07-02-2010, 09:57 AM
#1
CrackBerry Addict
Join Date: Apr 2005
Location: UK
Model: 9700
Carrier: T-Mobile UK
Posts: 857
BIS security flaw?
So if I lose my BB and a thief enters the password wrong 10 times it:
- Wipes *all* my private data (including all cached passwords or whatever - BBM, Facebook, Browser cookies, etc), right? But afterwards:
- Does it still prompt for the OLD password, or let thief set a new one?
- If the thief can set a new one, it DOESN'T force BIS password reset as well, does it?
So the BB will then start picking up my private BIS mail, and allow the thief to impersonate me until I manage to get to the BIS to kill off the BB, right?
I can set a PIN on the SIM which would save data being pulled on my plan, but another SIM with a BB plan used by the thief would still expose my email to them, right?
Last edited by wibbly; 07-02-2010 at 09:59 AM..
07-02-2010, 11:24 AM
#2
Grumpy Moderator
Join Date: Aug 2004
Location: Somewhere in the swamps of Jersey
Model: SGS7
Carrier: Verizon
Posts: 27,948
With no service books. So there is no BIS connection...
07-02-2010, 11:27 AM
#3
CrackBerry Addict
Join Date: Apr 2005
Location: UK
Model: 9700
Carrier: T-Mobile UK
Posts: 857
But what's to stop the service books just uploading to the device again?
07-02-2010, 11:30 AM
#4
Grumpy Moderator
Join Date: Aug 2004
Location: Somewhere in the swamps of Jersey
Model: SGS7
Carrier: Verizon
Posts: 27,948
It doesn't work that way.
They have to be pushed.
07-02-2010, 12:13 PM
#5
Appleinator
Join Date: Nov 2005
Location: New Hampshire
Model: App6+
OS: AJBR549
PIN: Ask
Carrier: ATT & Verizon
Posts: 20,038
And if you report it as lost/stolen and also delete the PIN and IMEI from your BIS account, no email will be pushed either.
07-02-2010, 01:05 PM
#6
CrackBerry Addict
Join Date: Jul 2008
Location: UK
Model: 9800
OS: 6.0.0.337
PIN: S = Ouch
Carrier: Orange UK
Posts: 717
Wirelessly posted (8520 (5.0.0.411))
The service books would have to be pushed from BIS, which you wouldn't do. Therefore there is no real flaw.
07-08-2010, 01:39 PM
#7
CrackBerry Addict
Join Date: Apr 2005
Location: UK
Model: 9700
Carrier: T-Mobile UK
Posts: 857
Quote: Originally Posted by NJBlackBerry
It doesn't work that way.
They have to be pushed.
And what stops them being pushed again after the wipe? If there's a SIM in there with a BB service on it, they'll simply get pushed won't they? If not, why not?
07-08-2010, 03:27 PM
#8
Grumpy Moderator
Join Date: Aug 2004
Location: Somewhere in the swamps of Jersey
Model: SGS7
Carrier: Verizon
Posts: 27,948
It's not automatic.
07-08-2010, 03:33 PM
#9
CrackBerry Addict
Join Date: Apr 2005
Location: UK
Model: 9700
Carrier: T-Mobile UK
Posts: 857
Wirelessly posted (8900)
I've never had to 'ask' for service books to be sent on a BlackBerry that has none. They get pushed periodically anyway, and always when a BlackBerry first contacts the BlackBerry infrastructure. What's different in this case, and why?
07-08-2010, 03:36 PM
#10
Grumpy Moderator
Join Date: Aug 2004
Location: Somewhere in the swamps of Jersey
Model: SGS7
Carrier: Verizon
Posts: 27,948
Only AFTER you have made a connection to either the BES (Enterprise Activation) or BIS (by creating your e-mail accounts and passwords). They do not get pushed by magic.
There is no conspiracy, smoking gun or security flaw here.
07-08-2010, 03:39 PM
#11
CrackBerry Addict
Join Date: Apr 2005
Location: UK
Model: 9700
Carrier: T-Mobile UK
Posts: 857
Wirelessly posted (8900)
Sure. Just trying to understand how it works. I'm on a BIS and everything is working... Then my BlackBerry gets wiped due to 10 bad passwords... BIS account is still there and associated with my BlackBerry... So what stops the BlackBerry getting the service books again and starting to get my email?
07-08-2010, 03:41 PM
#12
CrackBerry Addict
Join Date: Apr 2005
Location: UK
Model: 9700
Carrier: T-Mobile UK
Posts: 857
Wirelessly posted (8900)
... I'd try it, but I don't want to wipe my BlackBerry :-S
07-08-2010, 03:55 PM
#13
BlackBerry God
Join Date: Jul 2005
Location: Florida Panhandle
Model: BBPP
OS: 10.3.3
Carrier: T-Mobile USA
Posts: 14,081
Wirelessly posted
Let me play devil's advocate. Say I find a locked BlackBerry that has been misplaced by an owner that has the device on BIS, and the owner has not reported the loss and removed the device from BIS. I then max out the password attempts, causing the device to wipe, then do a battery pull and register the device on the network, following the first two steps specified to re-send service books. Isn't it possible the service books would be sent either on the battery pull or on the registration? Maybe not, but possible? If not, I don't know if I would be able to re-send service books from the setup app, or not, but I could try. If at that point the service books were not sent, then there would be no BIS service to the device.
But I don't see that as a flaw. There are plenty of normal innocent instances where you find yourself with your own device that is essentially in the same condition as a wiped device. What do you want to do, have to call somebody and submit to the third degree when you want to switch devices or upgrade the OS?
The lesson is don't screw around and not contact your service provider if you lose your BlackBerry.
__________________
- Ira
07-08-2010, 04:10 PM
#14
CrackBerry Addict
Join Date: Apr 2005
Location: UK
Model: 9700
Carrier: T-Mobile UK
Posts: 857
Wirelessly posted (8900)
I would want either the BlackBerry password not to be removed in the wipe, or a requirement to log into the BIS (from the device, with the BIS user credentials) before service books were sent.
In my humble opinion a wiped device that then continues to display mail and allow mail to be sent in my name IS a risk, albeit until I manually kill off the BIS account.
07-08-2010, 04:21 PM
#15
BlackBerry God
Join Date: Jul 2005
Location: Florida Panhandle
Model: BBPP
OS: 10.3.3
Carrier: T-Mobile USA
Posts: 14,081
Wirelessly posted
I don't know why the password lock is cleared on a security wipe, unless it's a beneficial feature for the user or ultimate device owner (i.e. employer) who for whatever reason doesn't know the password but legitimately owns the device. I'm just speculating. But I've never seen this as that big a deal worth worrying about. I can get online or have somebody delete my email accounts from BIS or remove the device from BIS with virtually no delay. Seems like a good balance between security and convenience to me. But difference of opinion is ok. What better device is there if this were in your top 2 or 3 concerns?
__________________
- Ira
Last edited by aiharkness; 07-08-2010 at 04:22 PM..
07-11-2010, 12:23 AM
#16
Talking BlackBerry Encyclopedia
Join Date: Oct 2008
Location: Los Angeles, CA
Model: 9810
OS: 7.0.1355
PIN: N/A
Carrier: AT&T
Posts: 357
When I have wiped the device there is no mail. I have always had to manually set it up by logging into the BIS. Without the username they can’t login (for the BIS you can select “forgot password” and since they now have your PIN it will be sent to your email – would that be enough to “push” the email to the phone??? I don’t think so… that is simply a generated email – “generated” emails don’t recreate your account on the BB.
I personally have never been able to get a wiped phone to receive mail from a BIS account without logging into the BIS and deleting the email accounts and setting them up again – creating the push needed.
As long as you keep control of the BIS – I believe you win. Even if they get the password they don't have the username.
When you delete your AT&T email through the BIS and set it up again (which I have had to do numerous times for wipes and restores) that delete actually KILLS your AT&T account. That is why you can’t set it up as “existing”, you have to do it as if it were a “new” account. Obviously it doesn’t kill your Yahoo/Gmail/Hotmail – but it does AT&T. Which actually works in your favor here. You would log into the BIS and delete the account – now this jerk may have your BB but he won’t have your email…
Actually I think BB has the best security. The wipe after 10 is perfect – as well as the ability to put “contact” info right on the front in case a good Samaritan finds it… I have had that happen – found a BB right on the sidewalk – I was grateful I was able to call the lady.
I have one smartphone where I have my contact info “taped” on the back in case I lose it – how pathetic is that…
Interesting topic…
Sandy
Last edited by The Sand; 07-11-2010 at 12:24 AM..
07-11-2010, 05:41 PM
#17
Talking BlackBerry Encyclopedia
Join Date: Oct 2008
Location: Los Angeles, CA
Model: 9810
OS: 7.0.1355
PIN: N/A
Carrier: AT&T
Posts: 357
Today I had to help my sister wipe her boyfriend's phone (Settings/Options/Security/General - hit menu and Wipe Handheld) - he is on Verizon. After she wiped all she had to do was select "Email setup" and she was ALREADY IN the BIS - his Gmail was just sitting there because it's through the BIS. But in order to "push" that Gmail account to the phone she had to delete it and then re-set it up - and without the Gmail password you couldn't do that. But still...
So Verizon is running differently than AT&T - with AT&T you have to log into the BIS in order to set up or edit email - at least I have had to do that every time I have wiped.
So it appears all "Carriers" don't run the same way here...
Sandy
07-11-2010, 05:52 PM
#18
Talking BlackBerry Encyclopedia
Join Date: Oct 2008
Location: Los Angeles, CA
Model: 9810
OS: 7.0.1355
PIN: N/A
Carrier: AT&T
Posts: 357
Okay, I thought more about this and this is why - Verizon is CDMA and AT&T is GSM. GSM carriers are activated by the SIM, whereas CDMA (as of this point) are not - except the new R-UIM which is only available in Asia.
I can change devices and put my SIM in different phones and BlackBerrys and activate myself. Not so CDMA... thus the "prompt" for login on a GSM phone. There is no point on a CDMA device - they are not "interchangeable."
There's the difference...
Sandy