Skip to main content

BlackBerry 10 makes email passwords for NSA and GCHQ accessible


http://translate.google.com/translate?sl=de&tl=en&js=n&prev=_t&hl=de&ie=UTF-8&u=http%3A%2F%2Ffrank.geekheim.de%2F%3Fp%3D2379&act=url

Summary in english:
When you enter your POP / IMAP email credentials into a BlackBerry 10 phone theywill be sent to BlackBerry without your consent or knowledge. A server with the IP 68.171.232.33 Which is in the Research In Motion (RIM) in Canada netblock will instantly connect to your mail server and log in with your credentials. If you do not have forced SSL / TLS Configured on your mail server, your credentials will be sent in the clear by BlackBerry's server for the connection. BlackBerry Malthus has not only your e-mail credentials stored in its database, it makes them available to anyone sniffing inbetween - Namely the NSA and GCHQ as Documented by the recent Edward Snowden leaks. Canada is a member of the "Five Eyes", the tigh-knitted cooperation between the interception agencies of USA, UK, Canada, Australia and New Zealand, so you need to assume thatthey have access to RIM's databases. Should you delete your e-mail accounts from any BlackBerry 10 device immediately, change the email password and resort to use of alternative mail program like K9Mail.
Clarification: this issue is not about PIN messaging, BBM, push messaging or any other BlackBerry service where did you expect your credentials are sent to RIM. This only happens if you enter your own private IMAP / POP credentials into the standard 10 BlackBerry email client without having any kind BER, special configuration or any explicit contract or service relationship with BlackBerry. Should the client only connect directly to your mail server and nowhere else. A phone hardware vendor has no right to for whatever reason harvest account credentials back to his server without explicit user consent and then on top of did connect back to the mail server with them.
Recipe for own experiment:
1 set up your own mail server with full logging
2 create throw-away IMAP account
3 enter IMAP account credentials into BlackBerry 10 device, note time
4 checkmail with BlackBerry
5 look in the log files for IP 68.171.232.33 (or others from RIM netblock)
Update:
Since some diehard Blackberry friends doubted the veracity of this discovery here are example log files from dovecot and smtpd. The original domain has been Replaced with "mymailserver.org" and the IP with "217.xxx.xxx.xxx".
I started Configuring the mail account 13:46. As can be seen CLEARLY, long before there is a successful connect from my mobile operator E-Plus (46.115.99.217) did shouldhave happened in the very first place, the BlackBerry server 68.171.232.33 connected back to my mail server apparently trying to figure out the correct configuration for the account, as soon as I had entered user, password and mail server name. And it sucessfully logged in with my email credentials after figuring out the correct SSL / TLS configuration.

Comments

Post a Comment

Popular posts from this blog

The Difference Between LEGO MINDSTORMS EV3 Home Edition (#31313) and LEGO MINDSTORMS Education EV3 (#45544)

http://robotsquare.com/2013/11/25/difference-between-ev3-home-edition-and-education-ev3/ This article covers the difference between the LEGO MINDSTORMS EV3 Home Edition and LEGO MINDSTORMS Education EV3 products. Other articles in the ‘difference between’ series: * The difference and compatibility between EV3 and NXT ( link ) * The difference between NXT Home Edition and NXT Education products ( link ) One robotics platform, two targets The LEGO MINDSTORMS EV3 robotics platform has been developed for two different target audiences. We have home users (children and hobbyists) and educational users (students and teachers). LEGO has designed a base set for each group, as well as several add on sets. There isn’t a clear line between home users and educational users, though. It’s fine to use the Education set at home, and it’s fine to use the Home Edition set at school. This article aims to clarify the differences between the two product lines so you can decide which
1 comment
Read more

Let’s ban PowerPoint in lectures – it makes students more stupid and professors more boring

https://theconversation.com/lets-ban-powerpoint-in-lectures-it-makes-students-more-stupid-and-professors-more-boring-36183 Reading bullet points off a screen doesn't teach anyone anything. Author Bent Meier Sørensen Professor in Philosophy and Business at Copenhagen Business School Disclosure Statement Bent Meier Sørensen does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations. The Conversation is funded by CSIRO, Melbourne, Monash, RMIT, UTS, UWA, ACU, ANU, ASB, Baker IDI, Canberra, CDU, Curtin, Deakin, ECU, Flinders, Griffith, the Harry Perkins Institute, JCU, La Trobe, Massey, Murdoch, Newcastle, UQ, QUT, SAHMRI, Swinburne, Sydney, UNDA, UNE, UniSA, UNSW, USC, USQ, UTAS, UWS, VU and Wollongong.
Post a Comment
Read more

Logic Analyzer with STM32 Boards

https://sysprogs.com/w/how-we-turned-8-popular-stm32-boards-into-powerful-logic-analyzers/ How We Turned 8 Popular STM32 Boards into Powerful Logic Analyzers March 23, 2017 Ivan Shcherbakov The idea of making a “soft logic analyzer” that will run on top of popular prototyping boards has been crossing my mind since we first got acquainted with the STM32 Discovery and Nucleo boards. The STM32 GPIO is blazingly fast and the built-in DMA controller looks powerful enough to handle high bandwidths. So having that in mind, we spent several months perfecting both software and firmware side and here is what we got in the end. Capturing the signals The main challenge when using a microcontroller like STM32 as a core of a logic analyzer is dealing with sampling irregularities. Unlike FPGA-based analyzers, the microcontroller has to share the same resources to load instructions from memory, read/write the program state and capture the external inputs from the G
Post a Comment
Read more