1. bb10adopter111
    It seems BlackBerry isn't the only company keeping mum on whether it will update KRACK for older devices. I have a ticket logged with Apple engineering, who have promised me a response one way or the other on a KRACK patch for iOS 9.3.5 (iPad 3). The engineer who is my point of contact says he is still awaiting a response from the engineering lead and that he expects to get one.

    I imagine the answer will be, "No." But a verbal no would be a lot better than BB's silent no.



    Posted with my trusty Z10
    11-03-17 08:45 AM
  2. Chuck Finley69
    It seems BlackBerry isn't the only company keeping mum on whether it will update KRACK for older devices. I have a ticket logged with Apple engineering, who have promised me a response one way or the other on a KRACK patch for iOS 9.3.5 (iPad 3). The engineer who is my point of contact says he is still awaiting a response from the engineering lead and that he expects to get one.

    I imagine the answer will be, "No." But a verbal no would be a lot better than BB's silent no.



    Posted with my trusty Z10
    Post response when you get a chance. iPad mini is running same 9.3.5
    11-03-17 09:10 AM
  3. CaptainSuperb
    $299 for a new iPad 4 mini 128Gb which is the newest they have. In the world of tablets that is pretty great value IMO. 2-3 years from now it will stop getting updates and I'm sure I would have gotten my money's worth. Hell, I actually have had it a year already and it's paid for its $300 already

    I managed to buy an iPad 4 mini 128GB recently for about the same in British pounds (£300), it was a refurb though. It is a beautiful device, although an Android with similar specs would cost less. An iPhone with equivalent storage (128GB) would cost a lot more than a bigger iPad though.

    Side note: I don't see a lot of very significant architectural difference between iOS 11 and 10, or even earlier versions for that matter. I'd think something like the Wifi handshake protocol implementation is a technical detail that doesn't change much between OS versions?
    Last edited by CaptainSuperb; 11-03-17 at 10:29 AM.
    11-03-17 10:13 AM
  4. howarmat
    $100 a year for a device I use once every other week is too much for me. Even if Apple supports it for five years, which is their track record, it's too expensive for my needs. I'm not cheap. My high-end laptop costs $4,500, because I use it constantly to make a living, but a tablet for me is an occasional use video appliance.

    Posted with my trusty Z10
    I guess that is the thing, most people use devices far more than 1 time every 2 weeks. I use it probably avg 30-40 hours of week use on it between video, web surfing and work stuff.

    For your use sure it's not as good, I expected a lot more use than you seem to indicate. For you a cheap FIRE HD is probably great and like $50
    11-03-17 10:38 AM
  5. app_Developer
    I just realized 2 of our TVs at home are on WiFi and need to be. I don't know if they are vulnerable. I'm not worried about KRACK, because the more I hear about it the more I realize it's not a serious real world vulnerability to me. The amount of data that could potentially be harvested from my TV using KRACK is so ridiculously useless that if someone actually KRACK'd our TV, I'd probably just go outside and shake their hand and give them a coffee.

    But it does raise an important question about lifecycles of those things. I don't personally use phones for more than a year, and I get a new iPad every other year on average.

    TVs are different, though. I don't replace TVs for years. Our blu-ray player is on WiFi also. I don't get one of those every year. Our music server is on WiFi (that one is patched already though). So what does this mean for things like that?
    11-03-17 10:46 AM
  6. joeldf
    Yeah, wi-fi has become so ubiquitous that a lot of things you don't initially think of use it. My older son's 3DS and Wii-U, my younger son's DSi, and Wii (hand-me-downs from the older son). The DirecTV needs the wi-fi to do on-demand stuff, two Blu-ray players, Amazon FireTV stick, along with 4 phones, an iPad, a first gen Kindle Fire (still works), 3 computers (there's a fourth, but it's direct ethernet connected to my router), and one school provided MacBook.

    Theoretically, would every one of these devices need fixing?
    11-03-17 11:27 AM
  7. bobshine
    It seems BlackBerry isn't the only company keeping mum on whether it will update KRACK for older devices. I have a ticket logged with Apple engineering, who have promised me a response one way or the other on a KRACK patch for iOS 9.3.5 (iPad 3). The engineer who is my point of contact says he is still awaiting a response from the engineering lead and that he expects to get one.

    I imagine the answer will be, "No." But a verbal no would be a lot better than BB's silent no.



    Posted with my trusty Z10
    From memory, Apple had patched critical security threats on their EOL devices in the past. They may actually do it this time. Have faith!
    11-03-17 11:30 AM
  8. bb10adopter111
    I guess that is the thing, most people use devices far more than 1 time every 2 weeks. I use it probably avg 30-40 hours of week use on it between video, web surfing and work stuff.

    For your use sure it's not as good, I expected a lot more use than you seem to indicate. For you a cheap FIRE HD is probably great and like $50
    My plan to keep an old iPad around is better than buying a FIRE device. It's good for me to be able to test Websites on iPad Safari now and then.

    Posted with my trusty Z10
    11-03-17 01:50 PM
  9. bb10adopter111
    I just realized 2 of our TVs at home are on WiFi and need to be. I don't know if they are vulnerable. I'm not worried about KRACK, because the more I hear about it the more I realize it's not a serious real world vulnerability to me. The amount of data that could potentially be harvested from my TV using KRACK is so ridiculously useless that if someone actually KRACK'd our TV, I'd probably just go outside and shake their hand and give them a coffee.

    But it does raise an important question about lifecycles of those things. I don't personally use phones for more than a year, and I get a new iPad every other year on average.

    TVs are different, though. I don't replace TVs for years. Our blu-ray player is on WiFi also. I don't get one of those every year. Our music server is on WiFi (that one is patched already though). So what does this mean for things like that?
    You've nailed the issue, and this is going to multiply exponentially with IoT. We shouldn't have to buy all new electronics, including entertainment, appliances, thermostats, home security systems, etc., when a security protocol has a new vulnerability discovered.

    This is something that either industry is going to have to take care of, or governments will do it for them through regulation.

    Posted with my trusty Z10
    DreadPirateRegan likes this.
    11-03-17 01:54 PM
  10. cyberdoggie
    This is the reply I received from BlackBerry Help one day ago, when inquiring about the KRACK vulnerability of BB10 :

    BlackBerry® is aware that on October 16, 2017, details were reported about an industry-wide vulnerability in the WPA and WPA2 protocols, as used in Wi-Fi®, which has been identified as "KRACK" and comprises 10 separate CVEs. BlackBerry is diligently working to investigate the impact of the vulnerability on BlackBerry and BlackBerry QNX products, resolve the issue as quickly as possible, and communicate the findings and resolution to our customers. Thanks
    anon(8063781) and Invictus0 like this.
    11-04-17 12:06 PM
  11. bb10adopter111
    This is the reply I received from BlackBerry Help one day ago, when inquiring about the KRACK vulnerability of BB10 :

    BlackBerry® is aware that on October 16, 2017, details were reported about an industry-wide vulnerability in the WPA and WPA2 protocols, as used in Wi-Fi®, which has been identified as "KRACK" and comprises 10 separate CVEs. BlackBerry is diligently working to investigate the impact of the vulnerability on BlackBerry and BlackBerry QNX products, resolve the issue as quickly as possible, and communicate the findings and resolution to our customers. Thanks
    Thanks. Happy that they are acknowledging the issue. It might turn out that the fix for BB10 will use an implementation common to other QNX platforms, in which case it MIGHT be pushed to BB10 as well, with relatively little extra effort. All speculation at this point, but that's all we can do until we hear more.

    I really hope there is an emergency patch, because I have 3 devices that I still love to use that I'd like to use with secure WiFi only.

    Posted with my trusty Z10
    11-04-17 12:14 PM
  12. bobshine
    This is the reply I received from BlackBerry Help one day ago, when inquiring about the KRACK vulnerability of BB10 :

    BlackBerry is aware that on October 16, 2017, details were reported about an industry-wide vulnerability in the WPA and WPA2 protocols, as used in Wi-Fi, which has been identified as "KRACK" and comprises 10 separate CVEs. BlackBerry is diligently working to investigate the impact of the vulnerability on BlackBerry and BlackBerry QNX products, resolve the issue as quickly as possible, and communicate the findings and resolution to our customers. Thanks
    “Blackberry” product is their Android phones, and QNX products is their car infotainment. Don’t think it included BB10.
    11-04-17 01:20 PM
  13. app_Developer
    I wonder how many of their car systems act as WiFi clients?
    11-04-17 01:33 PM
  14. bb10adopter111
    “Blackberry” product is their Android phones, and QNX products is their car infotainment. Don’t think it included BB10.
    Very possibly, but that doesn't alter my original point, which is that NOT addressing the KRACK vulnerability in BB10 will be a clear statement that BB10 support has ended. Most of us understood that no more updates or investments were planned, but the only statements from BlackBerry implied some level of continued "support."

    If fixing a comprehensive vulnerability that breaks secure WiFi doesn't meet the requirements for any minimal level of security support, then it's hard to imagine that BlackBerry would ever do anything more for BB10 under any circumstances.

    Posted with my trusty Z10
    StephanieMaks likes this.
    11-04-17 01:40 PM
  15. Invictus0
    “Blackberry” product is their Android phones, and QNX products is their car infotainment. Don’t think it included BB10.
    They've already commented on its status for BlackBerry Android and on their new website BlackBerry 10 is still listed under their products tab.

    I am curious why it's taking so long for QNX though, isn't that their most widely used product (by installs)?
    11-04-17 02:30 PM
  16. anon(8063781)
    They've already commented on its status for BlackBerry Android and on their new website BlackBerry 10 is still listed under their products tab.

    I am curious why it's taking so long for QNX though, isn't that their most widely used product (by installs)?
    Just speculating, but perhaps the Android fix was easier because someone else did the heavy lifting? With anything QNX-based, I would have to assume that BlackBerry will be developing and testing the fix themselves.


    Posted via CB10
    app_Developer likes this.
    11-04-17 02:39 PM
  17. bb10adopter111
    Just speculating, but perhaps the Android fix was easier because someone else did the heavy lifting? With anything QNX-based, I would have to assume that BlackBerry will be developing and testing the fix themselves.


    Posted via CB10
    If we're speculating, they could be in negotiations with one or more key customers to pay for the patch development. It would only take a single defense or clandestine agency that is a committed user to make this a viable scenario. I always wondered who it was that demanded (and likely paid for) 10.3.3 with its NAIP certification!

    Posted with my trusty Z10
    Troy Tiscareno likes this.
    11-04-17 02:57 PM
  18. eshropshire
    If we're speculating, they could be in negotiations with one or more key customers to pay for the patch development. It would only take a single defense or clandestine agency that is a committed user to make this a viable scenario. I always wondered who it was that demanded (and likely paid for) 10.3.3 with its NAIP certification!

    Posted with my trusty Z10
    I am pretty sure BlackBerry had contracted with an NAIP certification company back in 2015 assuming it would not take 18 months to certify BB10. By the end I doubt they needed the certification, but continued the process because they had already paid for the testing.

    I know worldwide I have one BB10 corporate customer left and this one is in Europe (they are now far into their mobile migration plan). We told them last year we were no longer supporting BB10 (after we met with BlackBerry). This was before BlackBerry made their public announcement about getting out of hardware.
    11-04-17 09:03 PM
  19. bb10adopter111
    I am pretty sure BlackBerry had contracted with an NAIP certification company back in 2015 assuming it would not take 18 months to certify BB10. By the end I doubt they needed the certification, but continued the process because they had already paid for the testing.

    I know worldwide I have one BB10 corporate customer left and this one is in Europe (they are now far into their mobile migration plan). We told them last year we were no longer supporting BB10 (after we met with BlackBerry). This was before BlackBerry made their public announcement about getting out of hardware.
    Thanks for the detail. I really was just speculating. That's the best explanation for the odd NAIP certification timing I've heard. I would be mildly surprised if anyone was still heavily invested in maintaining BB10's security certifications, but if the fix is as relatively simple as I've been led to believe, it might only take one or two devoted customers with a reasonable budget to develop the patch.

    Wishful thinking? Definitely. But not totally absurd.

    Posted with my trusty Z10
    DreadPirateRegan likes this.
    11-04-17 09:18 PM
  20. bobshine
    They've already commented on its status for BlackBerry Android and on their new website BlackBerry 10 is still listed under their products tab.

    I am curious why it's taking so long for QNX though, isn't that their most widely used product (by installs)?
    QNX is mostly in car infotainment systems and they are seldom connected to wifi. Most of the time they come with a SIM card and connect to LTE
    11-05-17 05:46 PM
  21. Richard Buckley
    QNX is mostly in car infotainment systems and they are seldom connected to wifi. Most of the time they come with a SIM card and connect to LTE
    There are ten CVEs associated with Krack. Just because no one has, as yet, found a path to exploiting Wi-Fi masters doesn't mean it isn't there and they shouldn't be doing exactly what that message said that they were doing.

    LeapSTR100-2/10.3.3.2205
    11-06-17 07:14 AM
  22. bb10adopter111
    But that doesn't mean that car systems don't offer WiFi hotspots implemented with QNX which would be vulnerable to KRACK exploits and would need to be patched.
    11-06-17 08:08 AM
  23. app_Developer
    But that doesn't mean that car systems don't offer WiFi hotspots implemented with QNX which would be vulnerable to KRACK exploits and would need to be patched.
    What would that patch be? The only vulnerabilities described in the KRACK paper and the CVEs are client side (supplicant) vulnerabilities.

    The patches can only address the issues actually described in these CVEs, which are not relevant to hotspots.
    11-06-17 10:10 AM
  24. bb10adopter111
    What would that patch be? The only vulnerabilities described in the KRACK paper and the CVEs are client side (supplicant) vulnerabilities.

    The patches can only address the issues actually described in these CVEs, which are not relevant to hotspots.
    If that's true, then you're right. I had been told that the best way to address the vulnerability in some cases was modifying the protocol on both ends.

    Posted with my trusty Z10
    11-06-17 11:59 AM
  25. Richard Buckley
    Supplicant is a position in the protocol, not necessarily a description of a piece of hardware. Most devices which we normally associate with the client function can also provide the server function, and most that provide the server function can also be supplicants. Even if that is not a documented function the code is probably in the stack. All Wi-Fi capable systems and devices will have to be patched or the users will have to accept the possibility of future vulnerabilities when people find out how to exploit unpatched supplicant code in servers.

    LeapSTR100-2/10.3.3.2205
    11-06-17 12:29 PM