01-14-18 02:24 PM
99 123 ...
tools
  1. lewis71980's Avatar
    Out of interest, does the microkernel design of the OS prevent against these attacks?

    Does BB10 / QNX need patching in the same way as Linux / Windows?
    01-04-18 01:35 PM
  2. glwerry's Avatar
    Out of interest, does the microkernel design of the OS prevent against these attacks?

    Does BB10 / QNX need patching in the same way as Linux / Windows?
    Although I don't know explicitly, it likely would, since the vulerability is at the HARDWARE level - it's the CPU itself, independent of the OS.
    01-04-18 01:56 PM
  3. rthonpm's Avatar
    This is an issue that affects Intel based x86 systems. BB10 uses a different instruction set entirely so mobile systems using ARM or other processor types aren't at risk. For QNX as a whole, it will likely depend on what it's running on, but as it was built primarily for embedded systems, it's likely on custom chipsets or other non-x86 systems for the most part.

    Posted via CB10
    01-04-18 04:15 PM
  4. co4nd's Avatar
    This is an issue that affects Intel based x86 systems. BB10 uses a different instruction set entirely so mobile systems using ARM or other processor types aren't at risk. For QNX as a whole, it will likely depend on what it's running on, but as it was built primarily for embedded systems, it's likely on custom chipsets or other non-x86 systems for the most part.

    Posted via CB10
    They are reporting today that Spectre effects Intel, AMD and Arm.

    https://www.pcmag.com/news/358249/in...ix-means-slowe
    01-04-18 08:57 PM
  5. gerson008's Avatar
    To the best of my knowledge, they maybe not be affected
    1) For BB Classics which i own, uses snapdragon S4 plus, which is ARM Cortex A5
    2) For Keyone which i am planning to purchase uses Snapdragon 625 , which is ARM Cortex-A53

    Neither of them are listed in https://developer.arm.com/support/security-update

    Of course, i am also waiting for the confirmation by a qualified BB personnel.

    Refereces:
    1) for Classics - https://www.gsmarena.com/blackberry_classic-6458.php
    2) For Keyone - https://www.gsmarena.com/blackberry_keyone-8508.php
    01-05-18 06:34 AM
  6. Dunt Dunt Dunt's Avatar
    Proable need to see if QNX makes any comment about their products... like with KRACK BlackBerry probable isn't talking about BB10 anymore.
    01-05-18 09:35 AM
  7. Newfangled's Avatar
    Keep in mind these vulnerabilities can only be exploited via malware running locally on the device.

    This may be a case where "security through obscurity" may offer some protection.
    Soapm likes this.
    01-05-18 11:34 AM
  8. thurask's Avatar
    There are four CPUs underlying every BB10 device:
    • TI OMAP 4470 (Z10 STL100-1): ARM Cortex A9 cores, which are vulnerable according to ARM.
    • Qualcomm Snapdragon S4 (other Z10, Z30, Q10, Q5, Classic, Leap): Custom Qualcomm Krait cores; the ARM bulletin only lists their models instead of derivatives from other manufacturers (Qualcomm Krait/Kryo, Samsung Exynos custom cores, etc), but Krait does have speculative execution, so they're quite likely vulnerable to Spectre.
    • Qualcomm Snapdragon 800 (Passport): Custom Qualcomm Krait 400 cores, ditto.
    • Qualcomm Snapdragon 400 (Z3): Custom Qualcomm Krait 200 cores, ditto.


    So that's all of them. Moreover, unless BlackBerry wills their development division back from the dead, software mitigations are unlikely.
    SoundChaser007 and Mecca EL like this.
    01-05-18 12:51 PM
  9. Superdupont 2_0's Avatar
    [...] So that's all of them. Moreover, unless BlackBerry wills their development division back from the dead, software mitigations are unlikely.
    Assuming there is no mitigation, they will have to do something, otherwise millions of BB10 devices will be rendered useless.

    If BlackBerry doesn't take any action, at least for the stock browser, I will replace all BB10 devices with iOS next month.


    Posted via CB10
    CrackPriv and Bee Gee like this.
    01-07-18 08:34 AM
  10. Newfangled's Avatar
    Assuming there is no mitigation, they will have to do something, otherwise millions of BB10 devices will be rendered useless.

    If BlackBerry doesn't take any action, at least for the stock browser, I will replace all BB10 devices with iOS next month.


    Posted via CB10
    They will not be useless. They will still work, but they will be potentially less secure than newer devices that receive regular security patches.

    Malware has to be running locally on the device to take advantage of Spectre and Meltdown. If you don't install apps you don't trust, you'll probably be fine.
    01-07-18 09:15 AM
  11. Superdupont 2_0's Avatar
    They will not be useless. They will still work, but they will be potentially less secure than newer devices that receive regular security patches.

    Malware has to be running locally on the device to take advantage of Spectre and Meltdown. If you don't install apps you don't trust, you'll probably be fine.
    Nope. Unfortunately javascript code in the browser can launch some of these attacks.

    And I certainly don't want to change my passwords on a monthly base, so either BlackBerry provides a clear statement and reasonable mitigation, or BB10 is dead for me.

    Posted via CB10
    01-07-18 09:27 AM
  12. Newfangled's Avatar
    Nope. Unfortunately javascript code in the browser can launch some of these attacks.

    And I certainly don't want to change my passwords on a monthly base, so either BlackBerry provides a clear statement and reasonable mitigation, or BB10 is dead for me.

    Posted via CB10
    I hadn't read that javascript could exploit these vulnerabilities. If true, that's concerning, indeed.

    I was contemplating a return to BB10 (from iPhone) as a minimalist alternative to modern smartphones, but these and other unpatched vulnerabilities (KRACK) are making me reconsider.

    As much as iOS frustrates me sometimes, even my ancient iPhone 5S still receives security patches.
    01-07-18 09:41 AM
  13. Superdupont 2_0's Avatar
    I hadn't read that javascript could exploit these vulnerabilities. If true, that's concerning, indeed.

    I was contemplating a return to BB10 (from iPhone) as a minimalist alternative to modern smartphones, but these and other unpatched vulnerabilities (KRACK) are making me reconsider.

    As much as iOS frustrates me sometimes, even my ancient iPhone 5S still receives security patches.
    Firefox got patched a few days ago, and Google Chrome will get patched 23 January.

    I don't care much about KRACK, because all sensitive connections on my devices are protected with TLS.

    But Spectre is a very serious problem.
    Web filters (adblockers, PAC files etc etc) can mitigate it to some extend, but I will no rely only on web filters.

    If BlackBerry leaves us in the dark about Spectre, it's time to move on.

    Posted via CB10
    CrackPriv likes this.
    01-07-18 09:53 AM
  14. Doctornoc's Avatar
    Blackberry isn't in devices business anymore

    Posted via CB10
    Mecca EL likes this.
    01-07-18 10:01 AM
  15. CrackPriv's Avatar
    They are still in it! They don't produce hardware anymore, but they develope und update -sometimes- the software. Look at the statement from Alex Thurber in December.

    Posted via CB10
    01-07-18 10:45 AM
  16. Invictus0's Avatar
    Assuming there is no mitigation, they will have to do something, otherwise millions of BB10 devices will be rendered useless.

    If BlackBerry doesn't take any action, at least for the stock browser, I will replace all BB10 devices with iOS next month.


    Posted via CB10
    You're probably better off waiting for SOC's that deal with the root problem. From the sounds of it these issues will require longterm patching.

    Blackberry isn't in devices business anymore

    Posted via CB10
    It wouldn't matter in this case because the only known mitigations are software patches.
    01-07-18 11:17 AM
  17. Dunt Dunt Dunt's Avatar
    Nope. Unfortunately javascript code in the browser can launch some of these attacks.

    And I certainly don't want to change my passwords on a monthly base, so either BlackBerry provides a clear statement and reasonable mitigation, or BB10 is dead for me.

    Posted via CB10
    How long will you wait?

    I suspect a statement will come just as quickly as the one for KRACK did.

    At this point, what's the point in waiting? Even if BlackBerry sent out a statement that they would patch BB10.... how long would it take them with nobody working on BB10 for a year almost, even then a small team that barley was able to get out 10.3.3 with it's known issues.
    Mecca EL likes this.
    01-08-18 09:25 AM
  18. Chuck Finley69's Avatar
    Firefox got patched a few days ago, and Google Chrome will get patched 23 January.

    I don't care much about KRACK, because all sensitive connections on my devices are protected with TLS.

    But Spectre is a very serious problem.
    Web filters (adblockers, PAC files etc etc) can mitigate it to some extend, but I will no rely only on web filters.

    If BlackBerry leaves us in the dark about Spectre, it's time to move on.

    Posted via CB10
    I'd probably start packing. At least start accumulation of moving boxes.....
    Dunt Dunt Dunt and Mecca EL like this.
    01-08-18 09:29 AM
  19. johnsliderbb's Avatar
    Install a patched light Android webbrowser to mitigate the risk?

    Posted via CB10
    01-08-18 11:12 AM
  20. glwerry's Avatar
    Install a patched light Android webbrowser to mitigate the risk?

    Posted via CB10
    My understanding is that Chrome is going to be patched soon in order to address at least part of the vulnerabilities.
    01-08-18 01:31 PM
  21. johnsliderbb's Avatar
    Had the same understanding.

    Now Chrome doesn't really run on eg a Classic. A derivative like Jumpgo however does.

    Posted via CB10
    01-08-18 03:11 PM
  22. ShalokShalom's Avatar
    There are four CPUs underlying every BB10 device:
    • TI OMAP 4470 (Z10 STL100-1): ARM Cortex A9 cores, which are vulnerable according to ARM.
    • Qualcomm Snapdragon S4 (other Z10, Z30, Q10, Q5, Classic, Leap): Custom Qualcomm Krait cores; the ARM bulletin only lists their models instead of derivatives from other manufacturers (Qualcomm Krait/Kryo, Samsung Exynos custom cores, etc), but Krait does have speculative execution, so they're quite likely vulnerable to Spectre.
    • Qualcomm Snapdragon 800 (Passport): Custom Qualcomm Krait 400 cores, ditto.
    • Qualcomm Snapdragon 400 (Z3): Custom Qualcomm Krait 200 cores, ditto.


    So that's all of them. Moreover, unless BlackBerry wills their development division back from the dead, software mitigations are unlikely.
    First of, the Passport use a 801.
    Secondly, BlackBerry just announced 2 years more support, which includes IMHO security patches.
    They stopped the development and marketing of those devices.
    Not the overall security support. Or did I missed that?
    01-08-18 04:02 PM
  23. thurask's Avatar
    First of, the Passport use a 801.
    Secondly, BlackBerry just announced 2 years more support, which includes IMHO security patches.
    They stopped the development and marketing of those devices.
    Not the overall security support. Or did I missed that?
    800, 801, still Krait.

    And as for "support", you must be new here.
    StephanieMaks and Mecca EL like this.
    01-08-18 04:08 PM
  24. Invictus0's Avatar
    800, 801, still Krait.

    And as for "support", you must be new here.
    Not to mention other OEM's are hinting at longterm patching to deal with Spectre, I doubt we'll see that for BB10 or the Priv.
    01-08-18 04:16 PM
  25. Troy Tiscareno's Avatar
    First of, the Passport use a 801.
    Secondly, BlackBerry just announced 2 years more support, which includes IMHO security patches.
    They stopped the development and marketing of those devices.
    Not the overall security support. Or did I missed that?
    Unfortunately, your HO isn't the same as BB's. "Support" seems to mean "we'll continue to pay the power and Internet bills to keep the BB servers running until 12/31/2019", after which BB World for sure will go down, and likely the other BB servers (BBM for BB10, BB ID, etc.) will also.

    The fix for Spectre is much, much more involved than the fix for Krack, yet BB hasn't even given any official update on a fix for Krack for BB10, which is several months old at this point. The writing is right there on the wall, you just have to read it.
    01-09-18 01:52 AM
99 123 ...

Similar Threads

  1. CrackBerry Forums app update --- BB10-ish!
    By kyleheney in forum BlackBerry Android OS
    Replies: 12
    Last Post: 01-25-18, 07:34 AM
  2. Meltdown
    By Soapm in forum BlackBerry Priv
    Replies: 19
    Last Post: 01-10-18, 10:23 PM
  3. Z30 BB10 - Android apps Storage ISSUE!
    By BB30000 in forum BlackBerry Z30
    Replies: 10
    Last Post: 01-09-18, 09:08 PM
  4. Cancel BB10 upgrade (Q10)
    By Go_rom in forum Ask a Question
    Replies: 12
    Last Post: 01-04-18, 10:34 PM
  5. Replies: 2
    Last Post: 01-01-18, 04:37 AM
LINK TO POST COPIED TO CLIPBOARD