
Blackberry 10 Sends Full Email Account Credentials To RIM

vikingpower writes "How a phone manufacturer making a somewhat successful come-back can shoot itself in the foot: Marc "van Hauser" Heuse, who works for German technology magazine Heise, has discovered that immediately after setting up an email account on Blackberry 10 OS, full credentials for that account are sent to Research In Motion, the Canadian Blackberry manufacturer. Shortly after performing the set-up, the first successful connections from a server located within the RIM domain appear in the mail server's logs. (Most of the story in English, some comments in German.) At least according to German law, this is completely illegal, as the phone's user does not get a single indication or notice of what is being done." (Here's Heise's article, in German.)
  • Re:lol what (Score:5, Informative)

    by h4rr4r ( 612664 ) on Thursday July 18, 2013 @09:41AM (#44316889)

    Actually it has, if you don't have a BES.

    If you needed to login to a server that did not have a BES you were forced to hand over your credentials to blackberry since the devices themselves did not talk any other protocols.

    They called this service BIS.

  • by pla ( 258480 ) on Thursday July 18, 2013 @09:47AM (#44316945) Journal

    What person thinks this is OK?

    Every single non-technical person in the company, who has no clue whatsoever about the implications of this, doesn't care about all your "paranoid theories", and "just wants the damned thing to work!"

    The same people who give their email address to every popup ad that asks for it and then bitch to IT about all the spam they get. And then bitch about all the still-spam-but-of-interest-to-them they stop getting when you turn up the filters on their account. And then bitch about having to remember yet another password when you give them access to manage their own spam filter settings and can't you just be a dear and go in every morning and manually delete the spam they don't want but let the spam they do want through?
  • by Lunix Nutcase ( 1092239 ) on Thursday July 18, 2013 @09:52AM (#44317001)

    Protip: This is the way BIS has always worked. A post explaining this from four years ago... [crackberry.com] Heise is way behind the times if they've only just now discovered that this is how BlackBerry email works.

  • Summary in English (Score:5, Informative)

    by schneidafunk ( 795759 ) on Thursday July 18, 2013 @09:57AM (#44317051)
    "When you enter your POP / IMAP e-mail credentials into a Blackberry 10 phone they will be sent to Blackberry without your consent or knowledge. A server with the IP 68.171.232.33, which is in the Research In Motion (RIM) netblock in Canada, will instantly connect to your mailserver and log in with your credentials. If you do not have forced SSL/TLS configured on your mail server, your credentials will be sent in the clear by BlackBerry's server for the connection. Blackberry thus not only has your e-mail credentials stored in its database, it makes them available to anyone sniffing in between – namely the NSA and GCHQ, as documented by the recent Edward Snowden leaks. Canada is a member of the “Five Eyes”, the tight-knit cooperation between the interception agencies of the USA, UK, Canada, Australia and New Zealand, so you need to assume that they have access to RIM's databases. You should delete your e-mail accounts from any Blackberry 10 device immediately, change the e-mail password and resort to using an alternative mail program like K9Mail.

    Clarification: this issue is not about PIN-messaging, BBM, push-messaging or any other Blackberry service where you expect that your credentials are sent to RIM. This happens if you only enter your own private IMAP / POP credentials into the standard Blackberry 10 email client without having any kind of BES, special configuration or any explicit service relationship or contract with Blackberry. The client should only connect directly to your mail server and nowhere else. A phone hardware vendor has no right, for whatever reason, to harvest account credentials back to his server without explicit user consent and then, on top of that, connect back to the mail server with them."
  • by inject_hotmail.com ( 843637 ) on Thursday July 18, 2013 @10:38AM (#44317489)

    Next news on slashdot:

    Shocking! Researcher discovers hitting submit on the login page of Gmail actually TRANSFERS ALL YOUR CREDENTIALS to Google.

    Hey asshole, pay attention. The issue here isn't that a first or second party is getting the password, it's that the third party is... the third party doesn't need it at all. Let me spell it out for you: This would be similar to Mozilla, Microsoft, or Apple transmitting your password to themselves just because you are using their browser.

    Indeed, this is how it has always worked on BlackBerry devices, so I'm not quite sure why this is news. Anyone who didn't already understand this simply doesn't have any technical imagination.

  • Re:Wow ... (Score:4, Informative)

    by ArsenneLupin ( 766289 ) on Thursday July 18, 2013 @11:10AM (#44317821)
    If the phone brings down its IP connection while some TCP flows are still open, it might not be able to re-attach to these, as it will most probably get a different IP address once it brings up the physical connection again. Not to mention that the server would have no way of sending a packet to the mobile during this "sleeping" phase...

    If on the other hand it doesn't bring down the IP connection, it might incur roaming fees, depending on commercial offers, contractual setups etc. If the user is lucky, and is charged by traffic, then there will be no problem (almost no packets exchanged during idle). If on the other hand he is billed over time (like some Austrian and Eastern European operators do), he'd still be stuck with a hefty roaming bill...

  • Re:Wow ... (Score:5, Informative)

    by LordLimecat ( 1103839 ) on Thursday July 18, 2013 @11:22AM (#44317981)

    But I've been advising companies who deal in secrets (R&D trade secrets mostly) to avoid Blackberry for the entire time I've been doing security consulting (since before I got a Treo) because it was never a secret how Blackberry works.

    Then despite your really good explanation it seems that YOU don't fully understand it. If you have one of those expensive BES servers, RIM never sees your credentials, your mail, or anything, and you have THE most secure mass-market mobile email system out there.

    BES supports

    • Per-device symmetric encryption (way outclasses SSL, which is a security nightmare between compromised CAs, compromised ciphers, and expiring certs)
    • Enforcing memory and device encryption for years prior to anyone else attempting it, let alone getting it right
    • Remote device wipe, which iOS / Android have only recently gotten, and which actually works
    • Enforcing any and every option you might want on any or all BlackBerries in your organization -- want to force all browsing thru a proxy? Or to go through your corporate firewall? Not a problem.
    • Locking down the devices to prevent installation of undesired apps

    Some of these features have been picked up by other device "classes" (iOS, Android), some have been reimplemented badly (i.e., device encryption, remote wipe, screen lock), but no one has gotten the comms down as secure as a proper BES.

    If you're advising people to avoid BES for SECURITY REASONS, you shouldn't be in the business of advising people. Foreign governments have famously gotten their feathers ruffled because RIM makes it clear that there is no way to snoop those connections.

  • Karl continues:

    Let's push the button and see who talks to us.

    Jul 18 10:25:05 NewFS imapd[88446]: Login user=test host=mc35536d0.tmodns.net [208.54.85.195]

    And that's all. (That's the phone's IP address on T-Mobile, incidentally.)

    Now let's look at the SMTP server and see if there's any evidence of a connection from the 68.171 address block -- which belongs to BlackBerry, and which is alleged to try to connect back.

    [root@NewFS /var/log]# grep 68.171 spamblock
    [root@NewFS /var/log]#

    Nothing. Is the 208.54 address there?

    Jul 18 10:09:21 NewFS spamblock-sys[81673]: Starting SSL/TLS negotiation with peer [208.54.85.195]
    Jul 18 10:24:53 NewFS spamblock-sys[88447]: Starting SSL/TLS negotiation with peer [208.54.85.195]
    [root@NewFS /var/log]#

    Why yes there is, as the phone does connect to validate that the connection works (and it tells you it's doing so.) The other line, incidentally, is because there's another email account there (my real one!)

    The phone connected to the SMTP server ("spamblock-sys" is my custom spam filter, which knows how to perform SSL/TLS negotiation) and performs a STARTTLS negotiation exactly as I told it to do.

    Incidentally, it also brings up the server's certificate and asks me if it's ok too.

    But there is no connection back to either service from any other location related to this account setup. Not from BlackBerry, not from some other place, nowhere. Period.

    For those who want a bit more background on the SMTP side: the code in question, particularly the SMTP code, is mine. The SMTP server in question ("Spamblock-Sys") was written from the ground up by myself. I know every single line of that code and am not relying on anyone else's word as to what is and is not logged, since I wrote it.

    The IMAP server in question is WU's with moderate modification.

    I have no idea if the guy in Germany is lying or if he is on an account provisioned for BIS (the older BlackBerry handsets) and his mobile provider is intercepting the transaction and passing it to BIS, which is doing what he's talking about.
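As an added example (not from Karl's post, the Heise article or any RIM software), here is a small Python check that automates the grep Karl ran: it parses imapd "Login" lines in the syslog format his comment shows and flags a login from the 68.171 block that follows a handset login for the same user within a few minutes. The sample lines, the 68.171.232.33 login, the /16 width of the vendor block and the five-minute window are constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample log lines in the syslog format shown in the thread;
# the 68.171.232.33 login is made up to exercise the check.
SAMPLE_LOG = """\
Jul 18 10:25:05 NewFS imapd[88446]: Login user=test host=mc35536d0.tmodns.net [208.54.85.195]
Jul 18 10:25:09 NewFS imapd[88451]: Login user=test host=unknown [68.171.232.33]
Jul 18 10:26:40 NewFS imapd[88460]: Login user=alice host=mc35536d0.tmodns.net [208.54.85.195]
Jul 18 12:30:00 NewFS imapd[90001]: Login user=test host=home.example [198.51.100.7]
"""

# Assumption: the "68.171 address block" named in the thread is treated as a /16.
VENDOR_NETS = [ipaddress.ip_network("68.171.0.0/16")]

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ imapd\[\d+\]: "
    r"Login user=(?P<user>\S+) host=\S+ \[(?P<ip>[\d.]+)\]$"
)


def parse_logins(text, year=2013):
    """Return (timestamp, user, ip) for every imapd Login line in text."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # not an IMAP login line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        logins.append((ts, m["user"], ipaddress.ip_address(m["ip"])))
    return logins


def find_replayed_logins(logins, window_s=300):
    """Flag a vendor-netblock login that follows a non-vendor login for the
    same user within window_s seconds: the pattern a credential replay by a
    third-party server would leave in the log."""
    last_seen = {}  # user -> (timestamp, ip) of the latest non-vendor login
    alerts = []
    for ts, user, ip in sorted(logins):
        if any(ip in net for net in VENDOR_NETS):
            prev = last_seen.get(user)
            if prev and (ts - prev[0]).total_seconds() <= window_s:
                alerts.append((user, str(ip), str(prev[1])))
        else:
            last_seen[user] = (ts, ip)
    return alerts
```

Each alert names the account, the vendor-block address that logged in and the handset address it followed, which is the evidence Karl's grep was looking for.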
