BlackBerry is disputing a German researcher's claim that the new BlackBerry 10 mobile devices send users' private email credentials to the company without consent, possibly in the clear, and store them without permission.
Frank Rieger said that when users enter their POP/IMAP credentials on the device, the credentials are transmitted to Research In Motion (RIM), and a server on RIM's network then connects to the user's mail server with them.
“If you do not have forced SSL/TLS configured on your mail server, your credentials will be sent in the clear by BlackBerry’s server for the connection,” he wrote on the Knowledge Brings Fear blog. “Blackberry thus has not only your e-mail credentials stored in its database, it makes them available to anyone sniffing in between.”
BlackBerry said the credentials are used only during account setup, are not stored by the company, and are transmitted to RIM's servers over TLS, a BlackBerry representative told Threatpost.
“BlackBerry’s Discovery Service uses credentials provided by the user to communicate and connect with the mail server. This process is done to simplify the setup allowing BlackBerry to configure the various options for server names, ports, protocols and server options,” said Kara Yi, Senior Manager, Enterprise Communications for BlackBerry. “This process is covered in the Terms and Conditions that the user accepts when they start using the device. Users can bypass the Discovery Service by using the Advanced Configuration option to manually enter all of the required server configuration information.”
Rieger recommends users delete their email accounts from BlackBerry 10 devices immediately and change their email passwords. BlackBerry does not make the same recommendation.
“The Discovery Service is only used in the initial email account setup. If a user changes their password there is no involvement of the Discovery Service,” Yi said.
Rieger said the issue is limited to the point at which users enter private email credentials into the BlackBerry 10 email client.
“The client should only connect directly to your mail server and nowhere else,” he said. “A phone hardware vendor has no right to for whatever reason harvest account credentials back to his server without explicit user consent and then on top of that connect back to the mail server with them.”
Rieger provided log files from a mail server he runs showing an IP address in RIM's Canadian netblock attempting to connect to his mail server; the connection succeeded once Rieger entered his credentials into the device.
“It logged in successfully with my e-mail credentials after figuring out the correct SSL / TLS configuration,” he wrote.
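What Rieger saw in his logs, a successful login to his own mail server from an address that none of his clients use, is the kind of thing a mail-server operator can check for routinely. The following is an added example, not code from the article, from Rieger or from BlackBerry. It parses constructed Dovecot-style `imap-login: Login:` lines (the log lines, the 192.0.2.0/24 "expected client" network and the 203.0.113.0/24 remote address are assumptions for illustration, not RIM's addresses) and flags two conditions: a successful login from outside the networks the user's own clients come from, and a login that was not protected by TLS, which is the situation in which Rieger says the relayed credentials would travel in the clear.

```python
# Added example, not from the article: scan Dovecot-style login lines for
# logins from unexpected networks and for logins made without TLS.
import ipaddress
import re

# Networks from which this user's own mail clients are expected to log in.
# RFC 5737 documentation range, an assumption for the example; use your own
# home, office and VPN ranges in practice.
EXPECTED_CLIENT_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample log lines in Dovecot's imap-login format (not real logs).
# Line 1: expected client, TLS.  Line 2: unexpected address, TLS.
# Line 3: unexpected address, no TLS.  Line 4: a failed login, ignored.
SAMPLE_LOG = """\
Jan 31 10:02:11 mail dovecot: imap-login: Login: user=<frank>, method=PLAIN, rip=192.0.2.45, lip=192.0.2.10, mpid=4101, TLS, session=<a1>
Jan 31 10:05:40 mail dovecot: imap-login: Login: user=<frank>, method=PLAIN, rip=203.0.113.88, lip=192.0.2.10, mpid=4133, TLS, session=<a2>
Jan 31 10:05:41 mail dovecot: imap-login: Login: user=<frank>, method=PLAIN, rip=203.0.113.88, lip=192.0.2.10, mpid=4134, session=<a3>
Jan 31 10:09:02 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<frank>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10, session=<a4>
"""

# Matches only successful logins; "rest" carries the trailing flags such as TLS.
LOGIN_RE = re.compile(
    r"imap-login: Login: user=<(?P<user>[^>]*)>, method=(?P<method>\w+), "
    r"rip=(?P<rip>[0-9a-fA-F.:]+), lip=[0-9a-fA-F.:]+, mpid=\d+"
    r"(?P<rest>.*)$"
)


def parse_logins(text):
    """Return one dict per successful login: user, remote IP and TLS flag."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # failed logins and unrelated lines are not of interest here
        rest = m.group("rest")
        # Dovecot appends "TLS" for TLS sessions and "secured" for trusted local ones.
        tls = bool(re.search(r",\s*(TLS|secured)\b", rest))
        logins.append({
            "user": m.group("user"),
            "rip": ipaddress.ip_address(m.group("rip")),
            "tls": tls,
        })
    return logins


def findings(text, expected_nets=EXPECTED_CLIENT_NETS):
    """Flag logins from unexpected networks and logins made without TLS."""
    results = []
    for login in parse_logins(text):
        if not any(login["rip"] in net for net in expected_nets):
            results.append({"reason": "unexpected_network", **login})
        if not login["tls"]:
            results.append({"reason": "plaintext_login", **login})
    return results


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print(f"{f['reason']:20} user={f['user']} rip={f['rip']} tls={f['tls']}")
```

Run against a real `/var/log/mail.log` the same way, replacing `SAMPLE_LOG` with the file contents and `EXPECTED_CLIENT_NETS` with your own ranges. A login flagged `unexpected_network` with `tls=True` is what Rieger's log showed; a `plaintext_login` finding means the server accepted authentication without TLS at all, which is the configuration his warning is about and which should be disabled on the server regardless of who the client is.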
Image courtesy Martin Hajek