KRACK WPA2 Vulnerability on BB10

Printable View

10-16-17, 11:18 PM
EFats

KRACK WPA2 Vulnerability on BB10

Does anyone have any updates on this?
Original source is here:
https://www.krackattacks.com/

Link to vulnerability notes from that document is here:
https://www.kb.cert.org/vuls/byvendo...&SearchOrder=4

For BlackBerry, it says the status is unknown, butnotification was October 13, just before the weekend and there is no update yet.
QNX is also an unknown but notification date was end of August so it's been a while.

Given that virtually every other big vendor is affected, I would be surprised if BlackBerry is not since it sounds like it is tied to one of the recommendation/implementation of the spec.

Will be interesting to see how BlackBerry will respond given that there are still enterprise customers using BlackBerry
10-16-17, 11:27 PM
EFats

So it seems the Playbook uses 4-way handshake
Troubleshooting Wi-Fi and networking on the BlackBerry PlayBook
which seems to be at the heart of the problem. Unless BlackBerry does something interesting, more likely than not we will be affected. However, realistically, I think you need BOTH our phones and the WiFi router to be patched to be secured. We'll see...
10-16-17, 11:56 PM
thurask

Short of BlackBerry putting out some statement about the effect, the lack of proof of concept means nobody here can test their BB10/BBOS/PBOS devices just yet.
10-16-17, 11:59 PM
Invictus0

I wouldn't be surprised if some of the vulnerabilities impacted BB10 as that's the case for other platforms, I guess we'll just have to wait for them to post an advisory.

https://ca.blackberry.com/enterprise...-response-team
10-17-17, 01:58 AM
Troy Tiscareno

I can't do anything about people's phones or other devices, but I patched the Ubiquiti WiFI access points for 38 customers (well over 100 APs in over 40 locations) in 30 minutes today. Cloud administration and fast response from Ubiquiti sure worked out nicely!
10-17-17, 05:47 PM
TheAmazingHarold

Good to know as that's what we use. Thought about tweeting BlackBerry support but they're completely useless when it comes to BB10 in my experience. Wouldn't be surprised if they just said "buy one of our new android powered devices".
10-17-17, 08:15 PM
ppeters914

1 Attachment(s)

Originally Posted by Troy Tiscareno

I can't do anything about people's phones or other devices, but I patched the Ubiquiti WiFI access points for 38 customers (well over 100 APs in over 40 locations) in 30 minutes today. Cloud administration and fast response from Ubiquiti sure worked out nicely!

Attachment 430650
10-18-17, 01:34 PM
anon(10321802)

Unless BlackBerry releases a statement to the contrary, the safest assumption is that BB10 and older devices are all vulnerable.
10-18-17, 01:38 PM
app_Developer

Originally Posted by Newfangled

Unless BlackBerry releases a statement to the contrary, the safest assumption is that BB10 and older devices are all vulnerable.

Having read the paper and gotten a couple of briefings finally, there are a few different related vulnerabilities. So there are varying degrees here.

But, yes, I would assume BB10 is at least vulnerable to the GSK re-install attack. Every device they tested was vulnerable to that one, because a correct implementation of the spec makes you vulnerable. Some devices were vulnerable to other attacks as well.