12-25-17 05:54 PM
  1. bobshine's Avatar
    My memory is failing me... did BB patch the last major vulnerability?
    10-20-17 05:30 PM
  2. Invictus0's Avatar
    I agree, but for all we know, they could already be telling their enterprise clients exactly what the plan is. They don't really need to update the public if they are updating at risk companies directly. That said, this seems like the perfect moment to publicly affirm either that BB10 development has ceased altogether (though TBH I think they've already said that), with no patch for KRACK forthcoming, or that they are taking the extraordinary step of patching BB10 for this event, but that it will then be EOL.

    In any case, a lack of an official statement by the time that Android and Apple have released their patches IS an official statement, as far as I'm concerned. That was the point of this post! :-)
    Like with BlueBorne, I would assume they would put out a general security advisory that covered all of their products and not something BB10 specific.

    My memory is failing me... did BB patch the last major vulnerability?
    Which vulnerability?
    10-20-17 05:33 PM
  3. DreadPirateRegan's Avatar



    Which vulnerability?

    Ahh man, set himself up for that one, but he probably might not know BlueBorne didn't affect BB10, as I didn't for a while myself, unless we missed something or there were multiple...


     Passport SE  -Working wiDe in 2017+...
    10-20-17 05:47 PM
  4. Invictus0's Avatar
    Ahh man, set himself up for that one, but he probably might not know BlueBorne didn't affect BB10, as I didn't for a while myself, unless we missed something or there were multiple...


     Passport SE  -Working wiDe in 2017+...
    Yeah I think the last major vulnerability (that made headlines anyway) that impacted BB10 was the initial Stagefright exploit via the runtime in 2015. There are still serious Stagefright exploits being found in Oreo but I'm not sure how many impact BB10 (if at all)
    10-20-17 06:27 PM
  5. bobshine's Avatar
    Yeah I think the last major vulnerability (that made headlines anyway) that impacted BB10 was the initial Stagefright exploit via the runtime in 2015. There are still serious Stagefright exploits being found in Oreo but I'm not sure how many impact BB10 (if at all)
    No, there was one regarding internet protocols or something like that
    10-20-17 06:48 PM
  6. Invictus0's Avatar
    No, there was one regarding internet protocols or something like that
    Heartbleed? That was in 2014.

    BlackBerry Ltd preps Heartbleed security updates for some BBM and email programs due to mobile threat | Financial Post
    10-20-17 07:21 PM
  7. Chuck Finley69's Avatar
    Does this mean I can stop worrying about Y2K exploits?
    10-20-17 07:28 PM
  8. Invictus0's Avatar
    Does this mean I can stop worrying about Y2K exploits?
    Y2K wasn't an exploit, it was a bug. You can actually still find old programs that suffer from it.
    10-20-17 07:44 PM
  9. i_plod_an_dr_void's Avatar
    You still can't patch stupid.
    Wait. What? They've been patching Android all these years, haven't they? (As for iOS, well, yes they think the iOS user is)
    10-20-17 08:59 PM
  10. BB-JAM215's Avatar
    Y2K wasn't an exploit, it was a bug. You can actually still find old programs that suffer from it.
    Y2K was mostly a myth that created a lot of anxiety and profits for those who exploited that anxiety.
    10-20-17 09:21 PM
  11. Troy Tiscareno's Avatar
    Y2K was mostly a myth that created a lot of anxiety and profits for those who exploited that anxiety.
    It wasn't a myth - there were lots and lots of very real issues that needed to be fixed... and WERE fixed. But the risks were also exaggerated in some cases.
    StephanieMaks likes this.
    10-20-17 10:43 PM
  12. bobshine's Avatar
    There was something more recent... were they vulnerable to broadpwn?
    10-20-17 11:48 PM
  13. Invictus0's Avatar
    There was something more recent... were they vulnerable to broadpwn?
    I don't think so, searching their Knowledge Base for Broadcom only brings up results for BlackBerry Android.

    BlackBerry Knowledge Base

    I'm not sure if any BB10 devices actually use Broadcom chips though.
    10-21-17 12:55 AM
  14. EFats's Avatar
    That's my thinking. I mean, this seems to be one of those "direct target attack" kind of things.

    For this to be widespread, you'd have to start seeing strange vans parked every 200 feet down every street in every neighborhood in the country as they try to infiltrate every home and business wi-fi network there is.

    I don't think that would happen.
    .
    Well, if I just parked myself in Starbucks for half a day, that could net me a lot of victims. Only the idiots would be driving down the block trying to pick off one home at a time. It wouldn't take a lot to make it worthwhile...just one unencrypted email (we all encrypt our emails, right? right?) with some particularly juicy information is all it takes. Maybe YOU are careful, but if your recipient is not and replies back....
    With so many WiFi users around the world, the chance of any one user being picked off might be low, but do you really want to count on that as security?
    10-21-17 01:18 AM
  15. Shuswap's Avatar
    Y2K wasn't an exploit, it was a bug. You can actually still find old programs that suffer from it.
    I remember one trick for dealing with unpatched computers was to set the date back to Jan. 1, 1972. Then you'd be on the right day of the week, if not the right year. Since I had no Internet at the time, and couldn't download an update, that's what I did.

    Posted via CB10
    10-21-17 02:26 AM
  16. Enyigma's Avatar
    Y2K wasn't an exploit, it was a bug. You can actually still find old programs that suffer from it.
    Y2K was neither exploit nor bug. It was the result of deliberate design of early computer code that saved precious memory by presuming two digits were sufficient to identify a year. The vulnerability was what would happen when the date stamp moved forward past midnight from 31/12/99 to 01/01/00. This had a more important impact on the financial world, which still largely used COBOL in programming at the time. It certainly could lead to odd results in time-dependent applications (did a minute pass or 100 years?) but could not cause planes to fall out of the sky or missiles to launch as was widely feared.

    Exploits and bugs are the result of poorly designed code due to sloppiness or lack of due care such as KRACK, not a planned and deliberate design to achieve the result intended.
    10-21-17 08:17 AM
  17. app_Developer's Avatar
    Well, if I just parked myself in Starbucks for half a day, that could net me a lot of victims. Only the idiots would be driving down the block trying to pick off one home at a time. It wouldn't take a lot to make it worthwhile...just one unencrypted email (we all encrypt our emails, right? right?) with some particularly juicy information is all it takes. Maybe YOU are careful, but if your recipient is not and replies back....
    With so many WiFi users around the world, the chance of any one user being picked off might be low, but do you really want to count on that as security?
    But the thing is it's a non-trivial amount of work to actually get a session key in most cases. This doesn't make it easy to get the PSK, it just makes it *possible*. That's a huge difference. And in the case of the zero key, you're going to just get a couple of packets. The probability of those packets being an email or anything else remotely sensitive is quite low.

    Plus, remember most people send their emails using TLS. So you've still got to crack that as well.

    So even a whole day at a coffeeshop is very unlikely to net you anything at all, let alone anything of value.
    10-21-17 10:03 AM
  18. thurask's Avatar
    I don't think so, searching their Knowledge Base for Broadcom only brings up results for BlackBerry Android.

    BlackBerry Knowledge Base

    I'm not sure if any BB10 devices actually use Broadcom chips though.
    Some do.

    https://forums.crackberry.com/news-r...-names-828586/
    hehedeba and Invictus0 like this.
    10-21-17 01:16 PM
  19. eshropshire's Avatar
    But the thing is it's a non-trivial amount of work to actually get a session key in most cases. This doesn't make it easy to get the PSK, it just makes it *possible*. That's a huge difference. And in the case of the zero key, you're going to just get a couple of packets. The probability of those packets being an email or anything else remotely sensitive is quite low.

    Plus, remember most people send their emails using TLS. So you've still got to crack that as well.

    So even a whole day at a coffeeshop is very unlikely to net you anything at all, let alone anything of value.
    Will get you a little lighter in the wallet and some expensive coffee. I think it's funny when people post about security vulnerabilities on this site. Other than people-stupid issues like setting a password like 1234, almost all other vulnerabilities take some serious knowledge of security protocols and programming knowledge to exploit. For Android or iOS, many also require people to be stupid enough to root or jailbreak their phones.
    10-21-17 01:46 PM
  20. Invictus0's Avatar
    Interesting, I don't believe BlackBerry has commented on that. They have on BlueBorne though so I'm not sure what their criteria is.
    10-21-17 02:07 PM
  21. Rodrigo Lourenco's Avatar
    I think a lot of people would be shocked to know just how few people there are still using the platform. BlackBerry knows.
    Give us a number!? Please


    ☇ by Blackberry 
    10-21-17 02:14 PM
  22. Invictus0's Avatar
    Will get you a little lighter in the wallet and some expensive coffee. I think it's funny when people post about security vulnerabilities on this site. Other than people-stupid issues like setting a password like 1234, almost all other vulnerabilities take some serious knowledge of security protocols and programming knowledge to exploit. For Android or iOS, many also require people to be stupid enough to root or jailbreak their phones.
    Just because we don't hear about them doesn't mean they don't happen. Take Stagefright for example,

    https://www.androidheadlines.com/201...c-in-2017.html

    You also don't need to root or jailbreak a device to be impacted; in some cases that's what the exploits do (and that's one of the things BB Android tries to protect against). Most users probably won't be impacted by exploits, but for some, security is certainly a consideration when buying a new phone.
    10-21-17 02:24 PM
  23. thurask's Avatar
    Interesting, I don't believe BlackBerry has commented on that. They have on BlueBorne though so I'm not sure what their criteria is.
    It is BCM43xx that is vulnerable, although the oldest chip tested by researchers is the BCM4339, which is only in some test platforms according to the previously linked thread. I'd have to look into the OS to check.
    10-21-17 02:25 PM
  24. conite's Avatar
    Give us a number!? Please


    ☇ by Blackberry 
    As I wrote, only BlackBerry knows, but I will try and guess.

    27 months ago, BB10 users peaked at 10 million.

    The average person keeps a smartphone for 22 months, so that instantly cuts the number to less than 5 million.

    I would also argue that the bleed rate on BB10 would be much higher than the average because of the whole "deal platform" thing. I would cut that number in half again to under 2.5 million.

    Now how many of these users actually USE the phone as a PRIMARY device? I would probably halve the number again.

    So, I would guess 1-1.5 million users left, down to 500,000 by next summer. I think I'm being quite generous.
    10-21-17 03:52 PM
  25. Wmsi's Avatar
    This is from September this year:

    BlackBerry response to impact of the vulnerabilities known as BlueBorne on BlackBerry products

    I expect something similar regarding this new vulnerability.
    10-21-17 04:19 PM