Research In Motion – Inexcusable Vulnerability!

Over ten days ago, Frank Rieger wrote an article about suspicious traffic he noticed while using his BlackBerry 10 device. When using his BlackBerry to check email, he saw that the bundled email application transmitted his POP and IMAP email credentials to an unfamiliar IP address. After looking at the traffic more closely, he determined that his credentials were being sent to 68.171.232.33, a server owned by Research In Motion (RIM) hosted in Canada. This happened without his consent, without opting into that level of information sharing, and without enabling any configuration option that would cause it. Unfortunately for BlackBerry users, this is the tip of the iceberg.

Shortly after the user’s credentials are sent to the RIM server, that server connects back to the user’s configured mail server and authenticates with the IMAP and/or POP credentials. If the mail server is not configured with SSL/TLS, the credentials are sent from RIM to the mail server in cleartext. Anyone able to monitor the user’s network, any intermediate router, or RIM’s network can capture them. All of this happens without warning to the user and does not appear to be documented in any fashion. This is an inexcusable vulnerability. By most vulnerability database standards, it would be classified as a vendor backdoor; in this case, rather than a backdoor on the BlackBerry device itself, RIM appears to have created an avenue for backdoor access to the user’s mail server.

Due to the feedback Rieger received, he not only added clarification to the issue, reminding readers that this was not about “PIN-messaging, BBM, push-messaging or any other Blackberry service where you expect that your credentials are sent to RIM”, but also included his own smtpd and dovecot logs to demonstrate what was happening. Rieger made it clear that the credential transmission happens only after you enter your private IMAP and/or POP credentials into the default BlackBerry 10 email client. This happens without any special configuration, and without any special contract or service with RIM.
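An added example, not from the original post and not Rieger’s own logs: a small Python check over constructed Dovecot login lines that flags two things a mail administrator would want to find after reading the above, logins to the mail server from the RIM address named in the article and logins that completed without TLS (the cleartext case). The log lines, user names and the watchlist are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample Dovecot login lines (not real logs); the
# 68.171.232.33 address is the RIM server named in the article.
SAMPLE_LOG = """\
Jul 18 09:12:01 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=4101, TLS, session=<aaa>
Jul 18 09:12:44 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=68.171.232.33, lip=192.0.2.1, mpid=4109, session=<bbb>
Jul 18 09:13:02 mail dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=68.171.232.33, lip=192.0.2.1, mpid=4115, TLS, session=<ccc>
Jul 18 09:20:17 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, mpid=4200, TLS, session=<ddd>
"""

# Dovecot's "imap-login: Login:" / "pop3-login: Login:" line layout;
# the optional "TLS," (or "secured,") token precedes "session=".
LOGIN_RE = re.compile(
    r"(?P<proto>imap|pop3)-login: Login: user=<(?P<user>[^>]*)>, "
    r"method=(?P<method>\w+), rip=(?P<rip>[\d.]+), lip=[\d.]+, mpid=\d+,"
    r"(?P<flags>(?: [A-Za-z]+,)*) session="
)

# Assumed watchlist (hypothetical): the RIM address from the article, plus
# any other third-party relay an operator wants to be alerted about.
WATCHLIST = [ip_network("68.171.232.33/32")]

def parse_login(line):
    """Parse one Dovecot login line into a dict, or None if it is not one."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    flags = [f.strip() for f in m.group("flags").split(",") if f.strip()]
    return {"proto": m.group("proto"), "user": m.group("user"),
            "rip": m.group("rip"), "tls": "TLS" in flags or "secured" in flags}

def find_third_party_logins(log_text, watchlist=WATCHLIST):
    """Return (user, proto, rip, tls) tuples for logins from watched networks."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_login(line)
        if rec and any(ip_address(rec["rip"]) in net for net in watchlist):
            findings.append((rec["user"], rec["proto"], rec["rip"], rec["tls"]))
    return findings

def find_cleartext_logins(log_text):
    """Return (user, proto, rip) for logins that completed without TLS."""
    return [(r["user"], r["proto"], r["rip"])
            for r in map(parse_login, log_text.splitlines()) if r and not r["tls"]]
```

In the constructed sample, alice’s second login arrives from the RIM address without TLS, which is exactly the exposure the post describes; a real deployment would feed the live Dovecot log through the same two functions.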

A day after Rieger’s discovery, Heise Online wrote an article about it and had their own security expert Marc Heuse confirm it. Based on the article, Heise Online also reached out to Research In Motion to confirm the finding. RIM’s first reply essentially says that they cannot comment on the monitoring of public communications (e.g. PRISM) and that they have no backdoor in their platform. The second update appears to shift responsibility onto the user, saying that if they use the advanced options, this does not occur. Of course, the simple mail setup procedure is designed so that most users rely on it to quickly configure mail settings. A majority of users will use this option. In a separate comment to Threatpost, RIM claims the credentials are only used during account setup and that they are not stored by RIM. Further, they claim that credentials are sent to RIM using TLS. This appears to be validation from RIM that credentials are sent, and it dodges the question of the default configuration sending them in cleartext.

According to the BlackBerry end-user software license agreement, sections 4 and 11 make it clear that the user is responsible for the security between the device and their own BES server. There is no mention that information will be sent back to RIM, nor any attempt to hold the user responsible for such transmissions.

Due to the severity of this issue, and the apparent lack of mainstream press, Risk Based Security (RBS) has reached out to clients and some contacts, including the Federal Bureau of Investigation (FBI), warning them of the potential privacy and security issue. The RBS-funded Open Sourced Vulnerability Database has created OSVDB entry 95728 to cover this issue. RBS customers can see this information along with additional technical information in the VulnDB portal under VulnDB entry 95728.