Last month, BlackBerry made headlines during the unraveling of the widespread NSA surveillance debacle. Working with the NSA, the UK’s GCHQ had allegedly intercepted data off of BlackBerry devices from G20 delegates in 2009.
BlackBerry later issued a statement denying any “back-door” given to governments. However, a new report reveals that BlackBerry 10 has a small feature with quite possibly huge repercussions.
When you use the email client for POP or IMAP, your complete account information, including user name and password, is sent to BlackBerry’s servers without warning, without notice, and without an option to turn off this behavior.
Once you’ve set up the email accounts, you’ll see successful attempts to connect to the mail server for IMAP and SMTP from IP address 188.8.131.52, with the user name and password to the account you just set up. This IP address belongs to BlackBerry in Canada, with routes also in Britain and the USA.
Recent leaks from whistleblower Eric Snowden have revealed that Canada is allegedly a member of the “Five Eyes”, an extremely close cooperation program under the NSA that also includes the British GCHQ and the corresponding sniffer services in Australia and New Zealand.
The report gives this detailed synopsis of the issue at hand with BlackBerry 10 email:
When you enter your POP / IMAP email credentials into a BlackBerry 10 phone they will be sent to BlackBerry without your consent or knowledge. A server with the IP 184.108.40.206, which is in the Research In Motion (RIM) netblock in Canada, will instantly connect to your mail server and log in with your credentials. If you do not have forced SSL / TLS configured on your mail server, your credentials will be sent in the clear by BlackBerry’s server for the connection. BlackBerry now has your e-mail credentials stored in its database. You should delete your e-mail accounts from any BlackBerry 10 device immediately, change the email password and resort to use of an alternative mail program like K9Mail.
Clarification: this issue is not about PIN messaging, BBM, push messaging or any other BlackBerry service where you expect your credentials are sent to RIM. This only happens if you enter your own private IMAP / POP credentials into the standard BlackBerry 10 email client without having any kind BER, special configuration or any explicit contract or service relationship with BlackBerry. The client should only connect directly to your mail server and nowhere else. A phone hardware vendor has no right to, for whatever reason, harvest account credentials back to their server without explicit user consent and then on top of that connect back to the mail server with them.
If these accusations are true, it could mean that private IMAP / POP credentials could be made readily available to governments requesting user data from BlackBerry, resulting in the government gaining direct access to your private email.
We’ve reached out to BlackBerry for a response on the matter and, if found to be true, as to the purpose of harvesting such data. This was their response:
“While we cannot comment on media reports regarding alleged government surveillance of telecommunications traffic, we remain confident in the superiority of BlackBerry’s mobile security platform for customers using our integrated device and enterprise server technology. Our public statements and principles have long underscored that there is no “back door” pipeline to that platform. Our customers can rest assured that BlackBerry mobile security remains the best available solution to protect their mobile communications.”
As background information, BlackBerry has a defined set of lawful access principles publicly available here. You may notice, this is the same statement they issued in regard to the first allegations of aiding the GCHQ.
The report additionally states that you can apparently run your own experiment to view the results:
- Set up your own mail server with full logging
- Create throw-away IMAP account
- Enter IMAP account credentials into BlackBerry 10 device, note time
- Check mail with BlackBerry
- Look in the log files for IP 220.127.116.11 (or others from RIM netblock)
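
The last step of that experiment can be scripted. The following is an added example, not code from the report or from BlackBerry: it filters successful logins to the throw-away account that arrive shortly after the noted time from any address other than your own. It assumes Dovecot-style syslog lines; the function name, the sample log, and the `203.0.113.0/24` range (a documentation placeholder for a netblock you would look up yourself) are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Assumption: Dovecot-style syslog lines; adapt the pattern to your own daemon.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?(?P<svc>imap|pop3)-login: Login: "
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9A-Fa-f.:]+)(?P<rest>.*)$"
)
# The address quoted in the report, plus an RFC 5737 placeholder range standing
# in for whatever netblock you look up yourself in WHOIS.
WATCHED_NETS = [ipaddress.ip_network(n) for n in ("220.127.116.11/32", "203.0.113.0/24")]

def third_party_logins(lines, account, entered_at, own_ips, window=timedelta(hours=1)):
    """Successful logins to `account` within `window` after the credentials were
    typed in that did not come from the tester's own addresses."""
    own = {ipaddress.ip_address(a) for a in own_ips}
    hits = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m or m["user"] != account:
            continue
        # Syslog timestamps omit the year; borrow it from the noted time.
        ts = datetime.strptime(f"{entered_at.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        rip = ipaddress.ip_address(m["rip"])
        if not (entered_at <= ts <= entered_at + window) or rip in own:
            continue
        hits.append({
            "time": ts, "service": m["svc"], "ip": str(rip),
            "watched": any(rip in net for net in WATCHED_NETS),
            "tls": ", TLS" in m["rest"],  # False: the login was not over TLS
        })
    return hits

# Constructed sample log; 198.51.100.7 plays the phone's own carrier address.
SAMPLE_LOG = """\
Jul 18 14:02:05 mx dovecot: imap-login: Login: user=<throwaway>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=4121, TLS
Jul 18 14:02:11 mx dovecot: imap-login: Login: user=<throwaway>, method=PLAIN, rip=220.127.116.11, lip=192.0.2.10, mpid=4123
Jul 18 14:03:40 mx dovecot: imap-login: Login: user=<other>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, mpid=4130, TLS
Jul 19 09:00:00 mx dovecot: imap-login: Login: user=<throwaway>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=5002, TLS
""".splitlines()

if __name__ == "__main__":
    noted = datetime(2013, 7, 18, 14, 2, 0)  # time the credentials were entered
    for hit in third_party_logins(SAMPLE_LOG, "throwaway", noted, ["198.51.100.7"]):
        print(hit)
```

Any hit with `tls` set to false means the password travelled unencrypted on that connection, which is the case the report warns about when the mail server does not force SSL / TLS.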
Why do you think BlackBerry might want your email’s full credentials to keep stored in their databases?