[anon(10321802)]

Only you can assess your security needs. But before you do you should think about what you are using to make that decision and how reliable those metrics are. I will address one that keeps coming up, but no one gives it critical thought.

Frequent patches are necessary for security. Do you remember where that came from? Mainly Microsoft who after claiming that XP was the most secure couldn't keep up with the vulnerabilities in the system without going to a regular patch schedule. Othes climbed on and now it is accepted without, it seems any critical thought. To keep it short we have traded good software development practice for feature and bug rich code with rapid patching that one previous poster aptly called the red queen's race. We have been swindled. I have been developing high security, mission critical, security software since 1985. I have never been involved in a rapid patching cycle because we have very few bugs and almost all of them are mitigated by the depth of the security and defensive nature of the code. My employer values correct, secure and durable over frivolous features.

I had a chance to review the Wi-Fi protocol documents, some of the patches and how some devices managed to stay invulnerable because they were not implemented according to the specifications. Anyone coding the software who had knowledge of how cryptography works, and why would you not have someone like that coding this software, would have known that the specifications would result in a loss of cryptographic protection. I can say quite confidently that I would not have coded it per the specifications, but very much like what the patched code is like. I can say that because an equally bad cryptographic specification came across my desk not long ago and I refused to code it as written.

I don't know what happened in the QNX Wi-Fi driver, we will have to see. But I wouldn't be surprised if it was written in a safe way rather than as specified. As we know both patched, broken per the spec and broken in novel ways are all interoperable.

Unlike you I am not concerned by infrequent patches in the absence of evidence of the requirement. What does concern me is a monthly patch cycle that never makes any progress. But as I said, only you can decide what is safe enough for you.

LeapSTR100-2/10.3.3.2205

I think I understand where you're coming from. In a perfect world, software would be written in such a way that it doesn't require constant security patching and bug fixing.

But what reason do we have to believe that BB10 doesn't require it? Their software is closed-source, so all we have to go on is whatever they tell us...or don't tell us. I think BlackBerry's dearth of updates for BB10 has more to do with the fact that it's a deprecated OS that is no longer being actively developed or supported, not because it's any more "hardened" or impervious to emerging security threats than any other mobile OS.

When it comes to security, until we hear otherwise from BlackBerry/QNX, the safest assumption is that BB10 is vulnerable, is it not?

I certainly don't have the programming expertise or experience you do, but I'm not willing to stake my digital safety on a guess or a hunch that WiFi encryption protocols were implemented contrary to widely-used specifications. Your hunch may be right, but that's all it is - a hunch.

I really hope BlackBerry/QNX does confirm that they implemented the WiFi standard securely - contrary to the prevailing specifications. If they do, my faith in their pre-Android phones will have been restored, somewhat.

Edited to add: this is all moot, however, as I am currently using a Moto E4 with a patch level of May 2017, so I know for a fact this phone is vulnerable, whereas BB10 is still a big question mark. Maybe a big question mark would be preferable right now.

[anon(10321802)]

That's not necessarily true, vulnerabilities are found in small platforms all the time. There were reported vulnerabilities in Windows Phone and Tizen this year for example. A good patching schedule certainly helps but it's not the greatest indicator for how secure an OS is. Windows Phone and Android both receive monthly patches yet I think many would argue the former is more secure.

At this point your best bet for a secure platform that's actively supported is iOS.

Assuming iOS 11 is indeed jailbreak-proof, I would be inclined to agree. But that remains to be seen.

[bobshine]

Who do you mean that already patched it?


Posted with my trusty Z10

iOS in their 11.1 beta. Most probably coming out in a couple of weeks

[Invictus0]

Assuming iOS 11 is indeed jailbreak-proof, I would be inclined to agree. But that remains to be seen.

Yeah it's certainly not perfect and for the reasons that Richard Buckley outlined above it's [likely] no BBOS or BB10 but it's probably the best option we have at this point.

iOS in their 11.1 beta. Most probably coming out in a couple of weeks

In my example I was referring to Microsoft/Windows.

They pushed the fix live last week for most, if not all, of their active platforms.

[app_Developer]

It will be interesting to see what BB says about this. When Blueborne was announced, BB announced their all clear (for BB10 and BBOS) about a week later.

I still think if they saw problems with the standard years ago, there was a missed opportunity there to bring it to the attention of the standards group. Other leaders in our industry do this all the time. This is how these groups work, especially in areas of security. As banks, we participate in these, too, and we always expect our technology company partners to behave in good faith and not willfully hide massive vulnerabilities that they found in the standard.

We do the same with ATMs and bank branches and our apps. If we see vulnerabilities we fix them, but then we *also* report them to our peers. It's the right thing to do, and we get a ton of value from the other top banks sharing that data with us and with our tech partners. We're all safer as a result.

[The_Passporter]

Just wondering what the odds are if someone is using a BB10 phone and all the WIFI routers that you decide to use have been patched, that your phone would be hacked.

Posted via CB10

[app_Developer]

Just wondering what the odds are if someone is using a BB10 phone and all the WIFI routers that you decide to use have been patched, that your phone would be hacked.

So my understanding is that of all the KRACK group of attacks, the most pervasive vulnerability is wrt GSK re-install. So if (IF!) BB10 is vulnerable to that attack and if (again IF!) that's the only vulnerability, then it doesn't really matter if the router is patched or not. The phone would still be vulnerable to that particular attack. That's also true for the PSK case. Patching a router won't solve those issues for the phones (it is necessary to patch the routers if they are themselves clients to some upstream router)

But again there are a few different related vulnerabilities here. We don't know, until BB tells us, if BB10 is vulnerable to 1 or 0 or 3 of them.

[evodevo69]

They have DoD clients and other government contracts in place for another few years I thought?

I can see them patching this for those clients only, for all clients, or not at all.

I'd be surprised if they didn't patch it at all if there was a need for it.

[bb10adopter111]

iOS in their 11.1 beta. Most probably coming out in a couple of weeks

OK. Both Android and iOS have patches come in out within weeks. But no Mobile phones ha e been patches so far.

Posted with my trusty Z10

[Emaderton3]

Just wondering what the odds are if someone is using a BB10 phone and all the WIFI routers that you decide to use have been patched, that your phone would be hacked.

Posted via CB10

It doesn't sound like the vulnerability necessarily allows direct hacking of your phone.

Posted via CB10

[anon(10321802)]

OK. Both Android and iOS have patches come in out within weeks. But no Mobile phones ha e been patches so far.

Posted with my trusty Z10

Microsoft patched Windows 10 Mobile phones before they announced KRACK publicly.

[app_Developer]

They have DoD clients and other government contracts in place for another few years I thought?

I can see them patching this for those clients only, for all clients, or not at all.

I'd be surprised if they didn't patch it at all if there was a need for it.

If you mean US DoD, how many BB10 phones did they ever actually buy?

[A Noise Annoys]

Just got a tweet back from @blackberryhelps that basically said they only found out about this vulnerability yesterday.

Posted via CB10

[anon(10321802)]

Just got a tweet back from @blackberryhelps that basically said they only found out about this vulnerability yesterday.

Posted via CB10

I've seen reports that say tech companies and vendors were made aware of it as early as July and as late as the end of August.

[thurask]

I've seen reports that say tech companies and vendors were made aware of it as early as July and as late as the end of August.

They were probably informed then, but their background notifications didn't work.

[bobshine]

Even if there’s a patch to BB10, I doubt that carriers will push them out

[Richard Buckley]

As I said, you have to decide what is best for you. There is only so much I can tell you.

I think I understand where you're coming from. In a perfect world, software would be written in such a way that it doesn't require constant security patching and bug fixing.

Not a perfect world. I don't work in a perfect world, I do work in one where the priorities are different. When/if the average consumer changes their priorities the software giants will change as well, but not before.

But what reason do we have to believe that BB10 doesn't require it? Their software is closed-source, so all we have to go on is whatever they tell us...or don't tell us. I think BlackBerry's dearth of updates for BB10 has more to do with the fact that it's a deprecated OS that is no longer being actively developed or supported, not because it's any more "hardened" or impervious to emerging security threats than any other mobile OS.

This isn't going to help you much, but the software community in Canada is quite small. If you work in a particular segment of the industry long enough you get to know who the players are. And eventually you get to recognize who the true professionals are and where their priorities lie. I realize that doesn't help you much. But remember BlueBorne, not that long ago? How about HeartBleed. The OpenSSL library BlackBerry loaded on BB10 was vulnerable, but that was only there for developers who didn't want to put in the minimal effort to use the BlackBerry/Certicom cryptography libraries that weren't. You could even use the OpenSSL API with the BB/Certicom libraries, quite easy.

When it comes to security, until we hear otherwise from BlackBerry/QNX, the safest assumption is that BB10 is vulnerable, is it not?

That depends what you do based on that assumption. If you move to an Android device running the code that nulls the crypto key so everyone can see your traffic, not just the attacker that wouldn't be safest. So I'm going to go with no. Assuming all companies can't code properly because a few big ones are especially bad at is isn't a wise move, in my opinion.

I certainly don't have the programming expertise or experience you do, but I'm not willing to stake my digital safety on a guess or a hunch that WiFi encryption protocols were implemented contrary to widely-used specifications. Your hunch may be right, but that's all it is - a hunch.

How about you stake your digital safety on the fact that if an attacker gets the code before everyone is patched, and can get in a position to deploy it against you and it works before your device estalishes a WPA2 connection, pretty much the worst thing that happens is the connection is not WPA2 but open unencrypted Wi-Fi like a Starbucks, McDonalds, etc. I don't know how you feel about open Wi-Fi, or what protective measures you use with them, but that is the situation you would be in.

I really hope BlackBerry/QNX does confirm that they implemented the WiFi standard securely - contrary to the prevailing specifications. If they do, my faith in their pre-Android phones will have been restored, somewhat.

Edited to add: this is all moot, however, as I am currently using a Moto E4 with a patch level of May 2017, so I know for a fact this phone is vulnerable, whereas BB10 is still a big question mark. Maybe a big question mark would be preferable right now.

That is thinking like a security professional.

The big take away is that there is a lot of smoke, and at the moment not much fire.

ROCA on the other hand might end up eating everyone's lunch while they worry about KRACK.
ROCA - Exploit Worse Than KRACK - Puts Millions of Crypto Keys at Risk

[EFats]

I think I understand where you're coming from. In a perfect world, software would be written in such a way that it doesn't require constant security patching and bug fixing.

But what reason do we have to believe that BB10 doesn't require it? Their software is closed-source, so all we have to go on is whatever they tell us...or don't tell us. I think BlackBerry's dearth of updates for BB10 has more to do with the fact that it's a deprecated OS that is no longer being actively developed or supported, not because it's any more "hardened" or impervious to emerging security threats than any other mobile OS.

When it comes to security, until we hear otherwise from BlackBerry/QNX, the safest assumption is that BB10 is vulnerable, is it not?

Security patches should be released as needed, not necessarily on regular schedules. If regular schedules start to make sense, I think that is suggesting you have A LOT of vulnerabilities being discovered all the time.

Don't take BlackBerry's word that BB10 is secure, check the vulnerability announcements. These come out from a 3rd parties and say which platform has which known vulnerabilities. There are plenty of sites which maintain databases of this stuff and it looks like BlackBerry has much fewer than most others. Of course it is entirely possible people are hammering on BlackBerry and not revealing the holes, however, when you look back at the list of vulnerabilities when BlackBerry was at its peak and had most of the marketshare, those numbers are still low.

In this particular instance, I would agree that the safest assumption is that BB10 is vulnerable. but also unfortunately, not everything is in BlackBerry's hands. It sounds like if the router you are connected to is unpatched, then you are vulnerable as well.

[eshropshire]

They have DoD clients and other government contracts in place for another few years I thought?

I can see them patching this for those clients only, for all clients, or not at all.

I'd be surprised if they didn't patch it at all if there was a need for it.

I have not seen any BB10 at the DoD. I have not checked lately, but also did not see it on the approved purchase list.

[Wmsi]

I would hope that this is the kind of thing that would be discussed at a security summit. BlackBerry happens to be hosting one in London next week. Anyone going?

https://us.blackberry.com/enterprise...-summit/london

[Richard Buckley]

In this particular instance, I would agree that the safest assumption is that BB10 is vulnerable. but also unfortunately, not everything is in BlackBerry's hands. It sounds like if the router you are connected to is unpatched, then you are vulnerable as well.

Actually because the protocol is asymmetric the problem is on the client side. So is your access point connects to another using Wi-Fi, itself a client of another router, then it would need to be patched, but if not then there is no vulnerabilities in the router.

LeapSTR100-2/10.3.3.2205

[Richard Buckley]

I have not seen any BB10 at the DoD. I have not checked lately, but also did not see it on the approved purchase list.

Which DoD? There are still lots of DoD users, and other government department users of BlackBerry BB10 devices here.

LeapSTR100-2/10.3.3.2205

[AmritD]

They were probably informed then, but their background notifications didn't work.

Laughed at this for a good 10 mins *rotfl*

Posted via CB10

[Wmsi]

According to this, BlackBerry were notified 6 days ago:

https://www.kb.cert.org/vuls/id/CHEU-AS4JN5

[Chuck Finley69]

I have not seen any BB10 at the DoD. I have not checked lately, but also did not see it on the approved purchase list.

I know US military DISA personnel were still using BB10 and even BBOS in very limited secured devices as of few months ago. Don't know about new device requests.