you turn up the filters on their account. And then bitch about having to remember yet another password when you give them access to manage their own spam filter settings and can't you just be a dear and go in every morning and manually delete the spam they don't want but let the spam they do want through?

    3. Re:What person thinks this is OK? by Lunix+Nutcase · Score: 5, Informative

      Protip: This is the way BIS has always worked. A post explaining this from four years ago... Heise is way behind the times if they've only just now discovered that this is how BlackBerry email works.

    4. Re:What person thinks this is OK? by LordLimecat · Score: 4, Insightful

      The first time I saw that I knew I was not getting a blackberry.

      Then you didn't do your research very well, because BIS is the ghetto "I can't afford a BES" experience. A proper BES is magnitudes more secure than anything SSL has to offer.

    5. Re:What person thinks this is OK? by LordLimecat · Score: 5, Insightful

      likely

      Translation: I know nothing about how BES works, but I won't let my ignorance prevent me from criticizing it.

      For the record, anyone who has administered a BES knows that it's a far better experience than anything ActiveSync has ever had, and magnitudes more secure. ActiveSync bases its entire security on a single server certificate, and having your cert chain vetted, and assuming that your trusted CA doesn't get compromised, and your ciphers aren't subject to the BEAST attack. BES has per-device keys, and until AES gets cracked, BES won't be cracked.

  2. To: NSA and other spooks by Jawnn · Score: 4, Funny

    Memo: Go get it yourself. Gentlemen, We're tired of having to carry this data mining workload on our networks and servers. Here's the list of user names and passwords that we collected for you. Knock yourself out. Regards, RIM

  3. Does anyone care? by dgr73 · Score: 4, Insightful

    I was in a conference once where all the big players in the security field were sitting and saying "no way we'll build backdoors into our systems, the best guarantee against that is the fact that if it's found out, we'll be killed in the market, nobody will buy from us". But considering how most companies hit by the NSA scandal are still doing brisk business, I don't think RIM has anything to fear from anyone except a handful of Slashdotters, who use other types of phones anyway.

  4. Re:lol what by h4rr4r · Score: 5, Informative

    Actually it has, if you don't have a BES.

    If you needed to login to a server that did not have a BES you were forced to hand over your credentials to blackberry since the devices themselves did not talk any other protocols.

    They called this service BIS.

  5. Summary in English by schneidafunk · Score: 4, Informative

    "When you enter your POP / IMAP e-mail credentials into a Blackberry 10 phone they will be sent to Blackberry without your consent or knowledge. A server with the IP 68.171.232.33 which is in the Research In Motion (RIM) netblock in Canada will instantly connect to your mailserver and log in with your credentials. If you do not have forced SSL/TLS configured on your mail server, your credentials will be sent in the clear by Blackberry's server for the connection. Blackberry thus has not only your e-mail credentials stored in its database, it makes them available to anyone sniffing in between – namely the NSA and GCHQ as documented by the recent Edward Snowden leaks. Canada is a member of the “Five Eyes”, the tight-knit cooperation between the interception agencies of USA, UK, Canada, Australia and New Zealand, so you need to assume that they have access to RIM's databases. You should delete your e-mail accounts from any Blackberry 10 device immediately, change the e-mail password and resort to using an alternative mail program like K9Mail.

    Clarification: this issue is not about PIN-messaging, BBM, push-messaging or any other Blackberry service where you expect that your credentials are sent to RIM. This happens if you only enter your own private IMAP / POP credentials into the standard Blackberry 10 email client without having any kind of BES, special configuration or any explicit service relationship or contract with Blackberry. The client should only connect directly to your mail server and nowhere else. A phone hardware vendor has no right, for whatever reason, to harvest account credentials back to its server without explicit user consent and then on top of that connect back to the mail server with them."

    --
    Some people die at 25 and aren't buried until 75. -Benjamin Franklin

  6. Re:Wow ... by ArsenneLupin · Score: 4, Insightful

    IMAP even supports push via IMAP IDLE.

    Yes, but that only works while you are connected to the server, which needs a (potentially expensive) IP connection.

    True push might "wake up" your phone with a special SMS when a mail is ready, and then the phone only needs to establish the connection when needed, rather than keeping it up permanently, potentially incurring roaming fees.

  7. Re:Wow ... by LordLimecat · Score: 5, Informative

    But I've been advising companies who deal in secrets (R&D trade secrets mostly) to avoid Blackberry for the entire time I've been doing security consulting (since before I got a Treo) because it was never a secret how Blackberry works.

    Then despite your really good explanation it seems that YOU don't fully understand it. If you have one of those expensive BES servers, RIM never sees your credentials, your mail, or anything, and you have THE most secure mass-market mobile email system out there.

    BES supports

    • Per-device symmetric encryption (way outclasses SSL which is a security nightmare between compromised CAs, compromised ciphers, and expiring certs)
    • Enforcing memory and device encryption for years prior to anyone else attempting it, let alone getting it right
    • remote device wipe which IOS / android have only recently gotten, and which actually works
    • enforcing any and every option you might want on any or all blackberries in your organization-- want to force all browsing thru a proxy? Or to go through your corporate firewall? Not a problem.
    • Locking down the devices to prevent installation of undesired apps

    Some of these features have been picked up by other device "classes" (IOS, Android), some have been reimplemented badly (i.e., device encryption, remote wipe, screen lock), but no one has gotten the comms down as secure as a proper BES.

    If you're advising people to avoid BES for SECURITY REASONS, you shouldn't be in the business of advising people. Foreign governments have famously gotten their feathers ruffled because RIM makes it clear that there is no way to snoop those connections.

  8. Re:Debunked - Did anyone actually try verifying th by bshroyer · Score: 4, Informative

    Karl continues:

    Let's push the button and see who talks to us.

    Jul 18 10:25:05 NewFS imapd[88446]: Login user=test host=mc35536d0.tmodns.net [208.54.85.195]

    And that's all. (That's the phone's IP address on T-Mobile, incidentally.)

    Now let's look at the SMTP server and see if there's any evidence of a connection from the 68.171 address block -- which belongs to BlackBerry, and which allegedly tries to connect back.

    [root@NewFS /var/log]# grep 68.171 spamblock
    [root@NewFS /var/log]#

    Nothing. Is the 208.54 address there?

    Jul 18 10:09:21 NewFS spamblock-sys[81673]: Starting SSL/TLS negotiation with peer [208.54.85.195]
    Jul 18 10:24:53 NewFS spamblock-sys[88447]: Starting SSL/TLS negotiation with peer [208.54.85.195]
    [root@NewFS /var/log]#

    Why yes there is, as the phone does connect to validate that the connection works (and it tells you it's doing so.) The other line, incidentally, is because there's another email account there (my real one!)

    The phone connected to the SMTP server ("spamblock-sys" is my custom spam filter, which knows how to perform SSL/TLS negotiation) and performed a STARTTLS negotiation exactly as I told it to do.

    Incidentally, it also brings up the server's certificate and asks me if it's ok too.

    But there is no connection back to either service from any other location related to this account setup. Not from BlackBerry, not from some other place, nowhere. Period.

    For those who want a bit more background on the SMTP side the code in question, particularly the SMTP code, is mine. The SMTP server in question ("Spamblock-Sys") was written from the ground up by myself. I know every single line of that code and am not relying on anyone else's word as to what is and is not logged, since I wrote it.

    The IMAP server in question is WU's with moderate modification.

    I have no idea if the guy in Germany is lying or if he is on an account provisioned for BIS (the older BlackBerry handsets) and his mobile provider is intercepting the transaction and passing it to BIS, which is doing what he's talking about.

    --
    The cure for cancer is coming: Reovirus
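The practical check behind both the English summary (comment 5, which names 68.171.232.33) and Karl's log grep in comment 8 is the same: right after adding the account on the phone, look at the mail server's logs for logins or TLS negotiations from any address that is not the phone itself. The script below is an added example written for this page; it is not Karl's spamblock-sys code, not Heise's test, and not anything from RIM. It parses syslog-style imapd "Login" and "Starting SSL/TLS negotiation" lines of the shape quoted in the thread, and flags peers inside 68.171.0.0/16 (the only netblock the thread attributes to BlackBerry). The sample log lines are constructed: the first three copy the shapes Karl posted, the last two are invented to show what a hit from 68.171.232.33 would look like. Every other name in the block is the example's own.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Netblock the thread attributes to BlackBerry/RIM (comment 8: "the 68.171 address
# block -- which belongs to BlackBerry"). Add any other range you would not expect
# to see logging in as yourself. This list is an assumption of the example.
SUSPECT_NETWORKS = [ipaddress.ip_network("68.171.0.0/16")]

# Constructed sample log. Lines 1-3 follow the shapes quoted in the thread; lines 4-5
# are invented to show a connect-back from the 68.171.232.33 address the summary names.
SAMPLE_LOG = """\
Jul 18 10:09:21 NewFS spamblock-sys[81673]: Starting SSL/TLS negotiation with peer [208.54.85.195]
Jul 18 10:24:53 NewFS spamblock-sys[88447]: Starting SSL/TLS negotiation with peer [208.54.85.195]
Jul 18 10:25:05 NewFS imapd[88446]: Login user=test host=mc35536d0.tmodns.net [208.54.85.195]
Jul 18 10:25:09 NewFS imapd[88450]: Login user=test host=unknown [68.171.232.33]
Jul 18 10:25:10 NewFS spamblock-sys[88451]: Starting SSL/TLS negotiation with peer [68.171.232.33]
"""

# syslog prefix, program name and pid, then a message ending in a bracketed IPv4 peer.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<prog>[\w-]+)\[\d+\]: "
    r"(?P<msg>.*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\])\s*$"
)
USER_RE = re.compile(r"\buser=(\S+)")


def parse_line(line: str) -> Optional[dict]:
    """Return timestamp, program, peer address and (if present) login user, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:  # e.g. an octet above 255
        return None
    user_m = USER_RE.search(m["msg"])
    return {
        "ts": m["ts"],
        "prog": m["prog"],
        "ip": ip,
        "user": user_m.group(1) if user_m else None,
    }


def find_unexpected_peers(
    lines: Iterable[str], networks=SUSPECT_NETWORKS
) -> List[Tuple[str, str, str]]:
    """Every parsed line whose peer falls inside one of the suspect networks."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if any(rec["ip"] in net for net in networks):
            hits.append((rec["ts"], rec["prog"], str(rec["ip"])))
    return hits


def login_sources(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each mailbox user to the set of addresses it logged in from.

    A freshly configured account should show exactly one source (the phone);
    a second address appearing within seconds of setup is the thing to explain.
    """
    sources: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["user"] is not None:
            sources[rec["user"]].add(str(rec["ip"]))
    return dict(sources)


if __name__ == "__main__":
    for ts, prog, ip in find_unexpected_peers(SAMPLE_LOG.splitlines()):
        print(f"{ts} {prog}: peer {ip} is inside a suspect netblock")
    for user, ips in login_sources(SAMPLE_LOG.splitlines()).items():
        print(f"user {user} logged in from {len(ips)} address(es): {sorted(ips)}")
```

Run it over the minute or two of log around the account setup rather than the whole file; on Karl's log (the first three constructed lines) it reports nothing, which is his result, while any line from the 68.171 block or a second login source for the test user is what the Heise test describes. The netblock list is deliberately explicit so the check does not depend on reverse DNS, which the connect-back address may not have.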