Could you explain the whole kerfuffle involving BlackBerry's email system logging user credentials and sending them in cleartext? My company has a large percentage of BlackBerry users, and I'm trying to assess the potential threat. Is there any way to protect our BlackBerry devices?
Ask the Expert
Email your questions about application security and platform security to Michael Cobb now! (All questions are anonymous)
In July 2013, Frank Rieger, a spokesperson for the Chaos Computer Club, posted observations he made when setting up the email client packaged in a BlackBerry 10 smartphone using its Discovery Service. He found that when POP or IMAP email account credentials were entered for the first time, they were sent to servers owned by BlackBerry Ltd. This is quite a serious claim, as a phone vendor has no right to collect and use account credentials without explicit user consent. Many would call this a BlackBerry backdoor, but is that correct?
While it's not a backdoor into a BlackBerry device, it could provide backdoor access into a BlackBerry user's email account. Given the current unease over the extent of the PRISM program, this routing of user credentials to BlackBerry is a concern. Traceroute showed that in some instances packets were routed to BlackBerry's servers in Canada via the U.K. and the U.S. As the BlackBerry Discovery Service doesn't provide any warnings that this data transfer occurs, the majority of users leveraging it to set up their email will never be aware of this privacy issue.
A statement from BlackBerry confirmed that users' email credentials are sent from their smartphone to BlackBerry's servers via SSL or TLS, but denied the existence of a backdoor and asserted that the Discovery Service does not store email usernames and passwords. According to BlackBerry, these user credentials are used only during the setup of the email account to communicate and connect with the mail server to simplify the setup process by allowing BlackBerry to configure the various options for server names, ports, protocols and server options. This process is covered in the Terms and Conditions statement that users accept when they start using the device.
To bypass the Discovery Service setup process and its Terms and Conditions, you can use the Advanced Configuration option to manually enter all required server configuration information. A better implementation would be for the smartphone itself to complete the configuration of the correct email settings.
The lesson to learn from this situation is that it's important to always read the fine print when trusting devices and services with sensitive data. Sections 4 and 11 of the BlackBerry end-user software license agreement make it clear that the user is responsible for security between the device and the BlackBerry Enterprise Server. However, it's not explicitly clear that user credentials will be sent to BlackBerry. Therefore, despite what any legal terms and conditions state, you should always perform your own risk analysis of any new Internet-connected devices by capturing and monitoring which data is sent.
In his observations, Rieger stated that if a mail server is not configured to use SSL or TLS, the credentials will be sent from BlackBerry to the mail server in cleartext. This is true. But note that this is also the case when users connect to retrieve email unless the email server is specifically configured to use SSL or TLS. Providers such as Gmail, Hotmail, Facebook and LinkedIn all store and are able to access a user's emails, so deleting any email accounts set up on a BlackBerry 10 device is a little extreme. However, there are alternative email programs that can run on a BlackBerry 10, such as the open-source K-9 Mail, and the issue can be tracked using the Open Sourced Vulnerability Database, under entry 95728.
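As an added example (not part of the original answer), here is one way to act on the advice to capture and monitor what a device sends: a Python check that scans the text of a reassembled POP3 or IMAP stream for credential commands sent without TLS. The function name `audit_stream`, the `(sender, text)` input format and the sample streams are assumptions made for illustration; in practice the lines would come from a capture tool's stream export.

```python
import re

# Client commands that carry credentials in the clear (IMAP RFC 3501, POP3 RFC 1939).
CRED_PATTERNS = [
    ("IMAP LOGIN", re.compile(r"^\S+\s+LOGIN\s+(\S+)\s+\S+", re.I)),
    ("IMAP AUTHENTICATE PLAIN", re.compile(r"^\S+\s+AUTHENTICATE\s+PLAIN\b", re.I)),
    ("POP3 USER", re.compile(r"^USER\s+(\S+)", re.I)),
    ("POP3 PASS", re.compile(r"^PASS\s+\S+", re.I)),
]
TLS_UPGRADE = re.compile(r"^(\S+\s+STARTTLS|STLS)\s*$", re.I)
TLS_OFFERED = re.compile(r"\b(STARTTLS|STLS)\b", re.I)

# Constructed sample streams: "S" = server line, "C" = client (device) line.
IMAP_SAMPLE = [
    ("S", "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] ready"),
    ("C", "a1 LOGIN alice@example.org hunter2"),
    ("S", "a1 OK LOGIN completed"),
]
POP3_SAMPLE = [
    ("S", "+OK POP3 ready"),
    ("C", "USER bob@example.org"),
    ("S", "+OK"),
    ("C", "PASS hunter2"),
]
UPGRADED_SAMPLE = [
    ("S", "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"),
    ("C", "a1 STARTTLS"),
    ("S", "a1 OK begin TLS"),
]

def audit_stream(lines):
    """Scan one plaintext TCP stream (port 110 or 143) for exposed credentials.
    Returns findings with the account name but never the password."""
    findings, tls_offered = [], False
    for sender, text in lines:
        text = text.strip()
        if sender == "S":
            # Remember whether the server advertised a TLS upgrade at all.
            tls_offered = tls_offered or bool(TLS_OFFERED.search(text))
            continue
        if TLS_UPGRADE.match(text):
            break  # everything after the upgrade is ciphertext
        for label, pattern in CRED_PATTERNS:
            m = pattern.match(text)
            if m:
                account = m.group(1).strip('"') if m.groups() else None
                findings.append({"command": label, "account": account,
                                 "server_offered_tls": tls_offered})
    return findings
```

A finding with `server_offered_tls` set to true means the client skipped an upgrade the server advertised; false means the mail server itself needs SSL or TLS enabled.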
This was first published in January 2014