[baadaa]

Summary in english:

When you enter your POP / IMAP e-mail credentials into a Blackberry 10 phone they will be sent to Blackberry without your consent or knowledge. A server with the IP 68.171.232.33 which is in the Research In Motion (RIM) netblock in Canada will instantly connect to your mailserver and log in with your credentials. If you do not have forced SSL/TLS configured on your mail server, your credentials will be sent in the clear by Blackberrys server for the connection. Blackberry thus has not only your e-mail credentials stored in its database, it makes them available to anyone sniffing inbetween � namely the NSA and GCHQ as documented by the recent Edward Snowden leaks. Canada is a member of the �Five Eyes�, the tigh-knitted cooperation between the interception agencies of USA, UK, Canada, Australia and New Zealand, so you need to assume that they have access to RIMs databases. You should delete your e-mail accounts from any Blackberry 10 device immediately, change the e-mail password and resort to use an alternative mail program like K9Mail.

Clarification: this issue is not about PIN-messaging, BBM, push-messaging or any other Blackberry service where you expect that your credentials are sent to RIM. This happens if you only enter your own private IMAP / POP credentials into the standard Blackberry 10 email client without having any kind BER, special configuration or any explicit service relationship or contract with Blackberry. The client should only connect directly to your mail server and nowhere else. A phone hardware vendor has no right to for whatever reason harvest account credentials back to his server without explicit user consent and then on top of that connect back to the mail server with them.

Recipe for own experiment:
1. set up your own mail server with full logging
2. create throw-away IMAP account
3. enter IMAP account credentials into Blackberry 10 device, note time
4. check mail with Blackberry
5. look in logfiles for IP 68.171.232.33 (or others from RIM netblock)

Source Blackberry 10 macht E-Mail-Passworte f�r NSA und GCHQ zugreifbar | Knowledge Brings Fear
Sorry, I am lurking for your some time now. I need to make an account for this. I feel betrayed.

[ESCON]

F�r meine alte Bold BIS anbingdung habe ich denen auch alle meine Daten geben m�ssen... Und solange 80% der Leute gmail oder �hnliches nutzen ist doch eh egal... ?

[Palerider89]

well that is interesting! Thanks for the link!

[Branta]

Not reproduced in a quick test here, all the IP addresses were identifiable as legitimate but my server forces encryption so this might be a blocking factor. OTOH anyone running with zero encryption as described has zero security anyway.

I did identify some RIM addresses earlier in the log - legitimate and known to be caused by new mail passing to a BIS device. I can't help wondering if legal traffic to/from legacy devices might have triggered a false suspicion about BB10 devices.

[Cozz4ever]

I'm almost positive all email info is encrypted within the servers. Even Blackberry couldn't give out the info if they tried.

[jerome78]

I think the problem is not the encryption within the servers.

BBRY is using and storing your access information without your permissions.
Normally these information are stored locally on the device. So your mail-app is using these information to create a direct connection to the mail-server. No 3rd-party necessary.

What actually happened is the following:
1. you setup your mail-account
2. these information are sent to BBRY (unnecessary)
3. BBRY uses these information to check your mail-account (unnecessary and in the most countries illegal without your permission)

So BBRY has full access to your mails (private or work data)

[Kris Simundson]

http://forums.crackberry.com/showthread.php?t=829659

Please use this thread already open