BlackBerry Forums Support Community
Old 07-18-2013, 08:35 AM   #1
ZombieBerry
BlackBerry Extraordinaire
Join Date: Sep 2010
Location: Toronto
Model: Priv
OS: 5.1.1
PIN: 2AB9C463
Carrier: WIND
Posts: 2,364
Default Security Concerns with BB10


Blackberry 10 macht E-Mail-Passworte für NSA und GCHQ zugreifbar | Knowledge Brings Fear

Summary in English:

When you enter your POP / IMAP e-mail credentials into a Blackberry 10 phone they will be sent to Blackberry without your consent or knowledge. A server with the IP 68.171.232.33 which is in the Research In Motion (RIM) netblock in Canada will instantly connect to your mailserver and log in with your credentials. If you do not have forced SSL/TLS configured on your mail server, your credentials will be sent in the clear by Blackberry's server for the connection. Blackberry thus has not only your e-mail credentials stored in its database, it makes them available to anyone sniffing in between – namely the NSA and GCHQ as documented by the recent Edward Snowden leaks. Canada is a member of the “Five Eyes”, the tight-knit cooperation between the interception agencies of USA, UK, Canada, Australia and New Zealand, so you need to assume that they have access to RIM's databases. You should delete your e-mail accounts from any Blackberry 10 device immediately, change the e-mail password and resort to using an alternative mail program like K9Mail.

Clarification: this issue is not about PIN-messaging, BBM, push-messaging or any other Blackberry service where you expect that your credentials are sent to RIM. This happens if you only enter your own private IMAP / POP credentials into the standard Blackberry 10 email client without having any kind of BER, special configuration or any explicit service relationship or contract with Blackberry. The client should only connect directly to your mail server and nowhere else. A phone hardware vendor has no right to for whatever reason harvest account credentials back to his server without explicit user consent and then on top of that connect back to the mail server with them.

Recipe for own experiment:
1. set up your own mail server with full logging
2. create throw-away IMAP account
3. enter IMAP account credentials into Blackberry 10 device, note time
4. check mail with Blackberry
5. look in logfiles for IP 68.171.232.33 (or others from RIM netblock)

Update:

Since some diehard Blackberry friends doubted the veracity of this discovery here are example logfiles from dovecot and smtpd. The original domain has been replaced with “mymailserver.org” and the IP with “217.xxx.xxx.xxx”.
I started configuring the mail account at 13:46. As can be clearly seen, long before there is a successful connect from my mobile operator E-Plus (46.115.99.217) that should have happened in the very first place, the Blackberry server 68.171.232.33 connected back to my mailserver apparently trying to figure out the correct configuration for the account, as soon as I had entered user, password and mailserver name. And it logged in successfully with my e-mail credentials after figuring out the correct SSL / TLS configuration.

smtpd log:

Jul 17 13:47:12 mymailserver vpopmail[98463]: vchkpw-submission: (PLAIN) login success [email address]:68.171.232.33
Jul 17 13:47:12 mymailserver vpopmail[98464]: vchkpw-submission: (PLAIN) login success [email address]:68.171.232.33
Jul 17 13:47:13 mymailserver vpopmail[98465]: vchkpw-smtp: (PLAIN) login success [email address]:68.171.232.33
Jul 17 13:47:13 mymailserver vpopmail[98466]: vchkpw-smtp: (PLAIN) login success [email address]:68.171.232.33
Jul 17 13:48:59 mymailserver vpopmail[98580]: vchkpw-smtp: (PLAIN) login success [email address]:46.115.99.217



dovecot log:

Jul 17 13:47:11 auth(default): Info: vpopmail(frank@mymailserver.org,68.171.232.33): lookup user=frank domain=mymailserver.org
Jul 17 13:47:11 auth(default): Info: client out: OK 1 user=frank@mymailserver.org
Jul 17 13:47:11 auth(default): Info: vpopmail(frank@mymailserver.org,68.171.232.33): lookup user=frank domain=mymailserver.org
Jul 17 13:47:11 auth(default): Info: master out: USER 96457 [email address] uid=89 gid=89 home=/usr/local/vpopmail/domains/mymailserver.org/frank
Jul 17 13:47:11 imap-login: Info: Login: user=<frank@mymailserver.org>, method=PLAIN, rip=68.171.232.33, lip=217.xxx.xxx.xxx, TLS
Jul 17 13:47:11 auth(default): Info: vpopmail(frank@mymailserver.org,68.171.232.33): lookup user=frank domain=mymailserver.org
Jul 17 13:47:11 auth(default): Info: client out: OK 1 user=frank@mymailserver.org
Jul 17 13:47:11 auth(default): Info: vpopmail(frank@mymailserver.org,68.171.232.33): lookup user=frank domain=mymailserver.org
Jul 17 13:47:11 auth(default): Info: master out: USER 96458 [email address] uid=89 gid=89 home=/usr/local/vpopmail/domains/mymailserver.org/frank
Jul 17 13:47:11 auth(default): Info: vpopmail(frank@mymailserver.org,68.171.232.33): lookup user=frank domain=mymailserver.org
Jul 17 13:47:11 auth(default): Info: client out: OK 1 user=frank@mymailserver.org
Jul 17 13:47:11 imap-login: Info: Login: user=<frank@mymailserver.org>, method=PLAIN, rip=68.171.232.33, lip=217.xxx.xxx.xxx, TLS
Jul 17 13:47:11 auth(default): Info: vpopmail(frank@mymailserver.org,68.171.232.33): lookup user=frank domain=mymailserver.org
Jul 17 13:47:11 auth(default): Info: master out: USER 96459 [email address] uid=89 gid=89 home=/usr/local/vpopmail/domains/mymailserver.org/frank
Jul 17 13:47:11 imap-login: Info: Login: user=<frank@mymailserver.org>, method=PLAIN, rip=68.171.232.33, lip=217.xxx.xxx.xxx, TLS
Jul 17 13:47:11 IMAP(frank@mymailserver.org): Info: Disconnected: Logged out bytes=8/328
Jul 17 13:47:11 IMAP(frank@mymailserver.org): Info: Disconnected: Logged out bytes=8/328
Jul 17 13:47:11 IMAP(frank@mymailserver.org): Info: Disconnected: Logged out bytes=8/328
Jul 17 13:47:12 auth(default): Info: vpopmail(frank@mymailserver.org,68.171.232.33): lookup user=frank domain=mymailserver.org
Jul 17 13:47:12 auth(default): Info: client out: OK 1 user=frank@mymailserver.org
Jul 17 13:47:12 auth(default): Info: vpopmail(frank@mymailserver.org,68.171.232.33): lookup user=frank domain=mymailserver.org
Jul 17 13:47:12 auth(default): Info: master out: USER 96460 [email address] uid=89 gid=89 home=/usr/local/vpopmail/domains/mymailserver.org/frank
Jul 17 13:47:12 imap-login: Info: Login: user=<frank@mymailserver.org>, method=PLAIN, rip=68.171.232.33, lip=217.xxx.xxx.xxx, TLS
Jul 17 13:47:12 auth(default): Info: vpopmail(frank@mymailserver.org,68.171.232.33): lookup user=frank domain=mymailserver.org
Jul 17 13:47:12 auth(default): Info: client out: OK 1 user=frank@mymailserver.org
Jul 17 13:47:12 auth(default): Info: vpopmail(frank@mymailserver.org,68.171.232.33): lookup user=frank domain=mymailserver.org
Jul 17 13:47:12 auth(default): Info: master out: USER 96461 [email address] uid=89 gid=89 home=/usr/local/vpopmail/domains/mymailserver.org/frank
Jul 17 13:47:12 imap-login: Info: Login: user=<frank@mymailserver.org>, method=PLAIN, rip=68.171.232.33, lip=217.xxx.xxx.xxx, TLS
Jul 17 13:47:12 auth(default): Info: vpopmail(frank@mymailserver.org,68.171.232.33): lookup user=frank domain=mymailserver.org
Jul 17 13:47:12 auth(default): Info: client out: OK 1 user=frank@mymailserver.org
Jul 17 13:47:12 auth(default): Info: vpopmail(frank@mymailserver.org,68.171.232.33): lookup user=frank domain=mymailserver.org
Jul 17 13:47:12 auth(default): Info: master out: USER 96462 [email address] uid=89 gid=89 home=/usr/local/vpopmail/domains/mymailserver.org/frank
Jul 17 13:47:12 imap-login: Info: Login: user=<frank@mymailserver.org>, method=PLAIN, rip=68.171.232.33, lip=217.xxx.xxx.xxx, TLS
Jul 17 13:47:12 IMAP(frank@mymailserver.org): Info: Disconnected: Logged out bytes=8/328
Jul 17 13:47:12 IMAP(frank@mymailserver.org): Info: Disconnected: Logged out bytes=8/328
Jul 17 13:47:12 IMAP(frank@mymailserver.org): Info: Disconnected: Logged out bytes=8/328
Jul 17 13:48:54 auth(default): Info: vpopmail(frank@mymailserver.org,46.115.99.217): lookup user=frank domain=mymailserver.org
Jul 17 13:48:54 auth(default): Info: client out: OK 1 user=frank@mymailserver.org
Jul 17 13:48:54 auth(default): Info: vpopmail(frank@mymailserver.org,46.115.99.217): lookup user=frank domain=mymailserver.org
Jul 17 13:48:54 auth(default): Info: master out: USER 96480 [email address] uid=89 gid=89 home=/usr/local/vpopmail/domains/mymailserver.org/frank
Jul 17 13:48:54 imap-login: Info: Login: user=<frank@mymailserver.org>, method=PLAIN, rip=46.115.99.217, lip=217.xxx.xxx.xxx, TLS

English Summary with German original @ Blackberry 10 macht E-Mail-Passworte für NSA und GCHQ zugreifbar | Knowledge Brings Fear
__________________
fere libenter homines id quod volunt credunt
Offline  
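Step 5 of the recipe in the post above (checking the mail server logs for logins from an unexpected source), as an added example that is not part of the original post or the linked article. The function names and the `year` default are assumptions of this sketch, the watch list holds only the one address the post names, and the sample lines are excerpted from the logs quoted in the post.

```python
import ipaddress
import re
from datetime import datetime

# Only the address named in the post; add the vendor netblock from WHOIS as CIDRs.
WATCHED = [ipaddress.ip_network("68.171.232.33/32")]

# Lines excerpted from the smtpd and dovecot logs quoted in the post.
SAMPLE_LOG = """\
Jul 17 13:47:11 imap-login: Info: Login: user=<frank@mymailserver.org>, method=PLAIN, rip=68.171.232.33, lip=217.xxx.xxx.xxx, TLS
Jul 17 13:47:12 imap-login: Info: Login: user=<frank@mymailserver.org>, method=PLAIN, rip=68.171.232.33, lip=217.xxx.xxx.xxx, TLS
Jul 17 13:47:12 mymailserver vpopmail[98463]: vchkpw-submission: (PLAIN) login success [email address]:68.171.232.33
Jul 17 13:48:54 imap-login: Info: Login: user=<frank@mymailserver.org>, method=PLAIN, rip=46.115.99.217, lip=217.xxx.xxx.xxx, TLS
Jul 17 13:48:59 mymailserver vpopmail[98580]: vchkpw-smtp: (PLAIN) login success [email address]:46.115.99.217
"""

STAMP = r"^(\w{3} +\d+ [\d:]{8}) "
DOVECOT = re.compile(STAMP + r"imap-login: Info: Login: user=<[^>]*>, method=\w+, rip=([0-9a-fA-F:.]+),")
VPOPMAIL = re.compile(STAMP + r"\S+ vpopmail\[\d+\]: vchkpw-(\w+): \(\w+\) login success .*:([\d.]+)$")

def parse_logins(text, year=2013):
    """Return (time, service, source_ip, tls) per successful login, oldest first."""
    events = []
    for line in text.splitlines():
        if m := DOVECOT.match(line):
            stamp, service, ip, tls = m[1], "imap", m[2], ", TLS" in line
        elif m := VPOPMAIL.match(line):
            stamp, service, ip, tls = m[1], m[2], m[3], None  # TLS state not logged
        else:
            continue
        # syslog stamps carry no year; the caller supplies it (assumption)
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((when, service, ipaddress.ip_address(ip), tls))
    return sorted(events, key=lambda e: e[0])

def summarize(events, watched=WATCHED):
    """Per source IP: first login, login count, services used, watched flag."""
    report = {}
    for when, service, ip, tls in events:
        entry = report.setdefault(str(ip), {
            "first": when, "count": 0, "services": set(), "cleartext": 0,
            "watched": any(ip in net for net in watched)})
        entry["count"] += 1
        entry["services"].add(service)
        entry["cleartext"] += tls is False  # dovecot login without the TLS marker
    return report

def watched_before_others(report):
    """Watched IPs whose first login precedes every unwatched source's first login."""
    others = [e["first"] for e in report.values() if not e["watched"]]
    return sorted(ip for ip, e in report.items()
                  if e["watched"] and (not others or e["first"] < min(others)))
```

Run `summarize(parse_logins(...))` over the full dovecot and smtpd logs for the test window; a non-zero `cleartext` count for a source means dovecot recorded a login from it without TLS.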
Old 07-18-2013, 07:50 PM   #2
daphne
BBF Spam Killer Moderator
Join Date: May 2007
Location: on a sunny beach
Model: Paspt
OS: 10.3.0.90
PIN: X1ZPY34K
Carrier: VZW but not for long
Posts: 9,176
Default Re: Security Concerns with BB10

Unfortunately this is not really surprising since all mobile communications are now being monitored and recorded and sent to the NSA, along with all internet communications.
__________________
Report spam text messages to 7726
#BlackBerry by choice
Offline  
Old 07-18-2013, 08:21 PM   #3
ZombieBerry
BlackBerry Extraordinaire
Join Date: Sep 2010
Location: Toronto
Model: Priv
OS: 5.1.1
PIN: 2AB9C463
Carrier: WIND
Posts: 2,364
Default

Quote:
Originally Posted by daphne View Post
Unfortunately this is not really surprising since all mobile communications are now being monitored and recorded and sent to the NSA, along with all internet communications.
I would take this with a grain of salt. There is more to the story than is reported.

Email setup was done automatically, which means the person entered his/her email address and password. What does BlackBerry do when that happens? It fetches the information like server and stuff. If you enter advanced and fill in all the information yourself, then BB's servers are not involved. This only affects POP/IMAP, not AS.

I'm not convinced that BlackBerry keeps the login information. I believe it is being collected to use against their database to aid in adding the info it needs to complete the setup.
Posted via BlackBerryForums.com Mobile
Offline  
Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.