04-09-2008 10:01 PM
I was just wondering if anybody noticed the rather large security hole in the BB8320 UMA service:
I am using a BB8320
Vendor ID: 100
App Version 188.8.131.52 (327)
T-Mobile USA service
When you enable SIM PIN on the device, the device's UMA data service ignores the fact there has not been a SIM PIN entered. Upon cold powerup, the SIM PIN password dialog comes up. If a WiFi network that is on the preferred network list is nearby, UMA will associate with the WiFi network for BIS data services.
At this point, any e-mail messages that need to be downloaded are pushed to the device.
Now, obviously removing the SIM card gives a data thief unfettered access to CURRENT data on a device.
This UMA glitch allows a data thief to easily gain access to FUTURE data on a device unless more device security is put in place.
Since @home and HotSpot are on the list of approved networks, a data thief could fairly easily:
1. Take a UMA 8320 with SIM PIN to a T-mobile store or Starbucks, wherever a T-mo HotSpot may be
2. Turn the device on, let it stop at the SIM PIN screen, and wait for it to auto-associate with the WiFi network and start a data tunnel with the BIS servers
3. Wait for new e-mail messages to download to the device
4. Then, turn the device off, remove the SIM card and reboot
5. They now have access to current e-mail message on the stolen BB8320.
With UMA service disabled, the device behaves correctly, and does not start up an EDGE data session until AFTER entering the SIM PIN. Just like all previous BBs (8700, 8100, et. al.)
No data service authorization should take place until the SIM card is properly unlocked as this circumvents proper SIM card security.