[bobshine]

My memory is failing me... did BB patch the last major vulnerability?

[Invictus0]

I agree, but for all we know, they could already be telling their enterprise clients exactly what the plan is. They don't really need to update the public if they are updating at risk companies directly. That said, this seems like the perfect moment to publicly affirm either that BB10 development has ceased altogether (though TBH I think they've already said that), with no patch for KRACK forthcoming, or that they are taking the extraordinary step of patching BB10 for this event, but that it will then be EOL.

In any case, a lack of an official statement by the time that Android and Apple have released their patches IS an official statement, as far as I'm concerned. That's was the point of this post! :-)

Like with BlueBorne, I would assume they would put out a general security advisory that covered all of their products and not something BB10 specific.

My memory is failing me... did BB patch the last major vulnerability?

Which vulnerability?

[DreadPirateRegan]

Which vulnerability?

Ahh man, set himself up for that one but he probably might not know Bluebourne didn't effect BB10 as I didn't for awhile myself unless we missed something or there were multiple...


 Passport SE  -Working wiDe in 2017+...

[Invictus0]

Ahh man, set himself up for that one but he probably might not know Bluebourne didn't effect BB10 as I didn't for awhile myself unless we missed something or there were multiple...


 Passport SE  -Working wiDe in 2017+...

Yeah I think the last major vulnerability (that made headlines anyway) that impacted BB10 was the initial Stagefright exploit via the runtime in 2015. There are still serious Stagefright exploits being found in Oreo but I'm not sure how many impact BB10 (if at all)

[bobshine]

Yeah I think the last major vulnerability (that made headlines anyway) that impacted BB10 was the initial Stagefright exploit via the runtime in 2015. There are still serious Stagefright exploits being found in Oreo but I'm not sure how many impact BB10 (if at all)

No there was one regarding internet protocoles or something like that

[Invictus0]

No there was one regarding internet protocoles or something like that

Heartbleed? That was in 2014.

BlackBerry Ltd preps Heartbleed security updates for some BBM and email programs due to mobile threat | Financial Post

[Chuck Finley69]

Does this mean I can stop worrying about Y2K exploits?

[Invictus0]

Does this mean I can stop worrying about Y2K exploits?

Y2K wasn't an exploit, it was a bug. You can actually still find old programs that suffer from it.

[i_plod_an_dr_void]

You still can't patch stupid.

Wait. What? They've been patching Android all these years, haven't they? (As for ios, well yes they think the ios user is)

[BB-JAM215]

Y2K wasn't an exploit, it was a bug. You can actually still find old programs that suffer from it.

Y2K was mostly a myth that created a lot of anxiety and profits for those who exploited that anxiety.

[Troy Tiscareno]

Y2K was mostly a myth that created a lot of anxiety and profits for those who exploited that anxiety.

It wasn't a myth - there were lots and lots of very real issues that needed to be fixed... and WERE fixed. But the risks were also exaggerated in some cases.

[bobshine]

Heartbleed? That was in 2014.

BlackBerry Ltd preps Heartbleed security updates for some BBM and email programs due to mobile threat | Financial Post

There was something more recent... were they vulnerable to broadpwn?

[Invictus0]

There was something more recent... were they vulnerable to broadpwn?

I don't think so, searching their Knowledge Base for Broadcom only brings up results for BlackBerry Android.

BlackBerry Knowledge Base

I'm not sure if any BB10 devices actually use Broadcom chips though.

[EFats]

That's my thinking. I mean, this seems to be one of those "direct target attack" kind of things.

For this to be widespread, you'd have to start seeing strange vans parked every 200 feet down every street in every neighborhood in the country as they try to infiltrate every home and business wi-fi network there is.

I don't think that would happen.
.

Well, if I just parked myself in Starbucks for half a day, that could net me a lot of victims. Only the idiots would be driving down the block trying to pick off one home at a time. It wouldn't take a lot to make it worthwhile...just one unencrypted email (we all encrypt our emails, right? right?) with some particularly juicy information is all it takes. Maybe YOU are careful, but if your recipient is not and replies back....
With so many WiFi users around the world, the chance of any one user being picked off might be low, but do you really want to count on that as security?

[anon(8063781)]

Y2K wasn't an exploit, it was a bug. You can actually still find old programs that suffer from it.

I remember one trick for dealing with unpatched computers was to set the date back to Jan. 1, 1972. Then you'd be on the right day of the week, if not the right year. Since I had no Internet at the time, and couldn't download an update, that's what I did.

Posted via CB10

[Enyigma]

Y2K wasn't an exploit, it was a bug. You can actually still find old programs that suffer from it.

Y2K was neither exploit or bug. It was the result of deliberate design of early computer code that saved precious memory by presuming two digits were sufficient to identify a year. The vulnerability was what would happen when the date stamp moved forward past midnight from 31/12/99 to 01/01/00. This had a more important impact on the financial world which still largely used COBOL in programming at the time. It certainly could lead to odd results in time-dependent applications (did a minute pass or 100 years?) but could not cause planes to fall out of the sky or missiles to launch as was widely feared.

Exploits and bugs are the result of poorly designed code due to sloppiness or lack of due care such as KRACK, not a planned and deliberate design to achieve the result intended.

[app_Developer]

Well, if I just parked myself in Starbucks for half a day, that could net me a lot of victims. Only the idiots would be driving down the block trying to pick off one home at a time. It wouldn't take a lot to make it worthwhile...just one unencrypted email (we all encrypt our emails, right? right?) with some particularly juicy information is all it takes. Maybe YOU are careful, but if your recipient is not and replies back....
With so many WiFi users around the world, the chance of any one user being picked off might be low, but do you really want to count on that as security?

But the thing is it's a non-trivial amount of work to actually get a session key in most cases. This doesn't make it easy to get the PSK, it just makes it *possible*. That's a huge difference. And in the case of the zero key, you're going to just get a couple of packets. The probability of those packets being an email or anything else remotely sensitive are quite low.

Plus, remember most people send their emails using TLS. So you've still got to crack that as well.

So even a whole day at a coffeeshop is very unlikely to net you anything at all, let alone anything of value.

[thurask]

I don't think so, searching their Knowledge Base for Broadcom only brings up results for BlackBerry Android.

BlackBerry Knowledge Base

I'm not sure if any BB10 devices actually use Broadcom chips though.

Some do.

https://forums.crackberry.com/news-r...-names-828586/

[eshropshire]

But the thing is it's a non-trivial amount of work to actually get a session key in most cases. This doesn't make it easy to get the PSK, it just makes it *possible*. That's a huge difference. And in the case of the zero key, you're going to just get a couple of packets. The probability of those packets being an email or anything else remotely sensitive are quite low.

Plus, remember most people send their emails using TLS. So you've still got to crack that as well.

So even a whole day at a coffeeshop is very unlikely to net you anything at all, let alone anything of value.

Will get you a little lighter in the wallet and some expense coffee. I think it funny when people post about security vulnerabilities on this site. Other than people stupid issues of setting password like 1234. Almost all other vulnerabilities take some serious knowledge of security protocols and programming knowledge to exploit. For Android or iOS many also require people to be stupid enough to root or jailbreak their phones.

[Invictus0]

Some do.

https://forums.crackberry.com/news-r...-names-828586/

Interesting, I don't believe BlackBerry has commented on that. They have on BlueBorne though so I'm not sure what their criteria is.

[Rodrigo Lourenco]

I think a lot of people would be shocked to know just how few people there are still using the platform. BlackBerry knows.

Give us a number!? Please


☇ by Blackberry 

[Invictus0]

Will get you a little lighter in the wallet and some expense coffee. I think it funny when people post about security vulnerabilities on this site. Other than people stupid issues of setting password like 1234. Almost all other vulnerabilities take some serious knowledge of security protocols and programming knowledge to exploit. For Android or iOS many also require people to be stupid enough to root or jailbreak their phones.

Just because we don't hear about them doesn't mean they don't happen. Take Stagefright for example,

https://www.androidheadlines.com/201...c-in-2017.html

You also don't need to root or jailbreak a device to be impacted, in some case that's what the exploits do (and that's one of the things BB Android tries to protect against). Most users probably won't be impacted by exploits but for some security is certainly a consideration when buying a new phone.

[thurask]

Interesting, I don't believe BlackBerry has commented on that. They have on BlueBorne though so I'm not sure what their criteria is.

It is BCM43xx that is vulnerable, although the oldest chip tested by researchers is the BCM4339, which is only in some test platforms according to the previously linked thread. I'd have to look into the OS to check.

[conite]

Give us a number!? Please


☇ by Blackberry 

As I wrote, only BlackBerry knows, but I will try and guess.

27 months ago, BB10 users peeked at 10 million.

The average person keeps a smartphone for 22 months, so that instantly cuts the number to less than 5 million.

I would also argue that the bleed rate on BB10 would be much higher than the average because of the whole "deal platform" thing. I would cut that number in half again to under 2.5 million.

Now how many of these users actually USE the phone as a PRIMARY device? I would probably half the number again.

So, I would guess 1-1.5 million users left, down to 500,000 by next summer. I think I'm being quite generous.

[Wmsi]

This is from September this year:

BlackBerry response to impact of the vulnerabilities known as BlueBorne on BlackBerry products

I expect something similar regarding this new vulnerability.