[lewis71980]

Out of interest, does the microkernel design of the OS prevent against these attacks?

Does BB10 / QNX need patching in the same way as Linux / Windows?

[glwerry]

Out of interest, does the microkernel design of the OS prevent against these attacks?

Does BB10 / QNX need patching in the same way as Linux / Windows?

Although I don't know explicitly, it likely would, since the vulerability is at the HARDWARE level - it's the CPU itself, independent of the OS.

[rthonpm]

This is an issue that affects Intel based x86 systems. BB10 uses a different instruction set entirely so mobile systems using ARM or other processor types aren't at risk. For QNX as a whole, it will likely depend on what it's running on, but as it was built primarily for embedded systems, it's likely on custom chipsets or other non-x86 systems for the most part.

Posted via CB10

[co4nd]

This is an issue that affects Intel based x86 systems. BB10 uses a different instruction set entirely so mobile systems using ARM or other processor types aren't at risk. For QNX as a whole, it will likely depend on what it's running on, but as it was built primarily for embedded systems, it's likely on custom chipsets or other non-x86 systems for the most part.

Posted via CB10

They are reporting today that Spectre effects Intel, AMD and Arm.

https://www.pcmag.com/news/358249/in...ix-means-slowe

[gerson008]

To the best of my knowledge, they maybe not be affected
1) For BB Classics which i own, uses snapdragon S4 plus, which is ARM Cortex A5
2) For Keyone which i am planning to purchase uses Snapdragon 625 , which is ARM Cortex-A53

Neither of them are listed in https://developer.arm.com/support/security-update

Of course, i am also waiting for the confirmation by a qualified BB personnel.

Refereces:
1) for Classics - https://www.gsmarena.com/blackberry_classic-6458.php
2) For Keyone - https://www.gsmarena.com/blackberry_keyone-8508.php

[Dunt Dunt Dunt]

Proable need to see if QNX makes any comment about their products... like with KRACK BlackBerry probable isn't talking about BB10 anymore.

[anon(10321802)]

Keep in mind these vulnerabilities can only be exploited via malware running locally on the device.

This may be a case where "security through obscurity" may offer some protection.

[thurask]

There are four CPUs underlying every BB10 device:

• TI OMAP 4470 (Z10 STL100-1): ARM Cortex A9 cores, which are vulnerable according to ARM.
• Qualcomm Snapdragon S4 (other Z10, Z30, Q10, Q5, Classic, Leap): Custom Qualcomm Krait cores; the ARM bulletin only lists their models instead of derivatives from other manufacturers (Qualcomm Krait/Kryo, Samsung Exynos custom cores, etc), but Krait does have speculative execution, so they're quite likely vulnerable to Spectre.
• Qualcomm Snapdragon 800 (Passport): Custom Qualcomm Krait 400 cores, ditto.
• Qualcomm Snapdragon 400 (Z3): Custom Qualcomm Krait 200 cores, ditto.

So that's all of them. Moreover, unless BlackBerry wills their development division back from the dead, software mitigations are unlikely.

[Superdupont 2_0]

[...] So that's all of them. Moreover, unless BlackBerry wills their development division back from the dead, software mitigations are unlikely.

Assuming there is no mitigation, they will have to do something, otherwise millions of BB10 devices will be rendered useless.

If BlackBerry doesn't take any action, at least for the stock browser, I will replace all BB10 devices with iOS next month.


Posted via CB10

[anon(10321802)]

Assuming there is no mitigation, they will have to do something, otherwise millions of BB10 devices will be rendered useless.

If BlackBerry doesn't take any action, at least for the stock browser, I will replace all BB10 devices with iOS next month.


Posted via CB10

They will not be useless. They will still work, but they will be potentially less secure than newer devices that receive regular security patches.

Malware has to be running locally on the device to take advantage of Spectre and Meltdown. If you don't install apps you don't trust, you'll probably be fine.

[Superdupont 2_0]

They will not be useless. They will still work, but they will be potentially less secure than newer devices that receive regular security patches.

Malware has to be running locally on the device to take advantage of Spectre and Meltdown. If you don't install apps you don't trust, you'll probably be fine.

Nope. Unfortunately javascript code in the browser can launch some of these attacks.

And I certainly don't want to change my passwords on a monthly base, so either BlackBerry provides a clear statement and reasonable mitigation, or BB10 is dead for me.

Posted via CB10

[anon(10321802)]

Nope. Unfortunately javascript code in the browser can launch some of these attacks.

And I certainly don't want to change my passwords on a monthly base, so either BlackBerry provides a clear statement and reasonable mitigation, or BB10 is dead for me.

Posted via CB10

I hadn't read that javascript could exploit these vulnerabilities. If true, that's concerning, indeed.

I was contemplating a return to BB10 (from iPhone) as a minimalist alternative to modern smartphones, but these and other unpatched vulnerabilities (KRACK) are making me reconsider.

As much as iOS frustrates me sometimes, even my ancient iPhone 5S still receives security patches.

[Superdupont 2_0]

I hadn't read that javascript could exploit these vulnerabilities. If true, that's concerning, indeed.

I was contemplating a return to BB10 (from iPhone) as a minimalist alternative to modern smartphones, but these and other unpatched vulnerabilities (KRACK) are making me reconsider.

As much as iOS frustrates me sometimes, even my ancient iPhone 5S still receives security patches.

Firefox got patched a few days ago, and Google Chrome will get patched 23 January.

I don't care much about KRACK, because all sensitive connections on my devices are protected with TLS.

But Spectre is a very serious problem.
Web filters (adblockers, PAC files etc etc) can mitigate it to some extend, but I will no rely only on web filters.

If BlackBerry leaves us in the dark about Spectre, it's time to move on.

Posted via CB10

[Doctornoc]

Blackberry isn't in devices business anymore

Posted via CB10

[anon(10218918)]

They are still in it! They don't produce hardware anymore, but they develope und update -sometimes- the software. Look at the statement from Alex Thurber in December.

Posted via CB10

[Invictus0]

Assuming there is no mitigation, they will have to do something, otherwise millions of BB10 devices will be rendered useless.

If BlackBerry doesn't take any action, at least for the stock browser, I will replace all BB10 devices with iOS next month.


Posted via CB10

You're probably better off waiting for SOC's that deal with the root problem. From the sounds of it these issues will require longterm patching.

Blackberry isn't in devices business anymore

Posted via CB10

It wouldn't matter in this case because the only known mitigations are software patches.

[Dunt Dunt Dunt]

Nope. Unfortunately javascript code in the browser can launch some of these attacks.

And I certainly don't want to change my passwords on a monthly base, so either BlackBerry provides a clear statement and reasonable mitigation, or BB10 is dead for me.

Posted via CB10

How long will you wait?

I suspect a statement will come just as quickly as the one for KRACK did.

At this point, what's the point in waiting? Even if BlackBerry sent out a statement that they would patch BB10.... how long would it take them with nobody working on BB10 for a year almost, even then a small team that barley was able to get out 10.3.3 with it's known issues.

[Chuck Finley69]

Firefox got patched a few days ago, and Google Chrome will get patched 23 January.

I don't care much about KRACK, because all sensitive connections on my devices are protected with TLS.

But Spectre is a very serious problem.
Web filters (adblockers, PAC files etc etc) can mitigate it to some extend, but I will no rely only on web filters.

If BlackBerry leaves us in the dark about Spectre, it's time to move on.

Posted via CB10

I'd probably start packing. At least start accumulation of moving boxes.....

[johnsliderbb]

Install a patched light Android webbrowser to mitigate the risk?

Posted via CB10

[glwerry]

Install a patched light Android webbrowser to mitigate the risk?

Posted via CB10

My understanding is that Chrome is going to be patched soon in order to address at least part of the vulnerabilities.

[johnsliderbb]

Had the same understanding.

Now Chrome doesn't really run on eg a Classic. A derivative like Jumpgo however does.

Posted via CB10

[ShalokShalom]

There are four CPUs underlying every BB10 device:

• TI OMAP 4470 (Z10 STL100-1): ARM Cortex A9 cores, which are vulnerable according to ARM.
• Qualcomm Snapdragon S4 (other Z10, Z30, Q10, Q5, Classic, Leap): Custom Qualcomm Krait cores; the ARM bulletin only lists their models instead of derivatives from other manufacturers (Qualcomm Krait/Kryo, Samsung Exynos custom cores, etc), but Krait does have speculative execution, so they're quite likely vulnerable to Spectre.
• Qualcomm Snapdragon 800 (Passport): Custom Qualcomm Krait 400 cores, ditto.
• Qualcomm Snapdragon 400 (Z3): Custom Qualcomm Krait 200 cores, ditto.

So that's all of them. Moreover, unless BlackBerry wills their development division back from the dead, software mitigations are unlikely.

First of, the Passport use a 801.
Secondly, BlackBerry just announced 2 years more support, which includes IMHO security patches.
They stopped the development and marketing of those devices.
Not the overall security support. Or did I missed that?

[thurask]

First of, the Passport use a 801.
Secondly, BlackBerry just announced 2 years more support, which includes IMHO security patches.
They stopped the development and marketing of those devices.
Not the overall security support. Or did I missed that?

800, 801, still Krait.

And as for "support", you must be new here.

[Invictus0]

800, 801, still Krait.

And as for "support", you must be new here.

Not to mention other OEM's are hinting at longterm patching to deal with Spectre, I doubt we'll see that for BB10 or the Priv.

[Troy Tiscareno]

First of, the Passport use a 801.
Secondly, BlackBerry just announced 2 years more support, which includes IMHO security patches.
They stopped the development and marketing of those devices.
Not the overall security support. Or did I missed that?

Unfortunately, your HO isn't the same as BB's. "Support" seems to mean "we'll continue to pay the power and Internet bills to keep the BB servers running until 12/31/2019", after which BB World for sure will go down, and likely the other BB servers (BBM for BB10, BB ID, etc.) will also.

The fix for Spectre is much, much more involved than the fix for Krack, yet BB hasn't even given any official update on a fix for Krack for BB10, which is several months old at this point. The writing is right there on the wall, you just have to read it.