[brookie229]

This thread is getting old---I think it's safe to say BB is not going to address the problem, OP. Big surprise! /s

[bb10adopter111]

This thread is getting old---I think it's safe to say BB is not going to address the problem, OP. Big surprise! /s

I still think that's a very possible outcome, but I am inured to wait until the end of November before feeling "safe" to say anything. If we assume (for argument's sake) that BlackBerry would be willing to fix it if it was feasible and wouldn't break the bank, then they still would need to complete both a technical assessment and a project management/financial assessment of the fix.

Since we can be sure it's not a top line priority for them, and would I would think the back and forth between engineers and business managers could easily take a few weeks, or even a couple of months before a decision would be finalized. I'm still a little intrigued by the fact that they just pushed an unexpected patch out a couple of weeks ago.

But, while we might not agree on exactly what the cutoff point is, we agree that the chance of a fix declines as time passes from this point forward.

Posted with my trusty Z10

[conite]

I still think that's a very possible outcome, but I am inured to wait until the end of November before feeling "safe" to say anything. If we assume (for argument's sake) that BlackBerry would be willing to fix it if it was feasible and wouldn't break the bank, then they still would need to complete both a technical assessment and a project management/financial assessment of the fix.

Since we can be sure it's not a top line priority for them, and would I would think the back and forth between engineers and business managers could easily take a few weeks, or even a couple of months before a decision would be finalized. I'm still a little intrigued by the fact that they just pushed an unexpected patch out a couple of weeks ago.

But, while we might not agree on exactly what the cutoff point is, we agree that the chance of a fix declines as time passes from this point forward.

Posted with my trusty Z10

To me, whether they update or not should be an easy decision. It comes down to if they have any legal obligations to do so (ie: contracts that are still in force).

[brookie229]

To me, whether they update or not should be an easy decision. It comes down to if they have any legal obligations to do so (ie: contracts that are still in force).

Exactly. But I have a feeling we are getting mighty close to the end of those legal obligations.

[Invictus0]

QNX is mostly in car infotainment systems and they are seldom connected to wifi. Most of the time they come with a SIM card and connects to LTE

Perhaps but QNX is still used for more than just cars (embedded systems, medical devices, etc) and it's BlackBerry's flagship OS, these delays don't reflect well IMO.

[bb10adopter111]

To me, whether they update or not should be an easy decision. It comes down to if they have any legal obligations to do so (ie: contracts that are still in force).

That's certainly likely, but does that mean the recent patch that was released after several months fulfilled a legal obligation, too? And if so, why did they hold onto it so long?

Posted with my trusty Z10

[conite]

That's certainly likely, but does that mean the recent patch that was released after several months fulfilled a legal obligation, too? And if so, why did they hold onto it so long?

Posted with my trusty Z10

¯\_(ツ)_/¯

[johnny_bravo72]

That's certainly likely, but does that mean the recent patch that was released after several months fulfilled a legal obligation, too? And if so, why did they hold onto it so long?

Posted with my trusty Z10

Placebo update? 😀

[Troy Tiscareno]

Perhaps but QNX is still used for more than just cars (embedded systems, medical devices, etc) and it's BlackBerry's flagship OS, these delays don't reflect well IMO.

1. BB10 is not QNX (it uses QNX as its foundation, but 90% of the code is specific to BB10).

2. None of those devices you named are likely WiFi clients - many probably aren't networked at all - so most are probably unaffected anyway.

So, not fixing something that isn't a problem for those devices is hardly going to "reflect poorly" on BB.

[Invictus0]

1. BB10 is not QNX (it uses QNX as its foundation, but 90% of the code is specific to BB10).

2. None of those devices you named are likely WiFi clients - many probably aren't networked at all - so most are probably unaffected anyway.

So, not fixing something that isn't a problem for those devices is hardly going to "reflect poorly" on BB.

1. I didn't say it was QNX but QNX does have its own WiFi driver and it's possible BB10 may be using it.

2. We don't know the use case for every QNX device or industry and realistically it shouldn't matter. BlackBerry as an OS provider would simply have to report or patch the flaw and make it available to QNX users who would decide on integration and deployment themselves.

Medical devices certainly do use WiFi and BlackBerry demonstrated hacking one over it a few years ago.

https://www.healthmgttech.com/fatal-...ckberry-summit

Edit: http://blackberry.qnx.com/en/solutio.../medical/index

[Richard Buckley]

That's certainly likely, but does that mean the recent patch that was released after several months fulfilled a legal obligation, too? And if so, why did they hold onto it so long?

Posted with my trusty Z10

According to BlackBerry and CERT BlackBerry was only notified mid October. Compared to those companies that were notified in the summer that isn't a very long time.

LeapSTR100-2/10.3.3.2205

[StephanieMaks]

I still believe if they had decided to fix it they'd have said something by now.

The ongoing silence wrt BB10 to me means either they have yet to even make a decision, or they've decided to do nothing and say nothing and let BB10 'support' run out the clock before quietly adding it to the list of EOL products.

Likewise if BB10 wasn't vulnerable in the first place, they'd have mentioned that somewhere by now. It doesn't cost much to make a blog post or send a tweet.

As to why the last update was released after such a long delay, at this point I believe BB10 is so low on their list of priorities they flat out forgot. Like, someone turned on the BB10 machine to look into the KRACK thing and discovered 'Oh yeah, there's an update waiting. Send.' <jk>

[app_Developer]

According to BlackBerry and CERT BlackBerry was only notified mid October. Compared to those companies that were notified in the summer that isn't a very long time.

I noticed that, too. I wonder why they were notified so late?

[wingnut666]

why would "the security company" need to be notified by another entity....LOL krackberry. buffoons.

Posted via CBX

[conite]

why would "the security company" need to be notified by another entity....LOL krackberry. buffoons.

Posted via CBX

After 10 years, a WPA2 vulnerability was discovered. Then everyone was notified.

"KRACK (Key Reinstallation Attack) is a severe replay attack (a type of exploitable flaw) on the Wi-Fi Protected Access protocol that secures Wi-Fi connections. It was discovered in 2016 by the Belgian researchers Mathy Vanhoef and Frank Piessens of the University of Leuven. Vanhoef's research group published details of the attack in October 2017"

[bb10adopter111]

I still believe if they had decided to fix it they'd have said something by now.

The ongoing silence wrt BB10 to me means either they have yet to even make a decision, or they've decided to do nothing and say nothing and let BB10 'support' run out the clock before quietly adding it to the list of EOL products.

Likewise if BB10 wasn't vulnerable in the first place, they'd have mentioned that somewhere by now. It doesn't cost much to make a blog post or send a tweet.

As to why the last update was released after such a long delay, at this point I believe BB10 is so low on their list of priorities they flat out forgot. Like, someone turned on the BB10 machine to look into the KRACK thing and discovered 'Oh yeah, there's an update waiting. Send.'

This is pretty much how I have thought about it, with one additional speculative nuance:

If there still is anyone left who feels some responsibility for the security of BB10, which I think is likely, that person/small team may be advocating internally for a fix. If the scope of the work is easily digestible within the existing operating budget, they might get a green light, but the work might progress slowly with no announcement unless the fix was absolutely confirmed to be done.

My experience working in large companies is that people generally want to do the best they can for customers within their constraints, so that solutions with a small scope that can be implemented by existing teams with existing resources can get approved if the teams advocate for it.

The essential question is whether there is still any kind of BB10 team left at BlackBerry with the skills to develop and deploy a relatively small fix for the vulnerable WPA2 components. If there is, it's not like there are any other items on the to do list! But if there aren't, I don't see it happening.



Posted with my trusty Z10

[Invictus0]

I noticed that, too. I wonder why they were notified so late?

And what's interesting is QNX was notified in August when almost all other vendors were,

https://www.kb.cert.org/vuls/id/CHEU-AQNN3H

[brookie229]

None of those devices you named are likely WiFi clients - many probably aren't networked at all - so most are probably unaffected anyway.

Disagree with this statement in that many medical devices are indeed connected both wirelessly and wired, and I might add, very unsecure. It wasn't that long ago that BB had a demo on wireless vital sign monitors that were easily hacked along with infusion pumps.

[bb10adopter111]

Disagree with this statement in that many medical devices are indeed connected both wirelessly and wired, and I might add, very unsecure. It wasn't that long ago that BB had a demo on wireless vital sign monitors that were easily hacked along with infusion pumps.

The IoT world is already omnipresent. There are millions of IoT sensors and other devices that are vulnerable, many of which are in critical infrastructure. With QNX, this is a large component of Blackberry's future business opportunity, and they certainly know they need to handle it very well.

It's amazing to me how many people blithely install IoT items in their lives and business with an irrational assumption that they are safe, when in fact they are vulnerable and largely unregulated and untested.

For example, anyone with an IoT speaker in their bedroom should realize that it would in most cases be relatively easy to record anything that happens there!

Posted with my trusty Z10

[app_Developer]

It's amazing to me how many people blithely install IoT items in their lives and business with an irrational assumption that they are safe, when in fact they are vulnerable and largely unregulated and untested.

For example, anyone with an IoT speaker in their bedroom should realize that it would in most cases be relatively easy to record anything that happens there!

Posted with my trusty Z10

How is it relatively easy to record?

[bb10adopter111]

How is it relatively easy to record?

If it's an interactive speaker, it already has a microphone and protocols for analog to digital conversion and sending sound over the network. All that remains is to redirect that data somewhere else.

Sure, they are "secured" by the manufacturers, but that's not a guarantee that they don't have unidentified vulnerabilities or, in the case of KRACK, known ones.

Posted with my trusty Z10

[app_Developer]

If it's an interactive speaker, it already has a microphone and protocols for analog to digital conversion and sending sound over the network. All that remains is to redirect that data somewhere else.

Sure, they are "secured" by the manufacturers, but that's not a guarantee that they don't have unidentified vulnerabilities or, in the case of KRACK, known ones.

Posted with my trusty Z10

Ok, no guarantees of course. But there is a sea between “no guanantees” and “easy to intercept”

[bb10adopter111]

Ok, no guarantees of course. But there is a sea between “no guanantees” and “easy to intercept”

The significance of the risk depends on several factors:

1) The effort required to use an exploit
2) The value of the information (or the impact of a loss of control of its confidentiality, integrity or availability)
3) The motivations and capabilities of the actors involved.


Posted with my trusty Z10

[Richard Buckley]

why would "the security company" need to be notified by another entity....LOL krackberry. buffoons.

Posted via CBX

Because responsible disclosure means that the vulnerabilities are not released at the same time to everyone. The whole world was notified October 16th, some companies were notified in August.

LeapSTR100-2/10.3.3.2205

[wingnut666]

Because responsible disclosure means that the vulnerabilities are not released at the same time to everyone. The whole world was notified October 16th, some companies were notified in August.

LeapSTR100-2/10.3.3.2205

so they were asleep at the switch....not very 'secure'.

Posted via CBX