The "secure" BB10 OS is not great at establishing secure connections because it uses dated protocols
-
Edit: And one more thought. 1.0.1 through 1.0.1e are only vulnerable if compiled with heartbeat support on. Since heartbeat is designed to provide better service for DTLS it is entirely reasonable for BlackBerry to have not compiled that feature in.BCITMike likes this.04-09-14 10:37 AMLike 1 -
EDIT: Also, they could be using a different library for some of their own binaries, like webkit. All we can see is what's available when establishing a connection.
I was only able to test the Android side, but someone could release a tool to check the native side.
EDIT: On Android, only 4.1.1 is vulnerable in the 4.x branch, but since apps can include their own libs, some may be vulnerable.Last edited by ofutur; 04-10-14 at 01:40 PM.
kbz1960 likes this.04-10-14 11:34 AMLike 1 - You are correct, the library is included so that apps can use it to establish secure connections. That's what makes BlackBerry 10 potentially vulnerable, if it has the heartbeat function enabled. An attacker would be able to access the memory space given to the app which connects to the rogue server.
No, but it doesn't matter. Let's say the browser is vulnerable. An attacker could see which sites you're browsing and steal your logins/passwords if you've got other tabs opened. Worse, they might be able to get the client certificate you're using to securely connect to an company server.
You're right and that's something with may mean that BlackBerry 10.2.1 is safe.
I was only able to test the Android side, but someone could release a tool to check the native side.Last edited by Richard Buckley; 04-10-14 at 01:47 PM. Reason: Confirmed sim browser is not using host SSL library.
04-10-14 01:44 PMLike 0 - I don't understand, is this an attempt to paranoid us into not using our BlackBerry's? I don't really understand much about Internet security protocols, nor am I a business professional so even if someone were to hack my BlackBerry, all they would get would be access to the $5 in my bank account and my facebook password.04-10-14 02:30 PMLike 0
- Unless the bug allows for leakage of the system memory, or other process memory and not just the process memory of the vulnerable program then that would be correct. If the latter, then an attacker would only be able to access the affected process. Third party browsers should not be used to access the corporate intraweb unless they have been vetted and approved. A proper BES configuration would take care of this for the work side of balance.
And my example was about attacking the standard browser's process, which contains plenty of private information, depending on what you're using it for, not some 3rd party solution. There is enough material on the web right now to understand what's possible.
People on BES would probably be safer since the work browser runs in a separate process, but I don't think BB10 supports memory partitioning yet.
I have a natural distrust of people who claim IT security cred but shoot first and ask questions later. You don't need to wait until someone writes a native tool. Just browse to ssllabs.com I've attached the results from the BlackBerry Browser on the simulator. If I get time I will post the results from my actual hardware later. To test the OpenSSL you only need to find a third party browser that uses it and perform the test. A little bit of research before making allegations can do wonders to protect your reputation.
I didn't have the time to write an app and BlackBerry offers a limited set of binaries that we can use, so I'll let someone else write a tool. I scanned services locally and couldn't find one which was vulnerable.
I have no idea what you're trying to say with that ssllabs test/screenshot04-10-14 02:52 PMLike 0 - I don't understand, is this an attempt to paranoid us into not using our BlackBerry's? I don't really understand much about Internet security protocols, nor am I a business professional so even if someone were to hack my BlackBerry, all they would get would be access to the $5 in my bank account and my facebook password.
Now, BlackBerry should update their crypto libraries to better protect content encrypted in transit, but it's not like criminal organisations are actively exploiting the weaknesses described in the OP today, unlike what's happening this week with hackers busy scanning the Internet to collect as many passwords as they can.
Best not to do anything "important" on the Internet this week, using any browser, unless you've heard from the service you want to connect to.04-10-14 03:06 PMLike 0 - There will always be weaknesses to expose, and there will always be people trying to exploit them. The Internet is a leaky boat. Patch one hole, another one eventually pops up.04-10-14 03:47 PMLike 0
- Ever heard of shared memory?
And my example was about attacking the standard browser's process, which contains plenty of private information, depending on what you're using it for, not some 3rd party solution. There is enough material on the web right now to understand what's possible.
People on BES would probably be safer since the work browser runs in a separate process, but I don't think BB10 supports memory partitioning yet.
IT security cred has nothing to do with raising awareness about a very serious bug which may affect BB10 users browsing the web, just like any affected company took responsibility and contacted their customers to let them know of what is going on, even if they were not affected.
I didn't have the time to write an app and BlackBerry offers a limited set of binaries that we can use, so I'll let someone else write a tool. I scanned services locally and couldn't find one which was vulnerable.
I have no idea what you're trying to say with that ssllabs test/screenshotBlackBerry 10 uses OpenSSL 1.0.1e and is vulnerable...
SSLLabs is a very credible professionally run SSL suite test site, among other things. The screen shot I posted shows that the SSL used by the BB10 browser is not vulnerable because it supports only up to TLS 1.0 and therefore not the handshake extention.
What you are doing is no different than the press who claim that 66% of the web is vulnerable simply because a browser that uses OpenSSL has that market share. The truth is the handshake protocol is of little value to a webserver, or a smart phone. The Android runtime you tested seems to not have handshake compiled in. The majority of webservers that were initially reported as vulnerable were reported as such based only on the version of OpenSSL they were running, not whether they had handshake enabled. None of my servers have been vulnerable because while I use OpenSSL, I was not running vulnerable versions. The actual count of vulnerable sites is closer to 25%. Still not good, but not the end of the word.
If you want to rais awarness try speaking from facts rather than assumptions.
Edit: here is the SSLLabs results for a Z10 running 10.2.1. Also not vulnerable to heartbleed.
Attachment 262122BCITMike likes this.04-10-14 04:12 PMLike 1 - This may look like it is true, but many of the vulnerabilities can be avoided by (as SunMicrosystems always advised) don't upgrade gratuitously and don't install features you don't need and are't going to use. Following this last rule means that my servers, BlackBerry's BB10 browser and most of the internet that is using OpenSSL isn't vulnerable.04-10-14 04:15 PMLike 0
-
With something that big, I'd rather raise awareness before having all the facts than feeling sorry later on. BlackBerry does security differently. It's possible they've turned on the heartbeat feature in order to try and increase the level of protection against timing attacks.04-10-14 05:28 PMLike 0 - No, shared memory is something you specifically enable. It is a scheme to share data between specific processes.
I think it would be best to leave shared memory out of the arguments.
I haven't dug into the guts of the BlackBerry browser, so I will stay out of that argument. But I can tell you I've updated openSSL on my desktop linux PC twice since Saturday.
Posted via CB1004-10-14 06:45 PMLike 0 -
You said the browser might be safer because it is a separate process, but all apps are separate process so why is the browser different?
I'm saying that it could be. You're not bringing proof that it isn't... Neither is BlackBerry. We'll have to wait for their full assessment to know for sure. I'm just glad that they've patched some servers and revoked/replaced their certificates.
Ssllabs was mentoned in the OP..., but now I finally understand what you were trying to say... and that's correct, the browser is not vulnerable. We only need to find out about the libraries and apps now.
We don't need to find that out. If you read my post with the reply from BBSIRT you know that they are looking into it and will take action if required. That would probably be responsible disclosure to vendors who are using it, if it is vulnerable.
If you want to test OpenSSL there must be a third party browser in BlackBerry World that uses the OpenSSL library. Find it, install it and go to SSLLABS.
BlackBerry does security differently. It's possible they've turned on the heartbeat feature in order to try and increase the level of protection against timing attacks.
Posted via CB1004-10-14 07:13 PMLike 0 - The main news section of Crackberry has a message from BlackBerry that bb10 is not effected.
http://crackberry.com/blackberry-add...-vulnerability
Posted via CB10vrud and anon(2729369) like this.04-10-14 08:09 PMLike 2 - The main news section of Crackberry has a message from BlackBerry that bb10 is not effected.
BlackBerry addresses OpenSSL Heartbleed vulnerability | CrackBerry.com
Posted via CB10
So I hope now it is settled.
They do have issues with some products, but BB10 isn't among them.04-10-14 08:59 PMLike 0 - Anyone who trusts Wikipedia (where anyone can post anything about anything) for factual information may want to conduct research that doesn't include Wikipedia. Just my opinion.
@BruvvaPete :Channel: C0012176F. Live well04-10-14 10:00 PMLike 0 - Running a linux box is like a news service on exploits. I see the updates roll out and then the press gets them about two days later. This is the first one I recall where the press knew about the bug before the linux patch rolled out.
I presume the person or organization that finds the exploit give the linux maintainers some head notice.
Posted via CB1004-10-14 10:38 PMLike 0 -
Posted via CB1004-10-14 11:06 PMLike 0 - Perhaps with the newer SSL versions bug, and BlackBerry using "dated" protocols we were not as exposed as others are. Just a thought!
Life is simple, we are the ones that complicate it !!! Z10STL100-3/10.2.1.2947/2235 on AT&T04-10-14 11:36 PMLike 0 - Honestly, one of the major reasons I've stuck with this company is for their security and if you truly care about that you'd take this in a more serious way. I don't think this is something people should be personalized for it's something to be talked about, this guy brought up a good point and explained it thoroughly enough. This is not something that can't be fixed and instead of being pissed at the OP maybe you should contact BlackBerry instead with the keyboard rage. Everyone using a BB10 phone/browser should have the best security for it's a huge selling point and obviously important to the people who own it. I'm just saying this anger should be aimed at the company.
Posted via CB10
You are right that security is important. It is also important not to assert vulnerability in the absence of the facts. That you believe that there is a reason to direct anger at BlackBerry over this is an indication of how damaging that can be. For one thing it can focus attention away from where it really needs to be.
Posted via CB1004-11-14 04:20 AMLike 0 -
But that was all hypothetical, in case the browser was vulnerable, but since it's stuck at TLS 1.0, there is no problem there.
The results from SSLLabs is proof.
We don't need to find that out. If you read my post with the reply from BBSIRT you know that they are looking into it and will take action if required. That would probably be responsible disclosure to vendors who are using it, if it is vulnerable.
If you want to test OpenSSL there must be a third party browser in BlackBerry World that uses the OpenSSL library. Find it, install it and go to SSLLABS.
As for apps, the test you suggest won't give any meaningful results since what most 3rd party browsers do is change the shell only, just like the native browser, which used to be an HTML5 app.
It's not trivial to attack apps though, unless they act as local servers, as they have to be fooled into connecting to a rogue server. That's probably why BlackBerry is not too worried about BBM being vulnerable on other platforms.
Yeah, let's stick with Windows XP, just in case nasty bugs crawl in Windows 804-11-14 04:57 AMLike 0 - The OP is about TLS1.0. Nothing has changed there, BlackBerry needs to upgrade. I then raised my concerned about a newly discovered flaw in the library used, which luckily didn't affect BlackBerry 10, but did affect some of their products.04-11-14 05:01 AMLike 0
-
Heartbleed on the other hand is an example of why one should not rush to adopt new features unless they are needed. I wonder how many systems that are vulnerable to heartbleed actually need the heartbeat extension. One of the reasons my users and I don't have to be concerned about the systems I manage is that for the past two years we have been using OpenSSL 0.9.8 of various sub-versions that track the bug fixes of 1.0.1 but lack the addition features we don't need, like heatbeat.
BlackBerry is not perfect. It will be interesting to see, as time moves on, what the specifics behind the vulnerable products are. But if it comes down to believing that BlackBerry needs to do something because you say they do, or looking at BlackBerry's track record and concluding that they in fact know what they are doing, I'm going to have to side with BlackBerry on this one. There are choices in the market. If having TLS 1.2 on their smartphone is important enough to someone, they can exercise their freedom of choice. At the end of the day BB10 is not vulnerable to any of the things you sought to raise awareness of. People should not loose sight of that.04-11-14 06:18 AMLike 0 -
i respect you and have learned a lot from several of your posts, so while your other observations on TLS1.0 may be true, that was an assumption that should not have been made.anon(2729369) likes this.04-11-14 06:32 AMLike 1 - I don't understand, is this an attempt to paranoid us into not using our BlackBerry's? I don't really understand much about Internet security protocols, nor am I a business professional so even if someone were to hack my BlackBerry, all they would get would be access to the $5 in my bank account and my facebook password.
The Heartbleed Hit List: The Passwords You Need to Change Right Now
no bank sites were affected directly.. but I'd take a moment to at least change the shopping/commerce sites or any site pw where u put your bank info in... cuz it may be only $5 now but you've got to pay for that phone ur browsing CB with somehow right? wouldn't want them to steal your next phone bill payment or we wouldn't be seeing you for a while! heh jk ...04-11-14 06:54 AMLike 0 - you did more than "raise concern"; you also mentioned multiple times BB10 was vulnerable and needed to be patched, before having all the facts and/or a statement from BlackBerry...
i respect you and have learned a lot from several of your posts, so while your other observations on TLS1.0 may be true, that was an assumption that should not have been made.
Nobody has independently verified that BB10 is safe though. We're just taking BlackBerry's word for it.NinjaB likes this.04-11-14 08:03 AMLike 1
- Forum
- BlackBerry 10 Phones & OS
- BlackBerry 10 OS
The "secure" BB10 OS is not great at establishing secure connections because it uses dated protocols
« It's probably already too late to worry about FREAK vulnerability
|
Update for BlackBerry 10 devices »
Similar Threads
-
Not Taking a Step Back
By JAS0NB0URNE in forum BlackBerry ClassicReplies: 11Last Post: 02-28-14, 02:05 PM -
BlackBerry ahead of Android 2 years back , hope we had the same thing now.
By rave1090 in forum General BlackBerry News, Discussion & RumorsReplies: 4Last Post: 02-25-14, 11:43 AM -
It's business as usual with app development on the BlackBerry Q20
By CrackBerry News in forum CrackBerry.com News Discussion & ContestsReplies: 1Last Post: 02-25-14, 11:12 AM
LINK TO POST COPIED TO CLIPBOARD