Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Possibly Vulnerability on BES?

Status
Not open for further replies.
Jun 3, 2006
12
US
We recently had a user purchase his own Blackberry and was able to setup our company email on it without enterprise activation or any assistance from us. Possible vulnerability?
 
umm yeah. If you didn't add his Exchange account to your server (through BlackBerry Manager) then I would be very concerned. He probably set it up using Desktop Redirector, though.
 
No this is an existing user, he just went out and purchased a brand new Blackberry and setup our company email account on it without receiving enterprise activation from our BES. He did already have an Exchange account. What's the point of enterprise activation if users can bypass this and setup their email accounts on these devices.
 
Let me understand what you are saying. He purchased a new BB and swapped his sim from the old to the new? He did not change service providers or anything? Is that what you mean by "setup our company email account on it"?

 
Hi thanks for the response. Actually I wasn't directly involved with this issue but I work on the network team and was just concerned about the fact that if in fact this is something to worry about. I don't know if he switched sim from old to new, if he did would that explain it? I'm sorry let me get more information...
 
Reason I ask, if you are set up as we are, the activation info is lodged on the BES server and the user does not have to enter anything on the handheld to begin activation.

If a user buys a new unit (doesn't really matter the provider unless your BES restricts it somehow), that user can connect the unit via cable and tell Desktop Manager to swap PIN numbers. At that point, he can simply await the activation cycle and you would not be the wiser unless you happened to notice the different PIN associated with his account during an audit.

Even swapping SIMs would be optional (unless he was using a policy he did not want to lose, I'm not sure if the policy would transfer to the new PIN).

In this scenario, you may consider it a security concern, but if this is a valid user, I'd think it more as a company policy breach.



 
Good point FarscapeFan thanks for that explanation it helps understand a lot better.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top