[app_Developer]

Actually you don't know that -- QNX is not Linux or FreeBSD, and might not have the common path that allows it to work on those devices...

While it's not exactly likely BlackBerry found and silently fixed this on QNX it's also not impossible.

You must therefore assume its vulnerable until told otherwise, but assuming and knowing are two different things.

If they implemented the spec correctly, it is vulnerable. That’s why every WiFi device on the planet is vulnerable to some degree or another. There is no magic QNX cloak that would make them the one exception.

Further, if they did discover this previously and fixed it, that would be completely asinine. The right thing would have been to fix it, and then announce the flaw to get the marketing and PR value (and literally save the planet from a serious flaw that could have been, or could still be, devastating)

At the very least, if they did fix it years ago, and now everyone knows about the flaw, then they should have said that today. Very loudly. The fact that they haven’t means that either (a) they are criminally stupid or (b) they actually implemented the standard correctly and have an issue they now need to fix.

[tickerguy]

The underlying code doesn't matter. That's not what's vulnerable. It's the secure connection between the router and the endpoint that's vulnerable for any unpatched implementation of the WPA2 protocol.

Posted with my trusty Z10

That is just flatly not true. I've looked at the patches for the various wpa_supplicant and ap code, and it's entirely possible that BlackBerry figured out there was an issue and addressed it, or if they wrote their own (instead of importing someone else's implementation) they didn't leave the same hole open.

Yes, I understand the spec "says" do "X". If a spec says "jump off a building", do you?

The probability is that it's vulnerable. However, that's not certain. In fact there are some clients (e.g. certain Android versions) that are more vulnerable due to specifics of their implementation.

"Gee, that's dumb, I'm not going to do that" doesn't create an obligation on a party to report it. I've run into that a few times in my professional career, and I've never run the flag up the pole; I like the advantage it confers to be "better" than the other guys.

[Troy Tiscareno]

Is there anyone left in Waterloo to patch it?

[app_Developer]

"Gee, that's dumb, I'm not going to do that" doesn't create an obligation on a party to report it. I've run into that a few times in my professional career, and I've never run the flag up the pole; I like the advantage it confers to be "better" than the other guys.

So if BB10 is immune to this issue, why have they not announced that this week? This would be such a huge, obvious win.

[Emaderton3]

So if BB10 is immune to this issue, why have they not announced that this week? This would be such a huge, obvious win.

Win? It's not like people are going to flock to BB10. I'm sure patches will be released timely for the popular platforms like they always do.

Posted via CB10

[BerryRipe]

Maybe this is why CB posted the latest survey to see what percentage of BB10 users are left. We out numbered Android/BlackBerry users so I'm thinking there will be a patch (hopefully).

Posted via CB10

[app_Developer]

Win? It's not like people are going to flock to BB10. I'm sure patches will be released timely for the popular platforms like they always do.

Posted via CB10

Not a win for BB10, a win for BlackBerry. They want to be known as the security experts. Imagine a press release that said “we carefully implement every protocol using our own code and our own careful analysis. In implementing WPA in QNX, we chose to implement only those parts of the key exchange protocol that we felt were safe. As a result, our QNX OS is the only operating system we know of that is totally immune to KRACK, which demonstrates our unwavering commitment and attention to detail in building the most secure experiences for our customers and partners.”

Of course this is all utter fantasy, because we all know BB10 is vulnerable to KRACK and they will fix it soon just like everyone else is.

[Emaderton3]

Not a win for BB10, a win for BlackBerry. They want to be known as the security experts. Imagine a press release that said “we carefully implement every protocol using our own code and our own careful analysis. In implementing WPA in QNX, we chose to implement only those parts of the key exchange protocol that we felt were safe. As a result, our QNX OS is the only operating system we know of that is totally immune to KRACK, which demonstrates our unwavering commitment and attention to detail in building the most secure experiences for our customers and partners.”

Of course this is all utter fantasy, because we all know BB10 is vulnerable to KRACK and they will fix it soon just like everyone else is.

I am not convinced they will patch it since they don't have any BB10 employees. And even if it wasn't vulnerable, no one will care.

Posted via CB10

[DreadPirateRegan]

Maybe this is why CB posted the latest survey to see what percentage of BB10 users are left. We out numbered Android/BlackBerry users so I'm thinking there will be a patch (hopefully).

Posted via CB10

Wow, Love it. Link? I didn't even participate and I count as fifty votes as I am super special with many devices!

 Passport SE  -Working wiDe in 2017+...

[Emaderton3]

Maybe this is why CB posted the latest survey to see what percentage of BB10 users are left. We out numbered Android/BlackBerry users so I'm thinking there will be a patch (hopefully).

Posted via CB10

Maybe Android users left the forums. . .

Posted via CB10

[BerryRipe]

Wow, Love it. Link? I didn't even participate and I count as fifty votes as I am super special with many devices!

 Passport SE  -Working wiDe in 2017+...

CrackBerry Poll: What type of BlackBerry are you using?

http://crackberry.com/crackberry-pol...-are-you-using

Hopefully it's not too late to participate.

Posted via CB10

[EFats]

Both BlackBerry and QNX are unknown
https://www.kb.cert.org/vuls/byvendo...&SearchOrder=4
QNX has had over a month at it.

It is entirely possible BlackBerry/QNX's implementation is not vulnerable, but I'd be surprised. As I understand it (and that's not much) it comes down to how one interprets the wording in the WPA2 spec and most interpretations leave it vulnerable. Given that nearly everyone else interpreted it the same way, I'd bet BB/QNX are vulnerable.

[Invictus0]

I am not convinced they will patch it since they don't have any BB10 employees. And even if it wasn't vulnerable, no one will care.

Posted via CB10

They still have BB10 developers on staff, they post on the developer support forums and there's the occasional update in the spotted OS thread on CrackBerry. BB10 still has government and enterprise clients, of course people would care.

[Nguyen1]

Why are we all speculating? Why not just ask BlackBerry? Or ask blaze or Kevin, who must have inside info?

Hey, I have a simple solution. Turn off wifi. Use data only on my passport. Data is unlimited anyway, and my passport uses far less of it than my wife's iphone.

Signature: Still typing away on my Passport SE!

[ahp87]

Can’t wait for 10.3.4

[Moon_Man]

Why are we all speculating? Why not just ask BlackBerry? Or ask blaze or Kevin, who must have inside info?

Hey, I have a simple solution. Turn off wifi. Use data only on my passport. Data is unlimited anyway, and my passport uses far less of it than my wife's iphone.

Signature: Still typing away on my Passport SE!

'Data is unlimited anyway' lol you are funny. Where I live you pay 20€ for like 2gb data a month. And unused data doesn't even carry over

Posted with my  BlackBerry Passport SE™

[Richard Buckley]

Not to under state the importance of patching endpoints, or my total lack of surprise that the Wi-Fi people have let us down again (remember WEP, WPS). Anyway, still looking at this, but here are some of the questions I'm asking:

How many of the hot spots accessed where exploitation of this is possible are even offering WPA and are already really sketchy to use without additional security? How much more sketchy is using them, even with a patched endpoint, now vs before?

How many of those are going to be patched, have ever been patched, are still running vulnerable code like DNSMasq?

Etc.

Edit:

So it turns out that access points don't need to be patched unless they are also Wi-Fi clients of another AP.

LeapSTR100-2/10.3.3.2205

[moonflyer]

I am not convinced they will patch it since they don't have any BB10 employees. And even if it wasn't vulnerable, no one will care.

Posted via CB10

Z-z-z, this seems to be the most possible turn of events. How disappointing...

[Dunt Dunt Dunt]

Why are we all speculating? Why not just ask BlackBerry? Or ask blaze or Kevin, who must have inside info?

Hey, I have a simple solution. Turn off wifi. Use data only on my passport. Data is unlimited anyway, and my passport uses far less of it than my wife's iphone.

Signature: Still typing away on my Passport SE!

That may work for you.... Unlimited data isn't the global standard though. There are many, especially in other markets where Wi-Fi is very important for their use. And I expect there are far more BB10 devices in use today in those markets. Most western markets have moved on from the older devices...

So you use your Passport less than your wife uses here iPhone, there is no surprise there. Sorry but data is data, there is no BlackBerry compression or data saving going on with BB10, your wife is just using more.

[Dunt Dunt Dunt]

Is there anyone left in Waterloo to patch it?

If it's just the WAP2 code... would think anyone could do it. Pull a couple of guys from QNX if they had to, or if it were more complex... they could ask Ford to loan them a few of those developers they sold them.

[bb10adopter111]

If it's just the WAP2 code... would think anyone could do it. Pull a couple of guys from QNX if they had to, or if it were more complex... they could ask Ford to loan them a few of those developers they sold them.

The larger issue is that carriers might not push it out so only enthusiasts who use autoloaders will receive it. This is similar to the problem with WiFi routers where, even when the patch is available, most vulnerable devices will never actually receive it.

This has the potential to be a multi-year fiasco for individual users and small businesses.

Posted with my trusty Z10

[Dunt Dunt Dunt]

The larger issue is that carriers might not push it out so only enthusiasts who use autoloaders will receive it. This is similar to the problem with WiFi routers where, even when the patch is available, most vulnerable devices will never actually receive it.

This has the potential to be a multi-year fiasco for individual users and small businesses.

Posted with my trusty Z10

Yeah I can see Carrier's that stopped selling BB10 devices two or three years ago... not wanting to bother with pushing out patches or dealing with the issues that always result from those updates.

Hopefully they can issue it more like the Android Patch... something available from BlackBerry World.

I suspect most of Enterprise and Small Business... has already or is already in the process of phasing out BB10. Patch or no Patch this will only speed up the process. Proable a few IT guys have already told their bosses they have everything under control but a few EOL BlackBerry devices that there has been no word from BlackBerry about... hoping to get the approval to expedite their replacements.

But yes there will be users around the world with no clue about this issue and if BlackBerry patches it or not. Someone was posting about their Z10 still running a very early version of BB10 the other day - some people don't update.

[A Noise Annoys]

Slightly off topic, sort of, but Windows is already patched and I got an update for my Linksys router this morning although I've yet to confirm it includes a patch.

[bb10adopter111]

Slightly off topic, sort of, but Windows is already patched and I got an update for my Linksys router this morning although I've yet to confirm it includes a patch.

It's shameful how slow mobile devices are with critical updates like this. The whole distributed model of responsibility for security patching is a major vulnerability.

In Linux, Mac OS and Windows, most issues are patched before they're widely known. With this bug, any reasonably intelligent person can research it, put together a hacking toolkit, and successfully exploit it for weeks before it will be addressed for the vast majority of users.

Posted with my trusty Z10

[Nguyen1]

That may work for you.... Unlimited data isn't the global standard though. There are many, especially in other markets where Wi-Fi is very important for their use. And I expect there are far more BB10 devices in use today in those markets. Most western markets have moved on from the older devices...

So you use your Passport less than your wife uses here iPhone, there is no surprise there. Sorry but data is data, there is no BlackBerry compression or data saving going on with BB10, your wife is just using more.

Sorry, yes you're right. In usa, data unlimited... but expensive. But I'm less worried about my phone than about the home setting. How will Krack affect the wifi on an Echo, for instance?

No data compression on passport, true, but I mostly use a 9900.

Signature: Still typing away on my Passport SE!