1. mahva's Avatar
    The way BlackBerry is using the email setup has security experts raising alarm bells.
    Frank Rieger, spokesperson for the Chaos communication club, is calling on all people to stop using BlackBerry's email setup since BlackBerry stores all login info on their servers, thus granting the NSA and other security agencies access to your email account.

    BlackBerry needs to immediately address those concerns since they are not authorized to keep my password and login name. They are violating the law and can be held responsible.

    Quote:
    "When you enter your POP / IMAP e-mail credentials into a Blackberry 10 phone they will be sent to Blackberry without your consent or knowledge. A server with the IP 68.171.232.33 which is in the Research In Motion (RIM) netblock in Canada will instantly connect to your mailserver and log in with your credentials. If you do not have forced SSL/TLS configured on your mail server, your credentials will be sent in the clear by Blackberry's server for the connection. Blackberry thus has not only your e-mail credentials stored in its database, it makes them available to anyone sniffing in between, namely the NSA and GCHQ as documented by the recent Edward Snowden leaks. Canada is a member of the "Five Eyes", the tight-knitted cooperation between the interception agencies of USA, UK, Canada, Australia and New Zealand, so you need to assume that they have access to RIM's databases. You should delete your e-mail accounts from any Blackberry 10 device immediately, change the e-mail password and resort to use an alternative mail program like K9Mail.

    Clarification: this issue is not about PIN-messaging, BBM, push-messaging or any other Blackberry service where you expect that your credentials are sent to RIM. This happens if you only enter your own private IMAP / POP credentials into the standard Blackberry 10 email client without having any kind of BER, special configuration or any explicit service relationship or contract with Blackberry. The client should only connect directly to your mail server and nowhere else. A phone hardware vendor has no right to for whatever reason harvest account credentials back to his server without explicit user consent and then on top of that connect back to the mail server with them.

    Recipe for own experiment:
    1. set up your own mail server with full logging
    2. create throw-away IMAP account
    3. enter IMAP account credentials into Blackberry 10 device, note time
    4. check mail with Blackberry
    5. look in logfiles for IP 68.171.232.33 (or others from RIM netblock)"

    http://frank.geekheim.de/?p=2379

    Posted via CB10
    07-17-13 06:42 PM
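The log check from the "Recipe for own experiment" in the post above, as an added example that is not part of the original thread or of Frank Rieger's article. It assumes Dovecot-style `imap-login` lines; the account name, device address and log lines are constructed, and the watch list holds only the one address named in the post because no netblock range is given on the page.

```python
import ipaddress
import re
from datetime import datetime

# Watch list: only the address quoted in the post. Add the vendor netblock
# from a WHOIS lookup here; the page does not give a CIDR range.
WATCHED_NETS = [ipaddress.ip_network("68.171.232.33/32")]

# Constructed sample lines in Dovecot's imap-login style (assumed format).
SAMPLE_LOG = """\
2013-07-17T17:30:00 imap-login: Login: user=<throwaway>, method=PLAIN, rip=198.51.100.99, lip=192.0.2.10, mpid=4000, TLS, session=<a0>
2013-07-17T18:01:12 imap-login: Login: user=<throwaway>, method=PLAIN, rip=203.0.113.25, lip=192.0.2.10, mpid=4101, TLS, session=<a1>
2013-07-17T18:01:15 imap-login: Login: user=<throwaway>, method=PLAIN, rip=68.171.232.33, lip=192.0.2.10, mpid=4102, session=<a2>
2013-07-17T18:02:40 imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=4103, TLS, session=<a3>
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) imap-login: Login: user=<(?P<user>[^>]*)>, "
    r"method=(?P<method>\S+), rip=(?P<rip>[0-9a-fA-F.:]+),(?P<rest>.*)$"
)


def find_third_party_logins(log_text, account, device_ips, since):
    """Logins to `account` at or after `since` that did not come from the device.

    The throw-away account exists only on the phone, so any other source
    address is a third party holding the credentials.
    """
    device = {ipaddress.ip_address(ip) for ip in device_ips}
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m or m["user"] != account:
            continue
        ts = datetime.fromisoformat(m["ts"])
        if ts < since:  # step 3 of the recipe: ignore logins before setup time
            continue
        rip = ipaddress.ip_address(m["rip"])
        if rip in device:
            continue
        tokens = [t.strip() for t in m["rest"].split(",")]
        findings.append({
            "time": ts,
            "rip": str(rip),
            "watched": any(rip in net for net in WATCHED_NETS),
            # No TLS token means the password crossed the network in cleartext.
            "tls": "TLS" in tokens,
        })
    return findings


if __name__ == "__main__":
    setup_time = datetime(2013, 7, 17, 18, 0, 0)
    for f in find_third_party_logins(SAMPLE_LOG, "throwaway", ["203.0.113.25"], setup_time):
        print(f)
```

Filtering by an allowlist of the device's own addresses catches any relay, not only the one address named in the post; the `tls` field shows whether that login exposed the password on the wire.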
  2. howarmat's Avatar
    Interesting. How does it differ from Android and iOS?
    07-17-13 06:44 PM
  3. BallRockReaper's Avatar
    There is no difference, but BlackBerry is known for security not for sharing account details to NSA and all other.



    I am not special, I am a Limited Edition using Tapatalk 4 beta
    07-17-13 06:46 PM
  4. LP_Rigg's Avatar
    So does gmail, outlook, yahoo etc... I am less worried about BlackBerry servers than the third parties (based in the U S) who we know are known collaborators with the NSA. I use google products (chrome) only to download leaks.

    Posted via CB10
    SDTRMG and sk8er_tor like this.
    07-17-13 06:48 PM
  5. mahva's Avatar
    The problem is you need direct access to o mail provider not through their servers!

    Posted via CB10
    07-17-13 06:48 PM
  6. OldSkoolVWLover's Avatar
    Blackberry thus has not only your e-mail credentials stored in its database, it makes them available to anyone sniffing in between, namely the NSA and GCHQ as documented by the recent Edward Snowden leaks
    Even without BB doing this the NSA can get in between.
    Thachoc1 and BB12MX like this.
    07-17-13 06:50 PM
  7. trwrt's Avatar
    There is no difference, but BlackBerry is known for security not for sharing account details to NSA and all other.
    There's definitely a difference. The phone should talk directly to the mail server, there's no need for any traffic to go through BlackBerry. If this is true then they need to explain why they are doing this because it seems totally unnecessary.
    sonic_reducer and westcoastit like this.
    07-17-13 06:52 PM
  8. trwrt's Avatar
    Even without BB doing this the NSA can get in between.
    Yes, but when I set up my mail I make sure it goes through an encrypted SSL tunnel, so that even if you could sniff my traffic you'd still have to be able to decrypt it somehow. The OP's post indicates that the logins from BlackBerry aren't doing that, making it trivial to grab usernames/passwords as they zip by. If this is true anyway, which it seems hard to believe it could be since it's so blatant.
    sonic_reducer and westcoastit like this.
    07-17-13 06:56 PM
  9. emtunc's Avatar
    Interesting why BBRY would act as a MITM - perhaps this is how it worked with BIS and they're still doing it this way?

    Posted via CB10
    07-17-13 07:00 PM
  10. rcgZ10guy's Avatar
    Dear NSA,

    There is no other device on the planet that I feel more safe with than a BlackBerry. If you want to read my emails, please do... While you are at it, could you pay a bill or two that come across??


    Thanks,

    This guy


    P.S. This thread is an unnecessary attempt to turn up the drama.

    Posted via CB10
    07-17-13 07:01 PM
  11. emtunc's Avatar
    Actually it would make sense if the device was a legacy BIS BBRY but the article states a BB10 device.

    Posted via CB10
    Smitty13 likes this.
    07-17-13 07:01 PM
  12. mahva's Avatar
    Understand one thing. Your credentials are entered on the BlackBerry which then connects to BlackBerry Server and then to your mail provider. Do you trust BlackBerry that much with your personal info? When I enter my data I want to be directly connected to Gmail, mail provider z or whomever. Everything else is a MITM attack

    Posted via CB10
    emtunc likes this.
    07-17-13 07:04 PM
  13. trwrt's Avatar
    If they're throwing your login credentials out on the internet in cleartext, it doesn't matter how much you trust BlackBerry. They are there for any random bad guy to scoop up.
    07-17-13 07:12 PM
  14. SDTRMG's Avatar
    There is no difference, but BlackBerry is known for security not for sharing account details to NSA and all other.



    I am not special, I am a Limited Edition using Tapatalk 4 beta
    I don't believe this is what's happening, and if so I trust BlackBerry over apple, google and Microsoft. That's what BES is for on the business side anyway.

    And please provide some type of link to your source please because for all I know you're some dude sitting in a concrete basement with a tin foil hat on.

    Posted via CB10
    07-17-13 07:13 PM
  15. ddddafadf's Avatar
    AFAIK the NSA does NOT have access to the RIM servers. I'm more worried about a MITM attack sniffing for this during account setups. Imagine a rogue BB10 app that deletes your email accounts then waits for you to set them up again, waiting for the data to be sent to RIM and then taking it.
    07-17-13 07:15 PM
  16. thurask's Avatar
    So instead of having the NSA intercept your data going to/from BBRY, have the NSA intercept your data going to Google/MSFT. Or they can ask Google or Microsoft.
    07-17-13 07:17 PM
  17. Mirk's Avatar
    I'm not sure what to think here, but I can't help but think there is something misleading about this write up.

    If you set your phone to connect using SSL does it still do this? It would seem that it is claiming that regardless of the phone's settings it will bypass it all by sending your info to BBRY servers which will then connect to your email server unencrypted, but it's not perfectly clear. It further claims that BBRY are storing these login credentials, which naturally can not be verified. And it closes with a little bit of tin foil hat fear mongering, implying this assists the NSA in collecting all your personal data.

    Considering BBRY's track record with security this is a little much for me, perhaps a reliable source can verify this.

    Also note: it claims it only does this for the account setup and not at anytime afterwards or for retrieving emails.
    SDTRMG and mkelley65 like this.
    07-17-13 07:22 PM
  18. sk8er_tor's Avatar
    Understand one thing. Your credentials are entered on the BlackBerry which then connects to BlackBerry Server and then to your mail provider. Do you trust BlackBerry that much with your personal info? When I enter my data I want to be directly connected to Gmail, mail provider z or whomever. Everything else is a MITM attack

    Posted via CB10
    Isn't that how the leaked 10.1 works? When you add a Gmail account, it actually loads up a Gmail website and that's where you enter your password.

    To follow up on the OP, I would like to have proof that BlackBerry is storing the password on their servers. As far as I know, they only use your email address in order to determine the IMAP/POP/SMTP settings. It makes absolutely no sense for BlackBerry to store a user's password on BlackBerry 10.
    SDTRMG, drewread and vcassist like this.
    07-17-13 07:24 PM
  19. SDTRMG's Avatar
    This is also already changed on a version of 10.1 which I'm running, you know log right into the site and grant permission to the device.


    BlackBerry Email Setup concerns? Make sure to read the EULA-img_20130801.png
    BlackBerry Email Setup concerns? Make sure to read the EULA-img_20130801_edit.png

    Posted via CB10
    07-17-13 07:25 PM
  20. mahva's Avatar
    Let me clear a few things up. NSA = espionage on all foreign intelligence, all.
    Frank Rieger, the guy I linked to is the spokesperson for the CCC in Germany. Basically the place where Julian Assange and Daniel Domscheit-Berg first introduced WikiLeaks to the World. The CCC is the biggest Hacker club in Germany and even advises the German government on security issues. Do your own research. You heard it here first. Don't get me wrong I love my BlackBerry but better safe than sorry.

    Remember one thing: if you did not set SSL, it's game over. This might still be the case since it is MITM.
    BES can be different game.

    Posted via CB10
    07-17-13 07:35 PM
  21. bobshine's Avatar
    The way BlackBerry is using the email setup has security experts raising alarm bells.
    Frank Rieger, spokesperson for the Chaos communication club, is calling on all people to stop using BlackBerry's email setup since BlackBerry stores all login info on their servers, thus granting the NSA and other security agencies access to your email account.

    BlackBerry needs to immediately address those concerns since they are not authorized to keep my password and login name. They are violating the law and can be held responsible.

    Blackberry 10 makes e-mail passwords accessible to NSA and GCHQ | Knowledge Brings Fear

    Posted via CB10
    Are you saying I should stop using Gmail, Hotmail.. Facebook... Linkedin? They all have not only my log in credentials but also access to all my emails!
    mk2234 and BB12MX like this.
    07-17-13 07:38 PM
  22. CherokeeMarty's Avatar
    Who cares about sending your login info in the clear? All of my email accounts are SSL/TLS anyway. The big boys such as Google, Yahoo, Apple, Microsoft, etc., have all allowed the NSA into their systems so your login info is pointless. The info acquisition is not through the front door (your account), but through the back door (all accounts directly).

    A pointless thread.
    SDTRMG, ESCON, Rowan M and 1 others like this.
    07-17-13 07:43 PM
  23. SDTRMG's Avatar
    This is also already changed on a version of 10.1 which I'm running, you know log right into the site and grant permission to the device.



    Posted via CB10
    I'll repost so you see this has changed (if true).

    Posted via CB10
    07-17-13 07:44 PM
  24. auditman's Avatar
    OP means NSA is violating the law? That's hilarious!
    07-17-13 07:44 PM
  25. mahva's Avatar
    Your decision. You cannot complain any longer if somebody else reads, edits, writes or deletes anything in your name. You have been warned.

    Posted via CB10
    07-17-13 07:48 PM