With KRACK We'll Find Ou if BB10 is OFFICIALLY End-of-life
- I will ask you since you usually have thee answers bro.
In laymen terms for some of us: How could this exploit effect us hypothetically on a BB10 device if vulnerable and, well, being exploited? What can, would they typically do with this as I already know wed have to be on a WPA2 WiFi which is prett,standard everywhere as far as I know as WAS the basic but most secure, I'm on it right now? My home/personal what could happen. I am not running no damn proxy.
I think this will help allot of us decide and understand.. thanks @conite
Dread
Passport SE -Working wiDe in 2017+...
Not only can he listen to the traffic, but he can forge fake data and install malware or ransonware on your device.
This is bad. Very bad.10-20-17 10:20 AMLike 0 - A hacker can interfere with the initial handshake between your device and a wifi router which allows him the ability to decrypt the traffic you are exchanging over the network. The attacker doesn't even have to be on the network himself.
Not only can he listen to the traffic, but he can forge fake data and install malware or ransonware on your device.
This is bad. Very bad.
So they would have to create the ransom ware for BB10 first as far as we know none exist? The handshake happens continuously even after omen is signed onto the WPA2 and can only happen during that time frame or at anytime signed onto the network? Is there a way to fix this from your home routers network itself to secure home status at least or nope? I'm nervous guys! Cobalt, may have to wait a bit longer bud. Sorry! Remember from the city of brotherly love here! Lots of people equals lots of hackers!
I know enough to know it's serious. Grrr.
So with the other stuff in this thread yesterday and blackberry's definition of EOL, it's still not confirmed, right? By BlackBerry themselves?.. how much can it cost for them to really release this patch even if release it somehow in BBW unless that is not possible. I missed that part of the thread.
Passport SE -Working wiDe in 2017+...10-20-17 10:23 AMLike 0 -
- It will be called BB11 to really shut everyone up! If I was on the other end, that's what id do. I would seriously release a patch though as to many government officials and people still depending on them. For security none the less! They must! Did anybody call or write to them?....
Passport SE -Working wiDe in 2017+...10-20-17 10:28 AMLike 0 - I called in for the ART fix and they said they only had (when really dug deep) one other caller saying something similar. I believed them and found that absurd! If ya not a "caller" don't complain if no fix comes, imo. Anyway, with ART ' I explained very well.... Could of been chance but two days after (after weeks of chatting about it via CB with all u fine folks) the ART bug was corrected and released within BlackBerry world so it's a known fact they don't follow us here which honestly is or at least was not the smartest. I'd have a team dedicated to just tracking stuff over here if not just for the free consensus, etc. Maybe TLC will not that they can help with BB10's issue but JS... Be nice. Call, I am going to! They do answer via the janitors closet. Usually a woman! The more calls and explanations how it can ruin the reputation and brand, the better chance..
Passport SE -Working wiDe in 2017+...10-20-17 10:31 AMLike 0 - Hey, this WPA2 been rock solid for how long? Is it a sign generation Z is indeed going to be even Smarter or probably moreso that it's "EOL" hah, as in its been around to long and everything is fallible as if someone been trying to "Krack" this in their mommy's basement for a decade! They cracked our code guys and big league at that! Also, the bluebourne right prior.....JS.
Passport SE -Working wiDe in 201710-20-17 10:34 AMLike 0 - Thanks,
So they would have to create the ransom ware for BB10 first as far as we know none exist? The handshake happens continuously even after omen is signed onto the WPA2 and can only happen during that time frame or at anytime signed onto the network? Is there a way to fix this from your home routers network itself to secure home status at least or nope? I'm nervous guys! Cobalt, may have to wait a bit longer bud. Sorry! Remember from the city of brotherly love here! Lots of people equals lots of hackers!
I know enough to know it's serious. Grrr.
So with the other stuff in this thread yesterday and blackberry's definition of EOL, it's still not confirmed, right? By BlackBerry themselves?.. how much can it cost for them to really release this patch even if release it somehow in BBW unless that is not possible. I missed that part of the thread.
Passport SE -Working wiDe in 2017+...
The router has nothing to do with it.
Isn't it enough that he can listen to all of your traffic without worrying about the malware part?10-20-17 10:37 AMLike 0 -
I'd be super embarrassed Bro!
#Tentacles man, just saying.. HaHaHaHaHa
Passport SE -Working wiDe in 2017+...10-20-17 10:39 AMLike 0 - Hey, this WPA2 been rock solid for how long? Is it a sign generation Z is indeed going to be even Smarter or probably moreso that it's "EOL" hah, as in its been around to long and everything is fallible as if someone been trying to "Krack" this in their mommy's basement for a decade! They cracked our code guys and big league at that! Also, the bluebourne right prior.....JS.
These KRACK attacks are pretty hard to do in practice. So I don't think the sky is falling. In our own labs we've been testing this and those guys are telling me that in the WPA_supplicant 2.4 case (the most serious case according to the media), the device loses the connection to the actual router when the key is reset. So it then tries to reconnect and you can keep repeating the attack, but you have to get the timing exactly right to get anything of real value from the user.
In the WPA_supplicant 2.6 case they found what I consider to be a much more serious issue, which is that you can silently alter packets. And you can do that forever.
The media is focusing on the 2.4 case because it sounds dramatic (ZOMG the key goes to all zeros!), but I actually think the flaw in Nougat and Oreo is worse in real life. The 2.4 all-zero PSK case fails hard, but it fails fast.
But again, it's going to be really hard for a bad guy to do anything really harmful at any kind of scale with this, IMO. It's a serious flaw, and it should be fixed, and it's not purely theoretical, but it's not like people are out there reading everyone's WiFi traffic around the world today. It's not that easy to exploit this.10-20-17 10:57 AMLike 0 - I called in for the ART fix and they said they only had (when really dug deep) one other caller saying something similar. I believed them and found that absurd! If ya not a "caller" don't complain if no fix comes, imo. Anyway, with ART ' I explained very well.... Could of been chance but two days after (after weeks of chatting about it via CB with all u fine folks) the ART bug was corrected and released within BlackBerry world so it's a known fact they don't follow us here which honestly is or at least was not the smartest. I'd have a team dedicated to just tracking stuff over here if not just for the free consensus, etc. Maybe TLC will not that they can help with BB10's issue but JS... Be nice. Call, I am going to! They do answer via the janitors closet. Usually a woman! The more calls and explanations how it can ruin the reputation and brand, the better chance..
Passport SE -Working wiDe in 2017+...
But yeah, it's can't hurt for people to call and voice their concern.... If you find a working support number, you might want to post it.10-20-17 11:24 AMLike 0 - As far as I understand, if you connect to a wi-fi network that has been compromised, you still have a way to know if the data you are about to transfer is safe or not, by paying attention to the green "https://" on the address bar. At least this is valid when browsing, I'm not sure how safe is to use apps that have a login.10-20-17 11:35 AMLike 0
- It's a cat and mouse game. There are actually no omniscient people in cryptography or standards development or architecture or software development. I see some people on linkedin this week with amazing powers of hindsight and a lot of chest-thumping, but in reality we all know even the biggest experts make mistakes. It's a complicated field with serious firepower on the other side. If you have 1,000 developers on your team, somebody is making a bug right this second.
These KRACK attacks are pretty hard to do in practice. So I don't think the sky is falling. In our own labs we've been testing this and those guys are telling me that in the WPA_supplicant 2.4 case (the most serious case according to the media), the device loses the connection to the actual router when the key is reset. So it then tries to reconnect and you can keep repeating the attack, but you have to get the timing exactly right to get anything of real value from the user.
In the WPA_supplicant 2.6 case they found what I consider to be a much more serious issue, which is that you can silently alter packets. And you can do that forever.
The media is focusing on the 2.4 case because it sounds dramatic (ZOMG the key goes to all zeros!), but I actually think the flaw in Nougat and Oreo is worse in real life. The 2.4 all-zero PSK case fails hard, but it fails fast.
But again, it's going to be really hard for a bad guy to do anything really harmful at any kind of scale with this, IMO. It's a serious flaw, and it should be fixed, and it's not purely theoretical, but it's not like people are out there reading everyone's WiFi traffic around the world today. It's not that easy to exploit this.
Passport SE -Working wiDe in 2017+...10-20-17 11:45 AMLike 0 - But again, it's going to be really hard for a bad guy to do anything really harmful at any kind of scale with this, IMO. It's a serious flaw, and it should be fixed, and it's not purely theoretical, but it's not like people are out there reading everyone's WiFi traffic around the world today. It's not that easy to exploit this.
For this to be widespread, you'd have to start seeing strange vans parked every 200 feet down every street in every neighborhood in the country as they try to infiltrate every home and business wi-fi network there is.
I don't think that would happen.
Seems like there's are plenty of high profile targets out in the world that would be potential victims of something like this before the typical home router in a quiet suburban neighborhood gets picked off. I know my own router losses it's reach halfway down my own driveway. And, by then, my phone sees 6 other networks anyway.10-20-17 11:47 AMLike 0 - http://business.financialpost.com/te...t-android-push
That last part is interesting because they talking about suporting security on bb10
Posted via CB1010-20-17 12:11 PMLike 0 - As far as I understand, if you connect to a wi-fi network that has been compromised, you still have a way to know if the data you are about to transfer is safe or not, by paying attention to the green "https://" on the address bar. At least this is valid when browsing, I'm not sure how safe is to use apps that have a login.10-20-17 01:31 PMLike 0
- It doesn't matter which band you are on, this is a problem with the WPA2 spec itself plus some additional problems in specific implementations.DreadPirateRegan likes this.10-20-17 01:55 PMLike 1
-
Companies will apply patches from their existing vendors, such as Cisco, and fire vendors that don't meet their expectations.
Posted with my trusty Z1010-20-17 02:02 PMLike 0 - That's my thinking. I mean, this seems to be one of those "direct target attack" kind of things.
For this to be widespread, you'd have to start seeing strange vans parked every 200 feet down every street in every neighborhood in the country as they try to infiltrate every home and business wi-fi network there is.
I don't think that would happen.
Seems like there's are plenty of high profile targets out in the world that would be potential victims of something like this before the typical home router in a quiet suburban neighborhood gets picked off. I know my own router losses it's reach halfway down my own driveway. And, by then, my phone sees 6 other networks anyway.
And then, as someone else pointed out, after you do all of that you still have the issue that many times the connection is itself TLS, and so what you can now see is still encrypted. Of course, that's still information that might be useful, but it's not like you can harvest a lot of content that way.
And when the phone gets new session keys, you start all over.10-20-17 02:26 PMLike 0 - That's my thinking. I mean, this seems to be one of those "direct target attack" kind of things.
For this to be widespread, you'd have to start seeing strange vans parked every 200 feet down every street in every neighborhood in the country as they try to infiltrate every home and business wi-fi network there is.
I don't think that would happen.
Seems like there's are plenty of high profile targets out in the world that would be potential victims of something like this before the typical home router in a quiet suburban neighborhood gets picked off. I know my own router losses it's reach halfway down my own driveway. And, by then, my phone sees 6 other networks anyway.
For companies, especially those in government or critical infrastructure, or who value their intellectual property, KRACK is a very serious vulnerability.
Many of my clients are simply disabling WiFi internally and telling employees not to use any work-related endpoints on WiFi anywhere until they've been patched.
Posted with my trusty Z1010-20-17 03:15 PMLike 0 - Taught that was back in 2015 right after the LEAP was released..... Any group the deployed BB10 in 2016, after BlackBerry basically ended development and told 3rd party developers that - bet that IT guy is looking for a new job.
But yes I'm sure there are a number of BB10 devices out there, and a number of IT Administrators trying to check all the boxes on their hardware vulnerabilities to CRACK.... and wondering when BlackBerry will let them know the status of their products. I'm just thinking that if it really came down to not patching BB10, it wouldn't be a big of an uproar as some here might think.
GMP splashes out £10.7m to kit out officers with smart phones and tablets - Manchester Evening News
For secure use customers I doubt it really mattered that mainstream development had ended in 2015.
If BB10 is vulnerable to KRACK and BlackBerry decides to leave it unpatched (and it would be a pretty major vulnerability to leave unpatched) I'm sure that would cause more than a few headaches for IT admins that still manage BB10 devices. Why would they trust any BlackBerry service after that?anon(10218918) likes this.10-20-17 03:20 PMLike 1 - Exactly, they must patch. They owe it to the people! ****, they owe it to themselves and TCL.
Passport SE -Working wiDe in 2017+...anon(8679041) and anon(10218918) like this.10-20-17 03:35 PMLike 2 - For consumers, the risk is much less serious than the Equifax fiasco
For companies, especially those in government or critical infrastructure, or who value their intellectual property, KRACK is a very serious vulnerability.
Many of my clients are simply disabling WiFi internally and telling employees not to use any work-related endpoints on WiFi anywhere until they've been patched.
Posted with my trusty Z10
Passport SE -Working wiDe in 2017+...10-20-17 03:37 PMLike 0 - It was 2016,
GMP splashes out £10.7m to kit out officers with smart phones and tablets - Manchester Evening News
For secure use customers I doubt it really mattered that mainstream development had ended in 2015.
If BB10 is vulnerable to KRACK and BlackBerry decides to leave it unpatched (and it would be a pretty major vulnerability to leave unpatched) I'm sure that would cause more than a few headaches for IT admins that still manage BB10 devices. Why would they trust any BlackBerry service after that?
Posted via CB1010-20-17 03:39 PMLike 0 - I agree, but for all we know, they could already be telling their enterprise clients exactly what the plan is. They don't really need to update the public if they are updating at risk companies directly. That said, this seems like the perfect moment to publicly affirm either that BB10 development has ceased altogether (though TBH I think they've already said that), with no patch for KRACK forthcoming, or that they are taking the extraordinary step of patching BB10 for this event, but that it will then be EOL.
In any case, a lack of an official statement by the time that Android and Apple have released their patches IS an official statement, as far as I'm concerned. That's was the point of this post! :-)DreadPirateRegan likes this.10-20-17 04:13 PMLike 1
- Forum
- BlackBerry 10 Phones & OS
- BlackBerry 10 OS
With KRACK We'll Find Ou if BB10 is OFFICIALLY End-of-life
« replace battery on Passport?
|
Newbie with failing / non-working native BB10 apps - WhatsApp etc »
Similar Threads
-
How secure really is the Keyone finger sensor
By dorsetshaw in forum BlackBerry KEYoneReplies: 19Last Post: 10-27-17, 08:53 PM -
KRACK WPA2 Vulnerability on BB10
By EFats in forum BlackBerry 10 OSReplies: 8Last Post: 10-18-17, 01:38 PM -
how to stop auto download of mail attachment in hub
By madh263362 in forum BlackBerry Android OSReplies: 2Last Post: 10-17-17, 08:51 AM -
KEYone Keyboard scrolling issue with ads on articles
By Turborat in forum BlackBerry Android OSReplies: 0Last Post: 10-17-17, 07:56 AM -
Problem with finger sensor on may K1
By mikimike2 in forum BlackBerry Android OSReplies: 1Last Post: 10-17-17, 05:49 AM
LINK TO POST COPIED TO CLIPBOARD