- Reading the official release for the bug, I saw no mention of QNX or BB10. QNX would be the one to watch out for as it seems to be a kernel related issue in the other *nix's. Since QNX is used in a lot of car infotaiment centers, you'll get info of it being vulnerable long before BB10.
That's not to say that it isn't vulnerable, just nothing published. Check the cve's.
Posted via CB10Last edited by BronzeBeard; 09-14-17 at 03:26 PM.
1122334455667788 likes this.09-13-17 07:56 PMLike 1 -
Hacking a BB10 is not a concern. Spreading the worm from a BB10 device to all other bluetooth devices in your house, work, and life is.
Posted via CB10anon(8679041) likes this.09-14-17 12:21 PMLike 1 - Depends on the amount of code share with QNX in cars. Considering the main concern is a bluetooth worm that takes 10seconds to infect and does not require handshakes, authorizations, or even active connections, vehicles (thus QNX) would be a primary target. And most likely that would extend to BB10 devices.
Hacking a BB10 is not a concern. Spreading the worm from a BB10 device to all other bluetooth devices in your house, work, and life is.
Posted via CB10
Is there an article on this I can read? As in the virus/bug?..
Do they know the origins yet? Russia? China or American?
Anyway, I'd like to read about It then contact blackberry. It's hilarious (in a sad way) when the runtime bug on BB10 occurred long ago. Everyone came here and complained but when I got thru to Blackberry they said only one other complaint was issued and was fixed in two day from that call as in official released fix in BBW.
At the same time was odd it seemed blackberry never paid attention to the consensus/trends whatever you want to call it by scouring the Web or at least crackberry. So it seemed! I think with TCL this may be different beings CBK said about the K1 with extra gig of ram and double the storage - then poof, there it was!...
Passport SE via Native CB10 .bar09-14-17 03:01 PMLike 0 -
Is there an article on this I can read? As in the virus/bug?..
Do they know the origins yet? Russia? China or American?Last edited by BronzeBeard; 09-14-17 at 03:26 PM.
DreadPirateRegan likes this.09-14-17 03:12 PMLike 1 - The main thing is to keep bluetooth turned off unless you're using it. But sadly a lot of things, such as cars, you can't turn systems bluetooth off. Likewise, other products, like my father's stereo, you have no idea if they're vulnerable. As it's unlikely any EOL embedded Linux products will ever get firmware updates. While these products don't have data on them, they can be used to spread such a worm to other products that do. Like an EOL android tablet, etc.
Ask and ye shall receive: https://www.armis.com/blueborne/ There is a youtube video for lay people, a bit more details for technical people, and CVS numbers for anyone who wants to dig into it further.
It's a whitepaper by an IoT security company. Luckily nothing is out in the wild yet. But, like every disclosure, eventually a blackhat group will use the bug to hit unpatched systems (remember wannacry a couple months ago?), or extend the bug to other vendors that the research group didn't find or look at. (Which is why I keep mentioning cars, when was the last time you had your center console radio's firmware updated? )
Seriously though, aren't those updates automatic by now?
Well I guess not unless it's a connected car..
When that becomes standard it will be scary as I remember Avira showed (I think nissan) how they can hack a car and slammed the brakes at a convention once. Spooky!
Love Avira..
I prefer to drive my car and truck myself. LOL..
Maybe in the year 2500 somebody will laugh at this comment above, if it still exist.
Passport SE via Native CB10 .bar09-14-17 03:19 PMLike 0 -
- Bla1zeCB OGAin't no one fixing the BT in your vehicle even if it is vulnerable unless..
- Your vehicle is newer and it's a plug and play fix.
Also, you're all barking up the wrong tree anyway with the QNX talk. 99% of QNX stuff is issued to the automobile companies and they place whatever crap front end they want on it. In other words, it's up to them to fix it, not QNX/BlackBerry.DreadPirateRegan likes this.09-15-17 01:51 AMLike 1 -
Even if there were vulnerabilities in BB10... BlackBerry simple can't afford to go back and fix it, look at how long 10.3.3 took, how buggy it ended up being....
And why would they, not like they'll lose future hardware customer if they don't.09-15-17 07:59 AMLike 0 -
-
One little nitpick. Bluetooth stack is not front end, it's implemented as down low as the driver level in QNX. In Linux, the issue is in the kernel, as drivers are implemented in the kernel. Since we have that information, we know it's a low level implementation issue which most likely stems from the driver implementations for bluetooth.
You are correct in that auto manufacturers are responsible for the front ends of their systems. But I highly doubt any of them who are licensing QNX are going to write their own drivers for standard protocols/hardware from scratch. If they were going to do have to do all that work, they would just roll their own OS and save the licensing fees.
No, the bluetooth stack for QNX in all likelihood comes from the same source, Blackberry. If it isn't included in the license for QNX, then BB will custom write drivers/stack for automakers. But a smart company isn't going to rewrite it entirely over and over for the different customers/platform. They'll just do the specific platform code they need, and reuse the rest. The joys of compiled languages.
So yes, if QNX is vulnerable, BB10 is absolutely vulnerable. That is all that I am saying. We'll know if BB10 is vulnerable when/if news of QNX car systems being vulnerable comes out. Since BB10 is dead, no one will do such testing on it. But they will on cars.
Considering all three major platforms are vulnerable, it is safe to assume QNX/BB10 is as well. They will never do public testing of either of these two operating systems since BB10 is dead and QNX is not a consumer OS. I'm sure the auto manufacturers/BB already know.
As for me, I could care less. Bluetooth is disabled on all my devices (Except playstation 3 controller), my car doesn't have bluetooth, my next car won't even have a computer.09-15-17 09:43 AMLike 0 - TL;DR
BlackBerry has previously investigated the impact to its products and determined that BlackBerry powered by Android smartphones were affected.
In response to the issues detailed in the Android Security Bulletin — September 2017, an updated software build to remediate these issues has been included in the September Security Maintenance Release (SMR). The updated software build can be identified by an Android security patch level of September 1st 2017 or later and is available as follows:...
BlackBerry 10 smartphones
BlackBerry has investigated the impact to its products and determined that BlackBerry 10 smartphones are not affected.
BlackBerry OS smartphones
BlackBerry has investigated the impact to its products and determined that BlackBerry OS smartphones are not affected.09-15-17 04:49 PMLike 0 - But then lawyers will look for Deep Pockets and as many Deep Pockets as they can find so as soon as the lawyers get their hands on their gigantic class action group they will sue everybody Insight that has cash... I don't think it's that useful or advisable to widely advertised that a company has a large amount of cash on hand because somebody is going to want it...09-15-17 05:29 PMLike 0
-
You have to remember the QNX is a microkernel architecture. That means that the kernel does very little and that, unlike monolithic kernels, drivers don't run with high levels of privilege. An arbitrary code execution vulnerability in the Linux (which includes Android), Windows or iOS kernel are so dangerous because the code runs with kernel privilege. In a microkernel system almost nothing runs with kernel privilege. So even if the code has vulnerabilities it is mitigated. But beyond that drivers run in their own address space which limits what the malware has to work with to build shell code.
But on top of that, even as good as QNX code was before they were bought by BlackBerry, after the purchase it was tightened up even more. Unfortunately the last BlackBerry smartphone I will ever use sits on my desk in front of me now. It is very telling; BBOS not affected (even though EOL), BB10 not affected, iOS 10 (and later releass of iOS 9) not affected, everyone else has to scramble to get patched if they can -- even BB Android. This is just one more indication to me that while new BlackBerry branded smartphones may have many desirable features, best in class security is not one of them.Invictus0 likes this.09-15-17 09:05 PMLike 1 -
You have to remember the QNX is a microkernel architecture. That means that the kernel does very little and that, unlike monolithic kernels, drivers don't run with high levels of privilege. An arbitrary code execution vulnerability in the Linux (which includes Android), Windows or iOS kernel are so dangerous because the code runs with kernel privilege. In a microkernel system almost nothing runs with kernel privilege. So even if the code has vulnerabilities it is mitigated. But beyond that drivers run in their own address space which limits what the malware has to work with to build shell code.
But on top of that, even as good as QNX code was before they were bought by BlackBerry, after the purchase it was tightened up even more. Unfortunately the last BlackBerry smartphone I will ever use sits on my desk in front of me now. It is very telling; BBOS not affected (even though EOL), BB10 not affected, iOS 10 (and later releass of iOS 9) not affected, everyone else has to scramble to get patched if they can -- even BB Android. This is just one more indication to me that while new BlackBerry branded smartphones may have many desirable features, best in class security is not one of them.09-15-17 09:05 PMLike 0 - Perhaps this is why Verizon was so quick to push the September 5 security patch to the Priv. Hard to imagine that they actually give a darn.09-15-17 09:49 PMLike 0
- You have to remember the QNX is a microkernel architecture. That means that the kernel does very little and that, unlike monolithic kernels, drivers don't run with high levels of privilege. An arbitrary code execution vulnerability in the Linux (which includes Android), Windows or iOS kernel are so dangerous because the code runs with kernel privilege. In a microkernel system almost nothing runs with kernel privilege. So even if the code has vulnerabilities it is mitigated. But beyond that drivers run in their own address space which limits what the malware has to work with to build shell code.
Posted via CB1009-15-17 10:35 PMLike 0 - Which I never forgot. I minored in OS and work with low level mips implementation on a daily bases. Never once did I say QNX or BB10 was vulnerable. I never mentioned that QNX would have privilege escalation or remote code execution issues. I only simply suggested that we know it's a driver issue due to the information provided by the report about Linux. And if QNX was ever mentioned to be vulnerable, then BB10 would be. (Third party would be more interested in testing QNX than a dead OS like BB10, but BlackBerry did us a favor and checked everything.) The topic was then side tracked by the conversation about who writes the bluetooth stack. Not the onion layers of a microkenel OS. (Which I did mention IF there was a vulnerability, it would be in the driver layer. I never mentioned the kernel layer.) So directing this at me is a bit silly.
Posted via CB10...
You are correct in that auto manufacturers are responsible for the front ends of their systems. But I highly doubt any of them who are licensing QNX are going to write their own drivers for standard protocols/hardware from scratch. If they were going to do have to do all that work, they would just roll their own OS and save the licensing fees.
No, the bluetooth stack for QNX in all likelihood comes from the same source, Blackberry. If it isn't included in the license for QNX, then BB will custom write drivers/stack for automakers. But a smart company isn't going to rewrite it entirely over and over for the different customers/platform. They'll just do the specific platform code they need, and reuse the rest. The joys of compiled languages.
So yes, if QNX is vulnerable, BB10 is absolutely vulnerable. That is all that I am saying. We'll know if BB10 is vulnerable when/if news of QNX car systems being vulnerable comes out. Since BB10 is dead, no one will do such testing on it. But they will on cars.
Considering all three major platforms are vulnerable, it is safe to assume QNX/BB10 is as well. They will never do public testing of either of these two operating systems since BB10 is dead and QNX is not a consumer OS. I'm sure the auto manufacturers/BB already know.
......
Depends on the amount of code share with QNX in cars. Considering the main concern is a bluetooth worm that takes 10seconds to infect and does not require handshakes, authorizations, or even active connections, vehicles (thus QNX) would be a primary target. And most likely that would extend to BB10 devices.
Hacking a BB10 is not a concern. Spreading the worm from a BB10 device to all other bluetooth devices in your house, work, and life is.
...
I had been planning a post along those lines for a while as it seemed to me that this thread was getting filled up with hyperbole. Your post, following all these others, and the release of a statement from BlackBerry seemed to be the proper time.BoneMatrix likes this.09-16-17 07:23 AMLike 1 - I'm sorry if you found my reply overly critical, or feel it incorrectly singled you out. I have highlighted some passages in quotes from your other posts that I find particularly problematic for a professional discussing a vulnerability in advance of the statements from those responsible.
I had been planning a post along those lines for a while as it seemed to me that this thread was getting filled up with hyperbole. Your post, following all these others, and the release of a statement from BlackBerry seemed to be the proper time.
Let's break down the quotes you highlighted:
No, the bluetooth stack for QNX in all likelihood comes from the same source, Blackberry.
So yes, if QNX is vulnerable, BB10 is absolutely vulnerable.
We'll know if BB10 is vulnerable when/if news of QNX car systems being vulnerable comes out. Since BB10 is dead, no one will do such testing on it.
Considering all three major platforms are vulnerable, it is safe to assume QNX/BB10 is as well.
(thus QNX) would be a primary target. And most likely that would extend to BB10 devices.
Assuming there is an exploit in QNX that allowed remote code execution, you don't believe it would be in BB10?
Are you assuming the two OS's can't share python programs?
Again, you have to wrap your head around the fact we're talking about an "assumption". A "hypothetical". I doubt you can wrap your head around forward thinking like that. (Passive aggressive shot, I know. But I'm pretty much done here.)
Spreading the worm from a BB10 device to all other bluetooth devices in your house, work, and life is.
You may not like hyperbole. But this is a forum of a dead platform. And nothing you highlighted of mine turned out to be false. Nearly everything either had a conditional or a probability adverb or a publicly stated assumption of a possibility. The last highlight of yours being the only one that didn't, but it is working off an assumption of infection, which is what this whole security paper is about. Would you rather have no discussion take place? OK, that's fine by me. I don't need to waste my time with it. Enjoy!Last edited by BronzeBeard; 09-16-17 at 08:55 AM.
09-16-17 08:32 AMLike 0
- Forum
- BlackBerry 10 Phones & OS
- BlackBerry 10 OS
Bluetooth blueborne hack
Similar Threads
-
BB HUB app notifications don't work in car using bluetooth
By LK-Wes in forum More for your BlackBerry 10 Phone!Replies: 1Last Post: 09-27-17, 09:58 AM -
Bluetooth Vulnerability
By Ethynil in forum BlackBerry Android OSReplies: 17Last Post: 09-19-17, 12:30 AM -
Bluetooth volume issues after Sept update
By architectyuan in forum BlackBerry KEYoneReplies: 2Last Post: 09-09-17, 02:36 AM -
Bluetooth contact sharing
By seibo in forum BlackBerry DTEK60Replies: 1Last Post: 09-07-17, 08:43 AM -
Bluetooth Battery Drain
By Matt_V1 in forum BlackBerry KEYoneReplies: 0Last Post: 09-06-17, 12:18 PM
LINK TO POST COPIED TO CLIPBOARD