[tipplex]

Will there be a bluetooth security patch? Against this ciricital security issue?

Posted via CB10

[Invictus0]

Is BB10 vulnerable to it? There was an update in the Spotted OS thread a few weeks ago, for all we know it could be related.

[BronzeBeard]

Reading the official release for the bug, I saw no mention of QNX or BB10. QNX would be the one to watch out for as it seems to be a kernel related issue in the other *nix's. Since QNX is used in a lot of car infotaiment centers, you'll get info of it being vulnerable long before BB10.

That's not to say that it isn't vulnerable, just nothing published. Check the cve's.

Posted via CB10

[mf1982]

Who's actually going to put any effort into hacking any of our few dozen BB10 devices left out there??

Posted via CB10

[BronzeBeard]

Who's actually going to put any effort into hacking any of our few dozen BB10 devices left out there??

Posted via CB10

Depends on the amount of code share with QNX in cars. Considering the main concern is a bluetooth worm that takes 10seconds to infect and does not require handshakes, authorizations, or even active connections, vehicles (thus QNX) would be a primary target. And most likely that would extend to BB10 devices.

Hacking a BB10 is not a concern. Spreading the worm from a BB10 device to all other bluetooth devices in your house, work, and life is.

Posted via CB10

[DreadPirateRegan]

Depends on the amount of code share with QNX in cars. Considering the main concern is a bluetooth worm that takes 10seconds to infect and does not require handshakes, authorizations, or even active connections, vehicles (thus QNX) would be a primary target. And most likely that would extend to BB10 devices.

Hacking a BB10 is not a concern. Spreading the worm from a BB10 device to all other bluetooth devices in your house, work, and life is.

Posted via CB10

Good thing I don't use Bluetooth. I would think BB would issue a patch for BB10 (If needed as they know folks are still here) if not only to contain it as you make a great point there..

Is there an article on this I can read? As in the virus/bug?..

Do they know the origins yet? Russia? China or American?

Anyway, I'd like to read about It then contact blackberry. It's hilarious (in a sad way) when the runtime bug on BB10 occurred long ago. Everyone came here and complained but when I got thru to Blackberry they said only one other complaint was issued and was fixed in two day from that call as in official released fix in BBW.

At the same time was odd it seemed blackberry never paid attention to the consensus/trends whatever you want to call it by scouring the Web or at least crackberry. So it seemed! I think with TCL this may be different beings CBK said about the K1 with extra gig of ram and double the storage - then poof, there it was!...



 Passport SE  via Native CB10 .bar

[BronzeBeard]

Good thing I don't use Bluetooth. I would think BB would issue a patch for BB10 (If needed as they know folks are still here) if not only to contain it as you make a great point there..

The main thing is to keep bluetooth turned off unless you're using it. But sadly a lot of things, such as cars, you can't turn systems bluetooth off. Likewise, other products, like my father's stereo, you have no idea if they're vulnerable. As it's unlikely any EOL embedded Linux products will ever get firmware updates. While these products don't have data on them, they can be used to spread such a worm to other products that do. Like an EOL android tablet, etc.

Is there an article on this I can read? As in the virus/bug?..

Ask and ye shall receive: https://www.armis.com/blueborne/ There is a youtube video for lay people, a bit more details for technical people, and CVE numbers for anyone who wants to dig into it further.

Do they know the origins yet? Russia? China or American?

It's a whitepaper by an IoT security company. Luckily nothing is out in the wild yet. But, like every disclosure, eventually a blackhat group will use the bug to hit unpatched systems (remember wannacry a couple months ago?), or extend the bug to other vendors that the research group didn't find or look at. (Which is why I keep mentioning cars, when was the last time you had your center console radio's firmware updated? )

[DreadPirateRegan]

The main thing is to keep bluetooth turned off unless you're using it. But sadly a lot of things, such as cars, you can't turn systems bluetooth off. Likewise, other products, like my father's stereo, you have no idea if they're vulnerable. As it's unlikely any EOL embedded Linux products will ever get firmware updates. While these products don't have data on them, they can be used to spread such a worm to other products that do. Like an EOL android tablet, etc.


Ask and ye shall receive: https://www.armis.com/blueborne/ There is a youtube video for lay people, a bit more details for technical people, and CVS numbers for anyone who wants to dig into it further.


It's a whitepaper by an IoT security company. Luckily nothing is out in the wild yet. But, like every disclosure, eventually a blackhat group will use the bug to hit unpatched systems (remember wannacry a couple months ago?), or extend the bug to other vendors that the research group didn't find or look at. (Which is why I keep mentioning cars, when was the last time you had your center console radio's firmware updated? )

Not since 1979 when Oldsmobile sent the last update.

Seriously though, aren't those updates automatic by now?

Well I guess not unless it's a connected car..

When that becomes standard it will be scary as I remember Avira showed (I think nissan) how they can hack a car and slammed the brakes at a convention once. Spooky!

Love Avira..

I prefer to drive my car and truck myself. LOL..

Maybe in the year 2500 somebody will laugh at this comment above, if it still exist.

 Passport SE  via Native CB10 .bar

[ppeters914]

Which is why I keep mentioning cars, when was the last time you had your center console radio's firmware updated? )

And just where /how would one do that?


Posted via CB10 / AT&T /Z10 STL100-3 /10.3.3.2205

[Bla1ze]

Ain't no one fixing the BT in your vehicle even if it is vulnerable unless..

- Your vehicle is newer and it's a plug and play fix.

Also, you're all barking up the wrong tree anyway with the QNX talk. 99% of QNX stuff is issued to the automobile companies and they place whatever crap front end they want on it. In other words, it's up to them to fix it, not QNX/BlackBerry.

[Dunt Dunt Dunt]

Good thing I don't use Bluetooth. I would think BB would issue a patch for BB10 (If needed as they know folks are still here) if not only to contain it as you make a great point there..

 Passport SE  via Native CB10 .bar

BBOS has a number of known vulnerabilities.... it hasn't been patched.

Even if there were vulnerabilities in BB10... BlackBerry simple can't afford to go back and fix it, look at how long 10.3.3 took, how buggy it ended up being....

And why would they, not like they'll lose future hardware customer if they don't.

[wingnut666]

lawsuits.

Posted via CBX

[BronzeBeard]

Also, you're all barking up the wrong tree anyway with the QNX talk. 99% of QNX stuff is issued to the automobile companies and they place whatever crap front end they want on it. In other words, it's up to them to fix it, not QNX/BlackBerry.

One little nitpick. Bluetooth stack is not front end, it's implemented as down low as the driver level in QNX. In Linux, the issue is in the kernel, as drivers are implemented in the kernel. Since we have that information, we know it's a low level implementation issue which most likely stems from the driver implementations for bluetooth.

You are correct in that auto manufacturers are responsible for the front ends of their systems. But I highly doubt any of them who are licensing QNX are going to write their own drivers for standard protocols/hardware from scratch. If they were going to do have to do all that work, they would just roll their own OS and save the licensing fees.

No, the bluetooth stack for QNX in all likelihood comes from the same source, Blackberry. If it isn't included in the license for QNX, then BB will custom write drivers/stack for automakers. But a smart company isn't going to rewrite it entirely over and over for the different customers/platform. They'll just do the specific platform code they need, and reuse the rest. The joys of compiled languages.



So yes, if QNX is vulnerable, BB10 is absolutely vulnerable. That is all that I am saying. We'll know if BB10 is vulnerable when/if news of QNX car systems being vulnerable comes out. Since BB10 is dead, no one will do such testing on it. But they will on cars.

Considering all three major platforms are vulnerable, it is safe to assume QNX/BB10 is as well. They will never do public testing of either of these two operating systems since BB10 is dead and QNX is not a consumer OS. I'm sure the auto manufacturers/BB already know.

As for me, I could care less. Bluetooth is disabled on all my devices (Except playstation 3 controller), my car doesn't have bluetooth, my next car won't even have a computer.

[Richard Buckley]

TL;DR

BlackBerry has previously investigated the impact to its products and determined that BlackBerry powered by Android smartphones were affected.

In response to the issues detailed in the Android Security Bulletin — September 2017, an updated software build to remediate these issues has been included in the September Security Maintenance Release (SMR). The updated software build can be identified by an Android security patch level of September 1st 2017 or later and is available as follows:...

BlackBerry 10 smartphones

BlackBerry has investigated the impact to its products and determined that BlackBerry 10 smartphones are not affected.

BlackBerry OS smartphones

BlackBerry has investigated the impact to its products and determined that BlackBerry OS smartphones are not affected.

https://techsecurity.news/2017/09/bl...erry-products/

[BronzeBeard]

Thanks Richard for that link.

QNX customers should contact their Bluetooth stack vendor for guidance.

Guess I owe Bla1ze a semi-apology since apparently there are some QNX's out in the wild with non-BB bluetooth stacks.

[furieux]

my PRIV is safe too... does this affect the Passport ?

[furieux]

Who's actually going to put any effort into hacking any of our few dozen BB10 devices left out there??

Posted via CB10

Too bad...

[furieux]

lawsuits.

Posted via CBX

But then lawyers will look for Deep Pockets and as many Deep Pockets as they can find so as soon as the lawyers get their hands on their gigantic class action group they will sue everybody Insight that has cash... I don't think it's that useful or advisable to widely advertised that a company has a large amount of cash on hand because somebody is going to want it...

[furieux]

Will there be a bluetooth security patch? Against this ciricital security issue?

Posted via CB10

Maybe they'll hope most affected cars will go to the crusher beforehand...

[Richard Buckley]

Thanks Richard for that link.





Guess I owe Bla1ze a semi-apology since apparently there are some QNX's out in the wild with non-BB bluetooth stacks.

Judging how any particular installation is a very complex task which requires specialized knowledge and experience. I have experience with QNX and took QNX OS security and configuration course that was taught by their lead kernel developer. I suspected that any fully BlackBerry/QNX installation would be safe, so I'm not surprised that BB10 doesn't need any patches.

You have to remember the QNX is a microkernel architecture. That means that the kernel does very little and that, unlike monolithic kernels, drivers don't run with high levels of privilege. An arbitrary code execution vulnerability in the Linux (which includes Android), Windows or iOS kernel are so dangerous because the code runs with kernel privilege. In a microkernel system almost nothing runs with kernel privilege. So even if the code has vulnerabilities it is mitigated. But beyond that drivers run in their own address space which limits what the malware has to work with to build shell code.

But on top of that, even as good as QNX code was before they were bought by BlackBerry, after the purchase it was tightened up even more. Unfortunately the last BlackBerry smartphone I will ever use sits on my desk in front of me now. It is very telling; BBOS not affected (even though EOL), BB10 not affected, iOS 10 (and later releass of iOS 9) not affected, everyone else has to scramble to get patched if they can -- even BB Android. This is just one more indication to me that while new BlackBerry branded smartphones may have many desirable features, best in class security is not one of them.

[Richard Buckley]

Thanks Richard for that link.





Guess I owe Bla1ze a semi-apology since apparently there are some QNX's out in the wild with non-BB bluetooth stacks.

Judging how any particular installation may be vulnerable is a very complex task which requires specialized knowledge and experience. I have experience with QNX and took QNX OS security and configuration course that was taught by their lead kernel developer. I suspected that any fully BlackBerry/QNX installation would be safe, so I'm not surprised that BB10 doesn't need any patches. But I still had to wait for the experts before I could be sure.

You have to remember the QNX is a microkernel architecture. That means that the kernel does very little and that, unlike monolithic kernels, drivers don't run with high levels of privilege. An arbitrary code execution vulnerability in the Linux (which includes Android), Windows or iOS kernel are so dangerous because the code runs with kernel privilege. In a microkernel system almost nothing runs with kernel privilege. So even if the code has vulnerabilities it is mitigated. But beyond that drivers run in their own address space which limits what the malware has to work with to build shell code.

But on top of that, even as good as QNX code was before they were bought by BlackBerry, after the purchase it was tightened up even more. Unfortunately the last BlackBerry smartphone I will ever use sits on my desk in front of me now. It is very telling; BBOS not affected (even though EOL), BB10 not affected, iOS 10 (and later releass of iOS 9) not affected, everyone else has to scramble to get patched if they can -- even BB Android. This is just one more indication to me that while new BlackBerry branded smartphones may have many desirable features, best in class security is not one of them.

[misterabrasive]

Perhaps this is why Verizon was so quick to push the September 5 security patch to the Priv. Hard to imagine that they actually give a darn.

[BronzeBeard]

You have to remember the QNX is a microkernel architecture. That means that the kernel does very little and that, unlike monolithic kernels, drivers don't run with high levels of privilege. An arbitrary code execution vulnerability in the Linux (which includes Android), Windows or iOS kernel are so dangerous because the code runs with kernel privilege. In a microkernel system almost nothing runs with kernel privilege. So even if the code has vulnerabilities it is mitigated. But beyond that drivers run in their own address space which limits what the malware has to work with to build shell code.

Which I never forgot. I minored in OS and work with low level mips implementation on a daily bases. Never once did I say QNX or BB10 was vulnerable. I never mentioned that QNX would have privilege escalation or remote code execution issues. I only simply suggested that we know it's a driver issue due to the information provided by the report about Linux. And if QNX was ever mentioned to be vulnerable, then BB10 would be. (Third party would be more interested in testing QNX than a dead OS like BB10, but BlackBerry did us a favor and checked everything.) The topic was then side tracked by the conversation about who writes the bluetooth stack. Not the onion layers of a microkenel OS. (Which I did mention IF there was a vulnerability, it would be in the driver layer. I never mentioned the kernel layer.) So directing this at me is a bit silly.





Posted via CB10

[Richard Buckley]

Which I never forgot. I minored in OS and work with low level mips implementation on a daily bases. Never once did I say QNX or BB10 was vulnerable. I never mentioned that QNX would have privilege escalation or remote code execution issues. I only simply suggested that we know it's a driver issue due to the information provided by the report about Linux. And if QNX was ever mentioned to be vulnerable, then BB10 would be. (Third party would be more interested in testing QNX than a dead OS like BB10, but BlackBerry did us a favor and checked everything.) The topic was then side tracked by the conversation about who writes the bluetooth stack. Not the onion layers of a microkenel OS. (Which I did mention IF there was a vulnerability, it would be in the driver layer. I never mentioned the kernel layer.) So directing this at me is a bit silly.





Posted via CB10

...
You are correct in that auto manufacturers are responsible for the front ends of their systems. But I highly doubt any of them who are licensing QNX are going to write their own drivers for standard protocols/hardware from scratch. If they were going to do have to do all that work, they would just roll their own OS and save the licensing fees.

No, the bluetooth stack for QNX in all likelihood comes from the same source, Blackberry. If it isn't included in the license for QNX, then BB will custom write drivers/stack for automakers. But a smart company isn't going to rewrite it entirely over and over for the different customers/platform. They'll just do the specific platform code they need, and reuse the rest. The joys of compiled languages.



So yes, if QNX is vulnerable, BB10 is absolutely vulnerable. That is all that I am saying. We'll know if BB10 is vulnerable when/if news of QNX car systems being vulnerable comes out. Since BB10 is dead, no one will do such testing on it. But they will on cars.

Considering all three major platforms are vulnerable, it is safe to assume QNX/BB10 is as well. They will never do public testing of either of these two operating systems since BB10 is dead and QNX is not a consumer OS. I'm sure the auto manufacturers/BB already know.
...

...
Depends on the amount of code share with QNX in cars. Considering the main concern is a bluetooth worm that takes 10seconds to infect and does not require handshakes, authorizations, or even active connections, vehicles (thus QNX) would be a primary target. And most likely that would extend to BB10 devices.

Hacking a BB10 is not a concern. Spreading the worm from a BB10 device to all other bluetooth devices in your house, work, and life is.
...

I'm sorry if you found my reply overly critical, or feel it incorrectly singled you out. I have highlighted some passages in quotes from your other posts that I find particularly problematic for a professional discussing a vulnerability in advance of the statements from those responsible.

I had been planning a post along those lines for a while as it seemed to me that this thread was getting filled up with hyperbole. Your post, following all these others, and the release of a statement from BlackBerry seemed to be the proper time.

[BronzeBeard]

I'm sorry if you found my reply overly critical, or feel it incorrectly singled you out. I have highlighted some passages in quotes from your other posts that I find particularly problematic for a professional discussing a vulnerability in advance of the statements from those responsible.

I had been planning a post along those lines for a while as it seemed to me that this thread was getting filled up with hyperbole. Your post, following all these others, and the release of a statement from BlackBerry seemed to be the proper time.

You can be as anal as you want, but I am not here representing any professional causes, and I'm talking to lay people in my spare time.

Let's break down the quotes you highlighted:

No, the bluetooth stack for QNX in all likelihood comes from the same source, Blackberry.

Do you know every QNX license and who makes their Bluetooth stacks? No? Nor do I, thus the adverbials of probability "in all likelihood". I did apologize for this statement after the official presser, as BB mentions other Bluetooth vendors, but that does not make the statement entirely false.

So yes, if QNX is vulnerable, BB10 is absolutely vulnerable.

"If" is a conditional. Means it can be true or not true. If it is true, then there is a very high probability it would be true on BB10. You can disagree with that, but there is no way for you to prove otherwise. Where as I could prove that by finding a single vulnerability that effects both.

We'll know if BB10 is vulnerable when/if news of QNX car systems being vulnerable comes out. Since BB10 is dead, no one will do such testing on it.

I am eternally a pessimist, I'm surprised BlackBerry actually took the time to test the issue as far back as BBOS. Then again, since they're not effected they could use this as PR to show how secure their OSes are. Anyway, I was proven correct with this quote. We learned that BB10 was not vulnerable the same time we learned that QNX isn't.

Considering all three major platforms are vulnerable, it is safe to assume QNX/BB10 is as well.

Again, "It is safe to assume" has an adverbials of probability. Doesn't make it true or false. It is always best for people to assume their systems are compromised and plan for the worst when large scale security issues are abound. Running around with BT enabled when you're not using it is bad opsec. Before the press release you had an adverbial of probability in mind that BB10 is not vulnerable. To quote you: " I suspected that any fully BlackBerry/QNX installation would be safe". I prefer to err on the side of caution when it comes to these things. Unlike you, I partook in discussion about the topic (purpose of this place), rather than spitting out my thoughts after it was proven. You can single me out all you like after you have been proven correct. That's fine by me.

(thus QNX) would be a primary target. And most likely that would extend to BB10 devices.

So in the event of a Bluetooth worm that spreads without pairing, you believe BB10 would be targeted over QNX? Because to me, most car's don't receive software updates, and are more constantly around other bluetooth devices (cars/phones). Thus they're a better vector to spread your malware. There is also a lot more Fords than BB10 phones.

Assuming there is an exploit in QNX that allowed remote code execution, you don't believe it would be in BB10?

Are you assuming the two OS's can't share python programs?

Again, you have to wrap your head around the fact we're talking about an "assumption". A "hypothetical". I doubt you can wrap your head around forward thinking like that. (Passive aggressive shot, I know. But I'm pretty much done here.)

Spreading the worm from a BB10 device to all other bluetooth devices in your house, work, and life is.

Which is what this vulnerability can do on other platforms. Before the BB report came out, it was unknown IF BB systems had this issue. You have an assumption it was not. I have the similar assumption, but I tell people to assume it. Because it's better to be on the safe side when it comes to an unknown and wide spread issue. Of course, I could keep my mouth shut and let this place die a little more. Fine by me.

You may not like hyperbole. But this is a forum of a dead platform. And nothing you highlighted of mine turned out to be false. Nearly everything either had a conditional or a probability adverb or a publicly stated assumption of a possibility. The last highlight of yours being the only one that didn't, but it is working off an assumption of infection, which is what this whole security paper is about. Would you rather have no discussion take place? OK, that's fine by me. I don't need to waste my time with it. Enjoy!