- BlackBerry support sent me this today:
"Hi, thanks for contacting us.
BlackBerry has investigated the impact to its products and determined that while the vulnerability isn’t in BlackBerry authored software, BlackBerry powered by Android smartphones are affected by the Spectre vulnerabilities. Mitigations to the Spectre vulnerability will be deployed via January’s Security Maintenance Release. The Meltdown vulnerability does not affect BlackBerry powered by Android smartphones.
BlackBerry recommends that customers only download apps from trusted sources and should not disable security features such as Verify Apps. Customers should avoid visiting untrusted websites. BlackBerry is not aware of any exploitation of this vulnerability against BlackBerry customers. Thank you. ^PA"
01-09-18 06:20 AM
- Yes! We all know it is not a software problem but a mistake in the chips. BlackBerry thinks the users are silly. The message from BlackBerry support means they will try to minimize the problem in Android devices and not in BlackBerry 10 devices.
Last edited by CrackPriv; 01-09-18 at 03:46 PM.
01-09-18 01:01 PM
- They're not telling you not to use BB10, but they're not going to do anything (except keep the servers on for 23 more months) to make that easier for you. They've moved on.
StephanieMaks and HighFlight88 like this.
01-09-18 08:00 PM
- The real message is: BB10 development ended in 2015, and an EOL date has been announced, and BB just isn't interested in spending any more money on an EOL platform that likely has less than a million users (and dropping daily) that already cost them about $10B in losses.
They're not telling you not to use BB10, but they're not going to do anything (except keep the servers on for 23 more months) to make that easier for you. They've moved on.
Translation: BB to BB10 users after leaving hardware a year ago, "We're breaking up now."
Translation: BB to BB10 customers after EOL announcement recently and then calling about new updates now, "You're making us really uncomfortable and really want you to leave now. Please go or we're calling the cops."
01-09-18 08:15 PM
- Meltdown is pretty much confined to Intel, as far as we know at this point.
The 'not downloading from unknown sources' applies to pretty much anything, doesn't need Spectre to attack you at that point.
The attack vector to worry about is the JavaScript exploit from the browser. BB10's browser does support the feature that was demo'd in the Chrome exploit, however it is not clear if the BB10 browser is affected (I would assume yes). However, depends how much of the real-time core of QNX is used and if it is susceptible. The attack needs access to a very high resolution timer from JavaScript. It is normally NOT provided in Chrome to avoid these kinds of attacks so a particular HTML5 feature is used to try and get access to one.
There has been an article floating around stating that QNX specifically, and real-time OS in general are not affected. I'm not sure I believe it.
Regardless, even if unpatched, phone would not be a desirable target mainly because of the time needed to extract any usable information on such a low power device.
Also, understandable that BlackBerry is vague on BB10 but they need to put out a definitive statement on QNX.
01-10-18 12:43 PM
- Ok maybe I feel a little bit better now. Mind you I'm no expert...
According to the Spectre paper, the JavaScript exploit requires a good high resolution timer. Chrome implements performance.now() which gives microsecond resolution, although Chrome deliberately degrades it somewhat and the attack needs that kind of accuracy.
According to BlackBerry BB10 developer docs here:
https://developer.blackberry.com/nat...t_of_time.html
The microkernel only understands the tick as minimum of 1 ms. In theory I think this means that nobody gets access to anything less than this so it is very difficult or impossible to carry out the attack as described. Even a local app might find it difficult, but at any rate, if you can trick the user into downloading malware, you don't need Spectre.
Very interesting that Arca Noae (the OS/2 guys) already analysed it and put out a statement regarding their vulnerability. (OS/2 is pretty safe from this due to a similar reason)
https://www.arcanoae.com/blog/
Shame on BlackBerry for not being on top of things like this!
Invictus0 likes this.
01-10-18 02:00 PM
- Well, they still have to acknowledge that KRACK is affecting, or not, BB10. They seem to need an extraordinarily long time to come to a conclusion...
anon(10218918) likes this.
01-10-18 02:29 PM
- Perhaps they just don't care. Why should they care about spending money on BB10, if they're not in device business? It's a straight expense that directly reduces profit.
01-10-18 02:41 PM
- That is not what I call “support” (even if EOL in two years, period during which such has been pledged), in particular for critical issues such as these.
anon(10218918) likes this.
01-10-18 02:45 PM
- I was suggesting that the impact of these vulnerabilities are different in Neutrino. I wrote nothing about the business arguments to fix the problem(s).
01-10-18 02:57 PM
- But to a company that exited the business of hardware, what do they care about support? It's a word. It sounds nice, but really why should they care when that money could be spent more effectively on their existing business lines?
01-10-18 02:58 PM
- I see your point but, then, BlackBerry should have been honest enough to put the axe on all things BB10 right away instead of promising phoney “support” throughout the next two years. It is quite dishonest towards loyal customers that have supported them previously by buying the gear. An honest approach would be to back up words with actual deeds.
elfabio80 likes this.
01-10-18 03:12 PM
- One reason to fix this in BB10 is to clarify what the company means by support if for no other reason than to bolster the company's reputation in security. I would expect support to be more proactive for company selling security solutions, but BlackBerry has acted otherwise.
Last edited by DonHB; 01-10-18 at 04:00 PM.
01-10-18 03:41 PM
- Because the place to remedy these threats is at the level of the OS, the QNX subsidiary (maybe it is now a department?) needs to address these issues as it supports all the processors that have these vulnerabilities. I suspect Spectre is harder to fix for QNX than for other OS owners, but the lack of comment from BlackBerry regarding Spectre and Meltdown matching the no comment on KRACK regarding the QNX product line should be very concerning.
It seems that many people here are not adjusting to the idea that BB is choosing to only communicate with its actual customers now and not with end users. When you see BB making public statements and consumer type Q/A, it's generally more press release or predetermined Q/A.
The company is speaking to end-users on behalf of their direct customers only when asked to by those direct customers.
Mecca EL likes this.
01-10-18 03:53 PM
- http://www.zdnet.com/article/meltdow...le-power-cpus/
Well, IBM is no longer producing consumer products, but you can read about the fixes they are making for their Power CPUs on ZDnet no less.
01-10-18 04:12 PM
- I see your point but, then, BlackBerry should have been honest enough to put the axe on all things BB10 right away instead of promising phoney “support” throughout the next two years. It is quite dishonest towards loyal customers that have supported them previously by buying the gear. An honest approach would be to back up words with actual deeds.
Let's not forget it took BB10's intern developer over 7 months to fix a couple lines of code for Vodafone Europe to address a small LTE issue (10.3.3.3057).
01-10-18 04:14 PM
- You can't really look at QNX in the same light as Windows and Linux. Most QNX deployments won't have any programs that didn't come from BlackBerry / QNX or from the application developers, and won't be downloading apps from third party developers. Also many of their customers probably aren't using the CPU features that make a system vulnerable. A lot of embedded ARM applications won't be vulnerable because they aren't using the features that lead to vulnerabilities and so will be based on chips that don't have the speculative execution included. The Raspberry Pi isn't vulnerable for this reason.
There were a lot of steps that could have been taken. For example Intel chips can make high resolution timing a privileged operation which would mitigate these and other problems. But users have become used to having unprivileged access, so it would be difficult to take it back now.
LeapSTR100-2/10.3.3.2205
01-10-18 05:37 PM
- And how does that relate to addressing a major security flaw such as KRACK? This is not an exotic issue. Ever since the flaw was discovered, and that is meanwhile four months ago, they have been saying that they are examining whether it impacts BB10. I have been asking them several times since and always get the same crappy answer. Why cannot they be honest about what they are doing or rather not doing?
01-10-18 08:44 PM
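
The timer-resolution point raised in the thread above (performance.now() versus a 1 ms tick) can be checked directly; this is an added example, not code from any post or from BlackBerry/QNX. The helper names are hypothetical, and the 1 ms step only models the tick size quoted from the developer docs, not how the BB10 browser actually behaves.

```javascript
// Added example; quantize, measureResolutionMs, elapsedMs and report are hypothetical names.
// Reads the clock a page script would use; falls back to Date.now() if absent.
const clockSource = globalThis.performance
  ? () => globalThis.performance.now() // fractional milliseconds
  : () => Date.now();                  // whole milliseconds

// Model a coarse clock: readings are floored to a multiple of stepMs,
// as with a 1 ms system tick or a deliberately degraded browser timer.
function quantize(clock, stepMs) {
  return () => Math.floor(clock() / stepMs) * stepMs;
}

// Spin until the reading changes and keep the smallest jump observed.
// That jump is the finest granularity a script can actually see.
function measureResolutionMs(clock, samples = 20) {
  let smallest = Infinity;
  for (let i = 0; i < samples; i++) {
    const start = clock();
    let next = clock();
    while (next === start) next = clock();
    smallest = Math.min(smallest, next - start);
  }
  return smallest;
}

// Time a callback with the given clock.
function elapsedMs(clock, work) {
  const t0 = clock();
  work();
  return clock() - t0;
}

function report() {
  // 1 ms step: an assumption taken from the tick size quoted in the thread.
  const tickClock = quantize(clockSource, 1);
  const shortWork = () => { let x = 0; for (let i = 0; i < 100; i++) x += i; return x; };
  return {
    rawResolutionMs: measureResolutionMs(clockSource),
    tickResolutionMs: measureResolutionMs(tickClock),
    // On the coarse clock a sub-tick operation reads as 0 or as whole steps.
    shortWorkOnTickMs: elapsedMs(tickClock, shortWork),
  };
}

console.log(report());
```

Run in a browser console or Node, `rawResolutionMs` shows what the platform really exposes, which is the figure to compare against the 1 ms model.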
Spectre / Meltdown - BB10 / QNX