German researcher Frank Rieger has discovered that BlackBerry is transmitting user names and passwords from its internal servers to external email servers in plain text when BlackBerry 10 users set up email accounts using the BlackBerry 10 email Discovery Service.
The problem, which Rieger is calling a backdoor that could be used by the NSA, is that when a BlackBerry 10 user configures a new email account the smartphone sends the email credentials to an internal server at BlackBerry, which in turn contacts the user’s email server. If the user’s email server isn’t configured to force the use of SSL/TLS, then the BlackBerry server defaults to plain text (without trying an encrypted connection). The result is that the user credentials are sent by BlackBerry’s internal server to the user’s email server in plain text.
There are two concerns here. One is that BlackBerry’s internal servers used for the Discovery Service haven’t been configured to use SSL/TLS at all times, falling back to plain text only if no alternative is available (or, better still, rejecting accounts without SSL/TLS). The other worry is that BlackBerry is storing user credentials for external mail services on its servers without notifying the user.
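The policy described above (try encrypted transports first and never fall back to plain text) is simple to express in code. The following is an added example, not BlackBerry's discovery-service code: a TLS-first IMAP login built on Python's standard `imaplib` and `ssl` modules. It tries implicit TLS on port 993, then STARTTLS on port 143, and raises rather than issuing a cleartext LOGIN when the server offers neither. The host name, user name, password and the fake connectors in `simulate()` are constructed for the example so it runs offline.

```python
"""
Added example (not BlackBerry code): a TLS-first IMAP credential check that
never falls back to a plaintext login. The reported discovery-service
behaviour amounts to trying plaintext first; this policy tries implicit TLS
(port 993), then STARTTLS on port 143, and raises instead of sending the
password over an unencrypted socket.
"""
import imaplib
import ssl
from typing import Callable, List, Optional, Tuple


class NoSecureTransport(Exception):
    """The mail server offered no encrypted transport; credentials were not sent."""


def _connect_implicit_tls(host: str, ctx: ssl.SSLContext):
    # Implicit TLS on 993: the handshake completes before any IMAP traffic.
    return imaplib.IMAP4_SSL(host, 993, ssl_context=ctx, timeout=10)


def _connect_starttls(host: str, ctx: ssl.SSLContext):
    # Plain socket on 143, upgraded with STARTTLS before LOGIN is ever issued.
    conn = imaplib.IMAP4(host, 143, timeout=10)
    try:
        # imaplib raises IMAP4.abort if the server does not advertise STARTTLS,
        # so a server that cannot encrypt never sees the credentials.
        conn.starttls(ssl_context=ctx)
    except Exception:
        conn.shutdown()
        raise
    return conn


Connector = Callable[[str, ssl.SSLContext], object]

# Only encrypted transports appear here; a plaintext entry is the bug.
DEFAULT_CONNECTORS: List[Tuple[str, Connector]] = [
    ("implicit-tls", _connect_implicit_tls),
    ("starttls", _connect_starttls),
]


def secure_login(host: str, username: str, password: str,
                 connectors: Optional[List[Tuple[str, Connector]]] = None,
                 ctx: Optional[ssl.SSLContext] = None):
    """Try each encrypted transport in order; return (name, connection) on success.

    A server that offers no TLS at all causes NoSecureTransport rather than a
    cleartext LOGIN, which is the opposite of the reported fallback behaviour.
    """
    ctx = ctx or ssl.create_default_context()  # verifies the server certificate
    for name, connect in connectors or DEFAULT_CONNECTORS:
        try:
            conn = connect(host, ctx)
        except (OSError, imaplib.IMAP4.error):
            continue  # transport unavailable; try the next *encrypted* option
        conn.login(username, password)
        return name, conn
    raise NoSecureTransport(
        f"{host}: no TLS transport available, refusing plaintext login")


class _FakeIMAP:
    """Constructed stand-in for an IMAP connection; records what it was sent."""

    def __init__(self):
        self.credentials = None

    def login(self, user: str, password: str):
        self.credentials = (user, password)
        return "OK", [b"Logged in"]


def simulate(server_offers_tls: bool) -> dict:
    """Run the policy offline against constructed fake connectors (hypothetical host)."""
    fake = _FakeIMAP()

    def refused(host, ctx):  # port 993 closed
        raise OSError("connection refused")

    def starttls(host, ctx):  # port 143 open; STARTTLS only if the server supports it
        if not server_offers_tls:
            raise imaplib.IMAP4.abort("TLS not supported by server")
        return fake

    try:
        transport, _ = secure_login(
            "mail.example.test", "alice", "hunter2",
            connectors=[("implicit-tls", refused), ("starttls", starttls)],
            ctx=ssl.create_default_context())
    except NoSecureTransport:
        transport = None
    return {"transport": transport, "credentials_sent": fake.credentials is not None}


if __name__ == "__main__":
    print("server with STARTTLS:", simulate(True))
    print("plaintext-only server:", simulate(False))
```

With a plaintext-only server the second run reports `credentials_sent: False`: the password never leaves the client, which is the behaviour the Discovery Service should have had instead of silently downgrading.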
Although BlackBerry initially denied any such actions by its servers, it has now acknowledged that this does happen and suggests that its customers use the advanced options during account setup to bypass the discovery service. It has also tried to reassure its customers that the credentials are only used during the setup process and are not stored by BlackBerry afterwards. According to BlackBerry, TLS is used when the credentials are sent from the BlackBerry 10 smartphone to its internal servers, but it has neglected to comment on the configuration of the discovery service software and why it uses plain text.
As a result of Frank’s findings, security firm Risk Based Security has reached out to its clients and various contacts, including the FBI, warning them of the potential privacy and security issue.