1. anon(10218918)
    BlackBerry support sent me this today:
    "Hi, thanks for contacting us.

    BlackBerry has investigated the impact to its products and determined that while the vulnerability isn’t in BlackBerry authored software, BlackBerry powered by Android smartphones are affected by the Spectre vulnerabilities. Mitigations to the Spectre vulnerability will be deployed via January’s Security Maintenance Release. The Meltdown vulnerability does not affect BlackBerry powered by Android smartphones.

    BlackBerry recommends that customers only download apps from trusted sources and should not disable security features such as Verify Apps. Customers should avoid visiting untrusted websites. BlackBerry is not aware of any exploitation of this vulnerability against BlackBerry customers. Thank you. ^PA"
    01-09-18 06:20 AM
  2. Troy Tiscareno
    BlackBerry support sent me this today:
    Translation: "We have nothing to say about BB10 except 'be careful.'"
    01-09-18 12:32 PM
  3. anon(10218918)
    Translation: "We have nothing to say about BB10 except 'be careful.'"
    Yes! We all know it is not a software problem but a mistake in the chips. BlackBerry thinks the users are silly. The message from BlackBerry support means they will try to minimize the problem in Android devices and not in BlackBerry 10 devices.
    Last edited by CrackPriv; 01-09-18 at 03:46 PM.
    01-09-18 01:01 PM
  4. Troy Tiscareno
    Yes! We all know it is not a software problem but a mistake in the chips. BlackBerry thinks the users are silly. The message from BlackBerry support means they will try to minimize the problem in Android devices and not in BlackBerry 10 devices.
    The real message is: BB10 development ended in 2015, and an EOL date has been announced, and BB just isn't interested in spending any more money on an EOL platform that likely has less than a million users (and dropping daily) that already cost them about $10B in losses.

    They're not telling you not to use BB10, but they're not going to do anything (except keep the servers on for 23 more months) to make that easier for you. They've moved on.
    01-09-18 08:00 PM
  5. Chuck Finley69
    The real message is: BB10 development ended in 2015, and an EOL date has been announced, and BB just isn't interested in spending any more money on an EOL platform that likely has less than a million users (and dropping daily) that already cost them about $10B in losses.

    They're not telling you not to use BB10, but they're not going to do anything (except keep the servers on for 23 more months) to make that easier for you. They've moved on.
    Translation: BB to BB10 users after moving from BB10 devices to BBAndroid devices: "It's not us, it's you."

    Translation: BB to BB10 users after leaving hardware year ago, "We're breaking up now."

    Translation: BB to BB10 customers after EOL announcement recently and then calling about new updates now, "You're making us really uncomfortable and really want you to leave now. Please go or we're calling the cops."
    01-09-18 08:15 PM
  6. EFats
    Meltdown is pretty much confined to Intel, as far as we know at this point.
    The 'not downloading from unknown sources' applies to pretty much anything, doesn't need spectre to attack you at that point.

    The attack vector to worry about is the Javascript exploit from the browser. BB10's browser does support the feature that was demo'd in the Chrome exploit, however it is not clear if the BB10 browser is affected (I would assume yes). However, it depends on how much of the real-time core of QNX is used and if it is susceptible. The attack needs access to a very high resolution timer from Javascript. It is normally NOT provided in Chrome to avoid these kinds of attacks, so a particular HTML5 feature is used to try and get access to one.

    There has been an article floating around stating that QNX specifically, and real-time OS in general are not affected. I'm not sure I believe it.

    Regardless, even if unpatched, a phone would not be a desirable target, mainly because of the time needed to extract any usable information on such a low power device.

    Also, it is understandable that BlackBerry is vague on BB10, but they need to put out a definitive statement on QNX.
    01-10-18 12:43 PM
  7. EFats
    Ok maybe I feel a little bit better now. Mind you I'm no expert...

    According to the spectre paper, the Javascript exploit requires a good high resolution timer. Chrome implements performance.now() which gives microsecond resolution, although Chrome deliberately degrades it somewhat, and the attack needs that kind of accuracy.

    According to BlackBerry BB10 developer docs here:
    https://developer.blackberry.com/nat...t_of_time.html

    The microkernel only understands the tick as a minimum of 1 ms. In theory I think this means that nobody gets access to anything less than this, so it is very difficult or impossible to carry out the attack as described. Even a local app might find it difficult, but at any rate, if you can trick the user into downloading malware, you don't need spectre.

    Very interesting that Arca Noae (the OS/2 guys) already analysed it and put out a statement regarding their vulnerability. (OS/2 is pretty safe from this for a similar reason.)
    https://www.arcanoae.com/blog/
    Shame on BlackBerry for not being on top of things like this!
    01-10-18 02:00 PM
  8. Invictus0
    Ok maybe I feel a little bit better now. Mind you I'm no expert...

    According to the spectre paper, the Javascript exploit requires a good high resolution timer. Chrome implements performance.now() which gives microsecond resolution, although Chrome deliberately degrades it somewhat, and the attack needs that kind of accuracy.

    According to BlackBerry BB10 developer docs here:
    https://developer.blackberry.com/nat...t_of_time.html

    The microkernel only understands the tick as a minimum of 1 ms. In theory I think this means that nobody gets access to anything less than this, so it is very difficult or impossible to carry out the attack as described. Even a local app might find it difficult, but at any rate, if you can trick the user into downloading malware, you don't need spectre.

    Very interesting that Arca Noae (the OS/2 guys) already analysed it and put out a statement regarding their vulnerability. (OS/2 is pretty safe from this for a similar reason.)
    https://www.arcanoae.com/blog/
    Shame on BlackBerry for not being on top of things like this!
    Interesting find. If that's the case you'd think BlackBerry would be promoting this, at the very least it would support QNX and their own reputation for proactive security.
    01-10-18 02:21 PM
  9. cyberdoggie
    Well, they still have to acknowledge that KRACK is affecting, or not, BB10. They seem to need an extraordinarily long time to come to a conclusion...
    01-10-18 02:29 PM
  10. DonHB
    Because of how message passing (IPC) works in Neutrino, I would not be surprised if some of the risks of Meltdown transfer to Spectre. This may be why it is taking more time for BlackBerry to comment. But they have no excuse regarding KRACK.
    01-10-18 02:36 PM
  11. Chuck Finley69
    Because of how message passing (IPC) works in Neutrino, I would not be surprised if some of the risks of Meltdown transfer to Spectre. This may be why it is taking more time for BlackBerry to comment. But they have no excuse regarding KRACK.
    Perhaps they just don't care. Why should they care about spending money on BB10, if they're not in device business? It's a straight expense that directly reduces profit.
    01-10-18 02:41 PM
  12. cyberdoggie
    Perhaps they just don't care. Why should they care about spending money on BB10, if they're not in device business? It's a straight expense that directly reduces profit.
    That is not what I call “support” (even if EOL in two years, period during which such has been pledged), in particular for critical issues such as these.
    01-10-18 02:45 PM
  13. DonHB
    Perhaps they just don't care. Why should they care about spending money on BB10, if they're not in device business? It's a straight expense that directly reduces profit.
    Perhaps this belongs in a different thread?
    01-10-18 02:49 PM
  14. Chuck Finley69
    Perhaps this belongs in a different thread?
    Why? This specifically relates to your statement about Meltdown and Spectre being addressed for BB10. You made the argument. Now you just need to back up your statement with some logical valid reasoning.
    01-10-18 02:55 PM
  15. DonHB
    Why? This specifically relates to your statement about Meltdown and Spectre being addressed for BB10. You made the argument. Now you just need to back up your statement with some logical valid reasoning.
    I was suggesting that the impact of these vulnerabilities is different in Neutrino. I wrote nothing about the business arguments to fix the problem(s).
    01-10-18 02:57 PM
  16. Chuck Finley69
    That is not what I call “support” (even if EOL in two years, period during which such has been pledged), in particular for critical issues such as these.
    But to a company that exited the business of hardware, what do they care about support? It's a word. It sounds nice, but really why should they care when that money could be spent more effectively on their existing business lines?
    01-10-18 02:58 PM
  17. cyberdoggie
    But to a company that exited the business of hardware, what do they care about support? It's a word. It sounds nice, but really why should they care when that money could be spent more effectively on their existing business lines?
    I see your point but, then, BlackBerry should have been honest enough to put the axe on all things BB10 right away instead of promising phoney “support” throughout the next two years. It is quite dishonest towards loyal customers that have supported them previously by buying the gear. An honest approach would be to back up words with actual deeds.
    01-10-18 03:12 PM
  18. DonHB
    But to a company that exited the business of hardware, what do they care about support? It's a word. It sounds nice, but really why should they care when that money could be spent more effectively on their existing business lines?
    Because the place to remedy these threats is at the level of the OS, the QNX subsidiary (maybe it is now a department?) needs to address these issues as it supports all the processors that have these vulnerabilities. I suspect Spectre is harder to fix for QNX than for other OS owners, but the lack of comment from BlackBerry regarding Spectre and Meltdown, matching the no comment on KRACK regarding the QNX product line, should be very concerning.

    One reason to fix this in BB10 is to clarify what the company means by support, if for no other reason than to bolster the company's reputation in security. I would expect support to be more proactive for a company selling security solutions, but BlackBerry has acted otherwise.
    Last edited by DonHB; 01-10-18 at 04:00 PM.
    01-10-18 03:41 PM
  19. Chuck Finley69
    Because the place to remedy these threats is at the level of the OS, the QNX subsidiary (maybe it is now a department?) needs to address these issues as it supports all the processors that have these vulnerabilities. I suspect Spectre is harder to fix for QNX than for other OS owners, but the lack of comment from BlackBerry regarding Spectre and Meltdown, matching the no comment on KRACK regarding the QNX product line, should be very concerning.
    I would suspect these conversations go on behind the scenes with QNX suppliers and customers. Since BB deals with manufacturers, their statements are going to be directed in that direction and through private channels. Since you and I are not target audience, there's really no reason for communicating to us.

    It seems that many people here are not adjusting to the idea that BB is choosing to only communicate with its actual customers now and not with end users. When you see BB making public statements and consumer type Q/A, it's generally more press release or predetermined Q/A.

    The company is speaking to end-users on behalf of their direct customers only when asked to by those direct customers.
    01-10-18 03:53 PM
  20. DonHB
    Well, IBM is no longer producing consumer products, but you can read about the fixes they are making for their Power CPUs. BlackBerry/QNX are silent.
    01-10-18 04:05 PM
  21. conite
    http://www.zdnet.com/article/meltdow...le-power-cpus/
    Well, IBM is no longer producing consumer products, but you can read about the fixes they are making for their Power CPUs on ZDnet no-less.
    Companies are still paying IBM big bucks for ongoing support contracts.
    01-10-18 04:12 PM
  22. conite
    I see your point but, then, BlackBerry should have been honest enough to put the axe on all things BB10 right away instead of promising phoney “support” throughout the next two years. It is quite dishonest towards loyal customers that have supported them previously by buying the gear. An honest approach would be to back up words with actual deeds.
    The support is keeping BlackBerry World up and running, along with BBM for BB10, and BBID. That's pretty much it.

    Let's not forget it took BB10's intern developer over 7 months to fix a couple lines of code for Vodafone Europe to address a small LTE issue (10.3.3.3057).
    01-10-18 04:14 PM
  23. Richard Buckley
    You can't really look at QNX in the same light as Windows and Linux. Most QNX deployments won't have any programs that didn't come from BlackBerry / QNX or from the application developers, and won't be downloading apps from third party developers. Also many of their customers probably aren't using the CPU features that make a system vulnerable. A lot of embedded ARM applications won't be vulnerable because they aren't using the features that lead to vulnerabilities and so will be based on chips that don't have the speculative execution included. The Raspberry Pi isn't vulnerable for this reason.

    There were a lot of steps that could have been taken. For example Intel chips can make high resolution timing a privileged operation which would mitigate these and other problems. But users have become used to having unprivileged access, so it would be difficult to take it back now.

    LeapSTR100-2/10.3.3.2205
    01-10-18 05:37 PM
  24. DonHB
    Companies are still paying IBM big bucks for ongoing support contracts.
    You are of the opinion that car companies licensing Neutrino have no reason to be concerned about these vulnerabilities?
    01-10-18 07:39 PM
  25. cyberdoggie
    The support is keeping BlackBerry World up and running, along with BBM for BB10, and BBID. That's pretty much it.

    Let's not forget it took BB10's intern developer over 7 months to fix a couple lines of code for Vodafone Europe to address a small LTE issue (10.3.3.3057).
    And how does that relate to addressing a major security flaw such as KRACK? This is not an exotic issue. Ever since the flaw was discovered, and that is meanwhile four months ago, they have been saying that they are examining whether it impacts BB10. I have been asking them several times since and always get the same crappy answer. Why can't they be honest about what they are doing, or rather not doing?
    01-10-18 08:44 PM