[dvarnai]

Untrue - other manufacturers release updates handled by their own servers OTA. Nexus Devices. And Apple do it as you mentioned.

Additionally, updates could be available for download from the BlackBerry site (but aren't) or over BBW for Browser security issues (but aren't).

So, why? And whose fault is it?

Posted via CB10

The browser is just an apache Cordova app using a webview, the webkit engine is part of the core os. Also BlackBerry has its own ota servers, they don't rely on the carriers at all except for the green light. Also, remember heartbleed? BlackBerry was never vulnerable, as they were not using openssl at all. How do you know that they in fact use openssl for their browser? Freakattack.com doesn't prove the browser is vulnerable. Check the list of ciphers that are supported. Export ones are not there

Also why do you keep ignoring the fact that freakattack.com fails its own test?

BlackBerry Q10 SQN100-3

[kbz1960]

Where are your links proving that bb is immune and has no reason to fix it? And why is fixed in a new OS if they are immune to the attack according to you?

[dvarnai]

Where are your links proving that bb is immune and has no reason to fix it? And why is fixed in a new OS if they are immune to the attack according to you?

I'm not saying it's immune, I say the url (freakattack.com) doesn't prove it. Read the site, it says you are vulnerable if your list of chiphers contains any EXPORT ones. The list doesn't list any, yet the site says you are vulnerable. So what does it base it on? It's clearly not the list of ciphers.

BlackBerry Q10 SQN100-3

[kbz1960]

I know nothing about it other than I've read most have patched it and released patches to their users. My win 8.1 tablet doesn't fail. My bb does. What that means in the real world I don't know. But if it wasn't an issue for bb why are they patching it or bothering to?

[anon(6038817)]

Can you please show me the vulnerable cipher? The freak attack site does not show any export ciphers.

Or you'll blindly trust a website saying your browser is vulnerable yet if you read their manual way of checking whether you are vulnerable will tell you you are not, as the cipher that's vulnerable is not even on the list of the ones on your blackberry

BlackBerry Q10 SQN100-3

I have heard nothing from BlackBerry on this issue.

Unless you can link to an official statement from BlackBerry verifying that the BB10 browser is not vulnerable, I am assuming it is vulnerable.

[dvarnai]

I have heard nothing from BlackBerry on this issue.

Unless you can link to an official statement from BlackBerry verifying that the BB10 browser is not vulnerable, I am assuming it is vulnerable.

There's no official confirmation either and as far as we know that site might be looking at user agent for vulnerable webkit versions, which doesn't mean BlackBerry doesn't have its own set of patches in webkit, it just means the browser is based on that version. The list of ciphers doesn't contain the vulnerable cipher so the site is clearly unreliable for checking whether you are vulnerable or not. Blackberry has already evaded openssl vulnerabilities such as heartbleed, simply because BlackBerry uses its own crypto kernel. I don't say they are not using openssl for the browser but there's no proof either that they do, nor the site confirms that the vulnerability indeed exists in BlackBerry browser. The 25xx os that some guy has on the forums has a newer webkit version. If the site bases its detection on that, then it's explained why it says you are vulnerable yet we don't even have the vulnerable cipher

anyway all I'm saying is, something is clearly not right on that site, you can check for yourself. And there's also proof that BlackBerry doesn't use openssl everywhere either.

BlackBerry Q10 SQN100-3

[dvarnai]

Also, do you remember that site that verified you had some newer version of the tls protocol? That site said BlackBerry browser didn't. So either blackberry had REALLY outdated openssl, or it was using something else in the first place to provide tls

BlackBerry Q10 SQN100-3

[anon(6038817)]

I just used the FREAK Client Test Tool on freakattack.com using my BB10 browser (Q10 running 10.3.1).

It lists all the cipher suites your client uses and includes the following explanation:

Additionally, you can see what cipher suites your TLS library offers by loading this page. (If the list includes any EXPORT ciphers, your software is vulnerable.)

I clicked on that link, then I wrote the following email to their contact email address: [email protected]

Hello,

Thank you for providing such a great resource and utility for the FREAK vulnerability.

I just tested the browser on my BlackBerry phone running the BB10 OS version 10.3.1 and did not see any EXP0RT ciphers. Yet your website still says it is vulnerable. Can you look into this?

Here is the output: (I pasted the output here)

I quickly received the following reply:

The vulnerability in OpenSSL allows a browser to be tricked even if you don't offer Export Suites. If the test says you're vulnerable, then your browser was tricked down and was vulnerable.

So there you have it. The test is designed to try to trick your browser into using weakened encryption. If the test says your client is vulnerable, that means it was successful in forcing the weaker encryption.

The BB10 browser is vulnerable.

And I believe the fact that BlackBerry has not issued a statement on the matter further corroborates this.

[Deckard79]

There's no official confirmation either and as far as we know that site might be looking at user agent for vulnerable webkit versions, which doesn't mean BlackBerry doesn't have its own set of patches in webkit, it just means the browser is based on that version. The list of ciphers doesn't contain the vulnerable cipher so the site is clearly unreliable for checking whether you are vulnerable or not. Blackberry has already evaded openssl vulnerabilities such as heartbleed, simply because BlackBerry uses its own crypto kernel. I don't say they are not using openssl for the browser but there's no proof either that they do, nor the site confirms that the vulnerability indeed exists in BlackBerry browser. The 25xx os that some guy has on the forums has a newer webkit version. If the site bases its detection on that, then it's explained why it says you are vulnerable yet we don't even have the vulnerable cipher

anyway all I'm saying is, something is clearly not right on that site, you can check for yourself. And there's also proof that BlackBerry doesn't use openssl everywhere either.

BlackBerry Q10 SQN100-3

There's no official confirmation or otherwise. No patch. Nothing.

Again, for a company whose top priority is security this is a poor show.

This and many other incidents (security vulnerabilities raised by xsacha for example) have lead myself and many others on the forum to question whether BlackBerry can actually deliver upon their claims.

If a security threat appears we should see an immediate detailed press release informing us of the level of risk posed to BB10 users and what BlackBerry intend to do.

Posted via CB10

[oystersourced]

http://m.bbc.co.uk/news/technology-31840552

We can debate forever about the reasons as to why BlackBerry have not patched their browser however the fact remains millions of people read the BBC news website, BlackBerry position themselves as the secure environment, BlackBerry are the only company not to take public action. Unfortunately unless patches where made compulsory (like Sony PSN updates) then the vulnerability would exist somewhere on a BlackBerry device in the wild even after a patch has been pushed.

Posted via CB10

[Deckard79]

http://m.bbc.co.uk/news/technology-31840552

We can debate forever about the reasons as to why BlackBerry have not patched their browser however the fact remains millions of people read the BBC news website, BlackBerry position themselves as the secure environment, BlackBerry are the only company not to take public action. Unfortunately unless patches where made compulsory (like Sony PSN updates) then the vulnerability would exist somewhere on a BlackBerry device in the wild even after a patch has been pushed.

Posted via CB10

Which makes implementing an update system that allows a rapid delivery of security updates a massive priority for BlackBerry.

My worry is that all of their far-reaching claims will get exposed as total fiction. If this happens (and goes public), it's all over.

Posted via CB10

[Richard Buckley]

You'll never get 100% security or a solution that has no disadvantages or potential holes. Doesn't change the fact that a solution comparable to iMessage would be a huge boost in security compared to the ridiculous scrambling BBM uses. Apple could in theory be forced to change or reveal keys customers are using. Whereas it is a fact that a) Blackberry granted various governments/agencies access to BBM b) at least the Five Eyes can decrypt it. You get the difference between theory and practice?


LOL. No need for you to get arrogant as I already revealed that you're spreading false "facts".

You keep talking about the "ridiculous scrambling" BBM uses. I'm assuming you are talking about the fixed key DES3 encryption that all PIN to PIN based protocols use. BBM on BB10 does still use this cypher, probably for backward compatibility, but the whole bearer channel is carried on a TLS channel. So what exactly are you going on about? BBM traffic under BB10 is encrypted with TLS between the hand set and the server. Are you saying TLS is ridiculous scrambling?

Yes, it is well known that BB had to provide legal access to BIS based BBM traffic when presented a warrant. Do you think Apple or Google will behave any differently? So consumer BBM is available for legal access, but then so are all iMessage traffic. If you are concerned about this, then BlackBerry can provide you BBM Protected which is not available to them, or anyone else but the BES administration. They of course would have to respond to legal requests for the data, or face the consequences.

What false facts am I spreading?

[Maxxxpower]

You keep talking about the "ridiculous scrambling" BBM uses. I'm assuming you are talking about the fixed key DES3 encryption that all PIN to PIN based protocols use. BBM on BB10 does still use this cypher, probably for backward compatibility, but the whole bearer channel is carried on a TLS channel. So what exactly are you going on about? BBM traffic under BB10 is encrypted with TLS between the hand set and the server. Are you saying TLS is ridiculous scrambling?

Do you get the huge difference in security between TLS (Transport Layer Security) and an end-to-end encryption various other IMs are offering?

Yes, it is well known that BB had to provide legal access to BIS based BBM traffic when presented a warrant. Do you think Apple or Google will behave any differently? So consumer BBM is available for legal access, but then so are all iMessage traffic. If you are concerned about this, then BlackBerry can provide you BBM Protected which is not available to them, or anyone else but the BES administration. They of course would have to respond to legal requests for the data, or face the consequences.

You completely "forgot" to comment the hack (full access) of BIS by the five eyes and you ignore the fact that if BBM had implemented a true end-to-end encryption (how it should be), BB wouldn't be able to hand out any data.

What false facts am I spreading?

What about reading my postings?

[CubeDweller]

Well shoot,
I was ready to install BES to get secure BBM services via BBM Protected, both of which cost money on an annual basis, but I need a Windows machine with SQL Server? Really? No linux options? Windows security doesn't give me any warm and fuzzies either.

I may have to dig my iPhone out of the closet to have any semblance of security, between the BBM and FREAK issues on BlackBerry.
And now my wife, who had to download BBM for her iPhone, will have to pay every month to not see ads in the app?

I dunno BB, this is a funny way to keep/attract users.

[anon(6038817)]

Which makes implementing an update system that allows a rapid delivery of security updates a massive priority for BlackBerry.

My worry is that all of their far-reaching claims will get exposed as total fiction. If this happens (and goes public), it's all over.

Posted via CB10

I couldn't agree more.

For all its shortcomings, iOS is the only mobile platform that had a patch released within a week of the FREAK announcement to ALL devices capable of running its latest supported OS (which includes all models going back to the iPhone 4S, first released in October of 2011). And they were able to do it without waiting on the carriers.

Windows phone is still vulnerable and faces the same challenges BlackBerry does in distributing OS updates at the whim of the carriers. But once Microsoft releases Windows 10, it's widely assumed they will be able to update some individual components of the OS separately including the browser, because they will be treated like standalone apps not dependent on overall OS updates.

Google released a patch for Android, but only 3.3% of all Android devices are even running Lollipop! We all know the Android platform is an absolute security/privacy nightmare.

And then there's BlackBerry.

BlackBerry's one last claim to fame has been "privacy and security". It's all over their marketing materials, blogs, etc. John Chen mentions privacy and security in every interview, every presentation. This one incident has, for me, shattered the confidence I once had in those claims.

This is a serious vulnerability. Information transmitted over the internet via our browsers may not be secure if we happen to navigate to a compromised website. This is serious for all BB users, but especially for the enterprise/business customers BlackBerry has been focusing on over the past year. I'm willing to acknowledge BES servers may be immune, so any BB phones paired with a BES may be safe. But BlackBerry has not made any official statements, so all we can do is speculate.

But what about the millions of BB users like me who don't have a BES? Where's our privacy and security guarantee? When are we going to get a patch for this vulnerability from the company that constantly touts its best-in-class security and privacy standards?

I feel like I've been duped. And I definitely feel like an ***** now for recently publishing an article on a BB fan site about why BlackBerry's security/privacy standards are far above the rest.

There are many other issues I've been more than willing to be patient about as BB continues to turn things around. But this may be the straw that breaks the camel's back for me.

[BCITMike]

Apple released patches for iOS and Mac OS X as of yesterday. Windows released patches for Desktop versions of Windows today (Windows phones are likely still vulnerable).

But my best-in-class-for-security-and-privacy BlackBerry is still vulnerable. Oh, the irony.

And it's not like BB can just issue a patch worldwide like Apple can. In North America, they would have to go through the carriers to push an OS update. Most BB users in NA who bought their phones through a carrier are still waiting on 10.3.1 to drop.

I'm sorry, but I'm becoming a bit disillusioned with BlackBerry's "privacy and security" claims. (To say nothing of the fact that most BB security features are useless anyway unless the phone is paired with a BES.)

All I know is, my Q10 is vulnerable to FREAK, and iPhones are not. That's not a good feeling.

Logic fail. You say that the carriers need to test it before release, which takes weeks. Therefore, blackberry could have the update fixed first, you wouldn't know. Your complaint on blackberry response time is moot because of this.

"Hurry up and wait! "

Posted via CB10

[BCITMike]

BlackBerry could implement their own OTA updates without a reliance upon carriers (like other manufacturers and platforms), no?

They haven't, though. Which is a mistake for a company focusing on security as its prime concern.

Posted via CB10

No.

Posted via CB10

[Deckard79]

No.

Posted via CB10

Well explained.

Posted via CB10

[dvarnai]

Honestly my only problem is, that even though BlackBerry pushes updates directly to factory unlocked devices, there isn't even a leak for this bug yet for days we already know of an update that fixes this. That's the real shame even I agree on.

Maxxxpower: can you tell me which widely used IM has end-to-end encryption with per user keys? I highly doubt there's any widely used one, simply because if you lose your key and change device there's no way to retrieve history, contacts, etc. If all the private/public keys are stored on a remote server you are not any more protected than with an IM with a single shared key

BlackBerry Q10 SQN100-3

[anon(6038817)]

Logic fail. You say that the carriers need to test it before release, which takes weeks. Therefore, blackberry could have the update fixed first, you wouldn't know. Your complaint on blackberry response time is moot because of this.

"Hurry up and wait! "

Posted via CB10

It is true that most BB owners are dependent on carriers for updates.

However, if BB released an update tomorrow there would still be many BB10 phones that would get it right away. Unlocked BB10 phones sold via ShopBlackBerry get direct OS updates without carrier approval needed.

So if BB released an update, we'd know it, and it would be all over CrackBerry.

However, the 10.3.1 roll-out has been halted for most BB10 devices because of widespread reports of bugs. It's possible they could be building a FREAK patch into 10.3.1 before continuing the roll-out. But we don't know. Because BB hasn't officially said anything about it.

What we do know for sure is this:

1. BlackBerry phones are vulnerable to FREAK
2. BlackBerry has not officially acknowledged that their phones are vulnerable to FREAK
3. As of the time I write this post, BlackBerry has not issued a fix for FREAK
4. When BlackBerry does issue a fix, most BB10 phones will not get it right away because carriers have to test and approve it

Any way you slice it, this does not make BlackBerry look good.

[Deckard79]

Logic fail. You say that the carriers need to test it before release, which takes weeks. Therefore, blackberry could have the update fixed first, you wouldn't know. Your complaint on blackberry response time is moot because of this.

"Hurry up and wait! "

Posted via CB10

There's no 'logic fail' whatsoever - BlackBerry could, and should, bypass carrier approval to deliver fixes to critical vulnerabilities.

If another manufacturer can do this, there's no reason whatsoever why BlackBerry shouldn't have that capacity. This is particularly true for a company selling products primarily on the basis of strong security.

They might have produced an updated build containing a fix, they might not. Who knows (the fact that they haven't given their userbase the foggiest indication of what, if anything, they are doing leaves us guessing)?

'Hurry up and wait' seems an odd motto to apply when responding to current threats.


Posted via CB10

[oystersourced]

Logic fail. You say that the carriers need to test it before release, which takes weeks. Therefore, blackberry could have the update fixed first, you wouldn't know. Your complaint on blackberry response time is moot because of this.

"Hurry up and wait! "

Posted via CB10

That is wrong, if BlackBerry are to live up to their proclamations then they need to make sure that it's distributed in good time. If they can't follow through on the delivery then they should drop the view of being the secure, reliable business partner. BlackBerry need to have control over their OS update releases, or provide fixes from their website / link, without this ability they cannot react to security issues and so will always be vulnerable longer than is deemed acceptable.

Posted via CB10

[BCITMike]

Well explained.

Posted via CB10

Provide me with privileged contracts between BlackBerry and the providers and I will. I'm just pointing out that your assumption is incorrect, that BlackBerry could just do it if they wanted to. This is not the first time this topic has come up on crackberry.

[BCITMike]

That is wrong, if BlackBerry are to live up to their proclamations then they need to make sure that it's distributed in good time. If they can't follow through on the delivery then they should drop the view of being the secure, reliable business partner. BlackBerry need to have control over their OS update releases, or provide fixes from their website / link, without this ability they cannot react to security issues and so will always be vulnerable longer than is deemed acceptable.

Posted via CB10

What exactly is your idea of "good time"? It's all relative in that Apple came out with a release first. We all know they do **** poor testing.

[Deckard79]

Provide me with privileged contracts between BlackBerry and the providers and I will. I'm just pointing out that your assumption is incorrect, that BlackBerry could just do it if they wanted to. This is not the first time this topic has come up on crackberry.

Unless there's something contractual between BlackBerry and every single carrier (of which they have few left) specifically forbidding them from issuing security patches without prior carrier approval, that cannot be the case.

If this were an entire new operating system capable of rendering carrier software inoperable then perhaps (but then, carriers aren't bothering with BB10 apps to begin with).

If you're right then I'll be amazed as it makes very little sense.

Posted via CB10