Blackberry/BES - Security?!?

Thursday 23rd March, 2006

I've recently been on a very steep Blackberry learning curve; actually, not as steep as it first seemed.

We already had Blackberry and an old 2.2 BES in our organisation providing 2 dozen or so users with remote access to mail. This was originally deployed by the vendor with zero documentation so it's always been a little bit of a grey area in our infrastructure. When a requirement for BES4.0 came along I took the decision of deploying a fresh Blackberry infrastructure, learning and documenting along the way.

It's been an interesting journey to deployment with some very surprising bits, the main one being security.

What amazes me is that there's no security on the Blackberry Console. This is installed locally on the BES and anybody who has login access to the machine (OS admins, backup admins etc.) effectively has full BES admin rights. I see this as a major issue as there's no way of locking these people out and not even an audit trail for any changes they make.

On top of that, enabling a user for Blackberry is silent. An admin (or anybody logged in to the BES console) can set up a Blackberry for any user simply by setting an activation password. The user doesn't have to be informed of this in any way. So I may not have access to a user's mailbox but, with one click, I can set up a Blackberry that will not only contain their whole inbox, address book and contacts but also send/receive email on their behalf... again with no audit trail.

For a device with such a reputation for being secure, the Blackberry/BES infrastructure is surprisingly full of holes.
