BlackBerry Forums Support Community

BlackBerry Forums Support Community (http://www.blackberryforums.com/)
-   BlackBerry and Mobile Security (http://www.blackberryforums.com/blackberry-mobile-security/)
-   -   Security Concerns with BB10 (http://www.blackberryforums.com/blackberry-mobile-security/264824-security-concerns-bb10.html)

ZombieBerry 07-18-2013 09:35 AM

Security Concerns with BB10
 
Blackberry 10 macht E-Mail-Passworte für NSA und GCHQ zugreifbar | Knowledge Brings Fear

Summary in english:

When you enter your POP / IMAP e-mail credentials into a Blackberry 10 phone they will be sent to Blackberry without your consent or knowledge. A server with the IP 68.171.232.33 which is in the Research In Motion (RIM) netblock in Canada will instantly connect to your mailserver and log in with your credentials. If you do not have forced SSL/TLS configured on your mail server, your credentials will be sent in the clear by Blackberrys server for the connection. Blackberry thus has not only your e-mail credentials stored in its database, it makes them available to anyone sniffing inbetween – namely the NSA and GCHQ as documented by the recent Edward Snowden leaks. Canada is a member of the “Five Eyes”, the tigh-knitted cooperation between the interception agencies of USA, UK, Canada, Australia and New Zealand, so you need to assume that they have access to RIMs databases. You should delete your e-mail accounts from any Blackberry 10 device immediately, change the e-mail password and resort to use an alternative mail program like K9Mail.

Clarification: this issue is not about PIN-messaging, BBM, push-messaging or any other Blackberry service where you expect that your credentials are sent to RIM. This happens if you only enter your own private IMAP / POP credentials into the standard Blackberry 10 email client without having any kind BER, special configuration or any explicit service relationship or contract with Blackberry. The client should only connect directly to your mail server and nowhere else. A phone hardware vendor has no right to for whatever reason harvest account credentials back to his server without explicit user consent and then on top of that connect back to the mail server with them.

Recipe for own experiment:
1. set up your own mail server with full logging
2. create throw-away IMAP account
3. enter IMAP account credentials into Blackberry 10 device, note time
4. check mail with Blackberry
5. look in logfiles for IP 68.171.232.33 (or others from RIM netblock)

Update:

Since some diehard Blackberry friends doubted the veracity of this discovery here are example logfiles from dovecot and smtpd. The original domain has been replaced with “mymailserver.org” and the IP with “217.xxx.xxx.xxx”.
I started configuring the mail account 13:46. As can be clearly seen, long before there is a successful connect from my mobile operator E-Plus (46.115.99.217) that should have happened in the very first place, the Blackberry server 68.171.232.33 connected back to my mailserver apparently trying to figure out the correct configuration for the account, as soon as I had entered user, password and mailserver name. And it logged in sucessfully with my e-mail credentials after figuring out the correct SSL / TLS configuration.

smtpd log:

Jul 17 13:47:12 mymailserver vpopmail[98463]: vchkpw-submission: (PLAIN) login success [email address]:68.171.232.33
Jul 17 13:47:12 mymailserver vpopmail[98464]: vchkpw-submission: (PLAIN) login success [email address]:68.171.232.33
Jul 17 13:47:13 mymailserver vpopmail[98465]: vchkpw-smtp: (PLAIN) login success [email address]:68.171.232.33
Jul 17 13:47:13 mymailserver vpopmail[98466]: vchkpw-smtp: (PLAIN) login success [email address]:68.171.232.33
Jul 17 13:48:59 mymailserver vpopmail[98580]: vchkpw-smtp: (PLAIN) login success [email address]:46.115.99.217



dovceot log:

Jul 17 13:47:11 auth(default): Info: vpopmail(frank@mymailserver.org,68.171.232.33): lookup user=frank domain=mymailserver.org
Jul 17 13:47:11 auth(default): Info: client out: OK 1 user=frank@mymailserver.org
Jul 17 13:47:11 auth(default): Info: vpopmail(frank@mymailserver.org,68.171.232.33): lookup user=frank domain=mymailserver.org
Jul 17 13:47:11 auth(default): Info: master out: USER 96457 [email address] uid=89 gid=89 home=/usr/local/vpopmail/domains/mymailserver.org/frank
Jul 17 13:47:11 imap-login: Info: Login: user=<frank@mymailserver.org>, method=PLAIN, rip=68.171.232.33, lip=217.xxx.xxx.xxx, TLS
Jul 17 13:47:11 auth(default): Info: vpopmail(frank@mymailserver.org,68.171.232.33): lookup user=frank domain=mymailserver.org
Jul 17 13:47:11 auth(default): Info: client out: OK 1 user=frank@mymailserver.org
Jul 17 13:47:11 auth(default): Info: vpopmail(frank@mymailserver.org,68.171.232.33): lookup user=frank domain=mymailserver.org
Jul 17 13:47:11 auth(default): Info: master out: USER 96458 [email address] uid=89 gid=89 home=/usr/local/vpopmail/domains/mymailserver.org/frank
Jul 17 13:47:11 auth(default): Info: vpopmail(frank@mymailserver.org,68.171.232.33): lookup user=frank domain=mymailserver.org
Jul 17 13:47:11 auth(default): Info: client out: OK 1 user=frank@mymailserver.org
Jul 17 13:47:11 imap-login: Info: Login: user=<frank@mymailserver.org>, method=PLAIN, rip=68.171.232.33, lip=217.xxx.xxx.xxx, TLS
Jul 17 13:47:11 auth(default): Info: vpopmail(frank@mymailserver.org,68.171.232.33): lookup user=frank domain=mymailserver.org
Jul 17 13:47:11 auth(default): Info: master out: USER 96459 [email address] uid=89 gid=89 home=/usr/local/vpopmail/domains/mymailserver.org/frank
Jul 17 13:47:11 imap-login: Info: Login: user=<frank@mymailserver.org>, method=PLAIN, rip=68.171.232.33, lip=217.xxx.xxx.xxx, TLS
Jul 17 13:47:11 IMAP(frank@mymailserver.org): Info: Disconnected: Logged out bytes=8/328
Jul 17 13:47:11 IMAP(frank@mymailserver.org): Info: Disconnected: Logged out bytes=8/328
Jul 17 13:47:11 IMAP(frank@mymailserver.org): Info: Disconnected: Logged out bytes=8/328
Jul 17 13:47:12 auth(default): Info: vpopmail(frank@mymailserver.org,68.171.232.33): lookup user=frank domain=mymailserver.org
Jul 17 13:47:12 auth(default): Info: client out: OK 1 user=frank@mymailserver.org
Jul 17 13:47:12 auth(default): Info: vpopmail(frank@mymailserver.org,68.171.232.33): lookup user=frank domain=mymailserver.org
Jul 17 13:47:12 auth(default): Info: master out: USER 96460 [email address] uid=89 gid=89 home=/usr/local/vpopmail/domains/mymailserver.org/frank
Jul 17 13:47:12 imap-login: Info: Login: user=<frank@mymailserver.org>, method=PLAIN, rip=68.171.232.33, lip=217.xxx.xxx.xxx, TLS
Jul 17 13:47:12 auth(default): Info: vpopmail(frank@mymailserver.org,68.171.232.33): lookup user=frank domain=mymailserver.org
Jul 17 13:47:12 auth(default): Info: client out: OK 1 user=frank@mymailserver.org
Jul 17 13:47:12 auth(default): Info: vpopmail(frank@mymailserver.org,68.171.232.33): lookup user=frank domain=mymailserver.org
Jul 17 13:47:12 auth(default): Info: master out: USER 96461 [email address] uid=89 gid=89 home=/usr/local/vpopmail/domains/mymailserver.org/frank
Jul 17 13:47:12 imap-login: Info: Login: user=<frank@mymailserver.org>, method=PLAIN, rip=68.171.232.33, lip=217.xxx.xxx.xxx, TLS
Jul 17 13:47:12 auth(default): Info: vpopmail(frank@mymailserver.org,68.171.232.33): lookup user=frank domain=mymailserver.org
Jul 17 13:47:12 auth(default): Info: client out: OK 1 user=frank@mymailserver.org
Jul 17 13:47:12 auth(default): Info: vpopmail(frank@mymailserver.org,68.171.232.33): lookup user=frank domain=mymailserver.org
Jul 17 13:47:12 auth(default): Info: master out: USER 96462 [email address] uid=89 gid=89 home=/usr/local/vpopmail/domains/mymailserver.org/frank
Jul 17 13:47:12 imap-login: Info: Login: user=<frank@mymailserver.org>, method=PLAIN, rip=68.171.232.33, lip=217.xxx.xxx.xxx, TLS
Jul 17 13:47:12 IMAP(frank@mymailserver.org): Info: Disconnected: Logged out bytes=8/328
Jul 17 13:47:12 IMAP(frank@mymailserver.org): Info: Disconnected: Logged out bytes=8/328
Jul 17 13:47:12 IMAP(frank@mymailserver.org): Info: Disconnected: Logged out bytes=8/328
Jul 17 13:48:54 auth(default): Info: vpopmail(frank@mymailserver.org,46.115.99.217): lookup user=frank domain=mymailserver.org
Jul 17 13:48:54 auth(default): Info: client out: OK 1 user=frank@mymailserver.org
Jul 17 13:48:54 auth(default): Info: vpopmail(frank@mymailserver.org,46.115.99.217): lookup user=frank domain=mymailserver.org
Jul 17 13:48:54 auth(default): Info: master out: USER 96480 [email address] uid=89 gid=89 home=/usr/local/vpopmail/domains/mymailserver.org/frank
Jul 17 13:48:54 imap-login: Info: Login: user=<frank@mymailserver.org>, method=PLAIN, rip=46.115.99.217, lip=217.xxx.xxx.xxx, TLS

English Summary with German original @ Blackberry 10 macht E-Mail-Passworte für NSA und GCHQ zugreifbar | Knowledge Brings Fear

daphne 07-18-2013 02:50 PM

Re: Security Concerns with BB10
 
Unfortunately this is not really surprising since all mobile communications are now being monitored and recorded and sent to the NSA, along with all internet communications.

ZombieBerry 07-18-2013 03:21 PM

Quote:

Originally Posted by daphne (Post 1806002)
Unfortunately this is not really surprising since all mobile communications are now being monitored and recorded and sent to the NSA, along with all internet communications.

I would take this with a grain of salt. There is more to the story than is reported.

Email setup was done automatically, which means the person entered his/her email address and password. What does BlackBerry do when that happens. It fetches the information like server and stuff. If you enter advanced and fill in all the information yourself, then BB's servers are not involved. This only affects POP/IMAP, not AS.

I'm not convinced that BlackBerry keeps the login information. I believe it is being collected to use against their database to aid in adding the info it needs to complete the setup.
Posted via BlackBerryForums.com Mobile


All times are GMT -5. The time now is 10:44 AM.

Powered by vBulletin® Version 3.6.12
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.