1. i_plod_an_dr_void's Avatar
    Any word on whether or not the security/privacy issue of the Samsung fingerprint scanner vulnerability might affect the BlackBerry Key series phones? (i.e. similar technology, similar algorithms?)

    https://ca.news.yahoo.com/fingerprin...124258103.html

    I kind of didn't like that tech very much in the first place (but I'm sure others do for the convenience)...but didn't have to use it being on BB10. Turns out it may be more vulnerable than the simple password it seems. Does this still make BB10 more secure than Android (and Apple)? But back to the point: are the KEY series affected by a similar bug? (Aside from in-marrying being a potential cause...okay I jest). Maybe this should be added to the Humorous BlackBerry security workaround commercial on Youtube.
    Last edited by i_plod_an_dr_void; 10-18-19 at 10:57 PM.
    10-18-19 10:43 PM
  2. Thud Hardsmack's Avatar
    Any word on whether or not the security/privacy issue of the Samsung fingerprint scanner vulnerability might affect the BlackBerry Key series phones? (i.e. similar technology, similar algorithms?)

    https://ca.news.yahoo.com/fingerprin...124258103.html

    I kind of didn't like that tech very much in the first place (but I'm sure others do for the convenience)...but didn't have to use it being on BB10. Turns out it may be more vulnerable than the simple password it seems. Does this still make BB10 more secure than Android (and Apple)? But back to the point: are the KEY series affected by a similar bug? (Aside from in-marrying being a potential cause...okay I jest). Maybe this should be added to the Humorous BlackBerry security workaround commercial on Youtube.
    No, because they're not using the ultrasonic readers on the S10/Note 10. Also, the vulnerability only exists when gel screen protectors are in use.
    10-19-19 03:10 AM
  3. Emaderton3's Avatar
    Not to mention they are supposed to release an update soon to fix the problem.
    10-19-19 09:20 AM
  4. joeldf's Avatar
    It helps to read what the issue is and see that the S10 uses a totally different reader (ultrasonic and behind the screen glass). Previous Samsungs with a dedicated pad, like the Key series, are not affected.
    10-19-19 10:13 AM
  5. i_plod_an_dr_void's Avatar
    Good to know. I don't use fingerprint phones, so didn't know the details. But it does make one wonder, especially for people who use fingerprints for bonding/employment etc., whether they could be vulnerable to hacking if someone got their print and fashioned a 3-D-like replica of the print...I dunno, using a 3-D printer for example. Kind of makes immigration to some countries a bit of a risk (or a co-worker who snags your coffee cup from the garbage) to opening your phone, maybe, if they decide to scan prints.
    10-19-19 03:17 PM
  6. joeldf's Avatar
    I personally don't use the FP scanner on my S9. I find using a PIN is all I need.
    10-19-19 03:21 PM
  7. bb10adopter111's Avatar
    Just remember that no biometrics available for the major mobile phones are very secure. Researchers have cracked all of them. Someone can get your fingerprint from a glass and 3-d print a finger or project a photo of your face onto a dimensional model.

    Think of biometric security on your phone like a privacy lock on a bathroom. It will work as long as others respect it, but it won't keep out a dedicated adversary who gains access to your phone.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    10-19-19 05:03 PM
  8. chain13's Avatar
    Code-wise, biometrics will generate a longer script than a simple passcode, which is more secure, but on the other hand all biometric methods are easier to hijack by hardware, like extracting your fingerprints out of your daily coffee glass. The only biometric that is more difficult to bypass is retina, but not impossible though.
    10-20-19 09:25 PM
  9. Invictus0's Avatar
    Just remember that no biometrics available for the major mobile phones are very secure. Researchers have cracked all of them. Someone can get your fingerprint from a glass and 3-d print a finger or project a photo of your face onto a dimensional model.

    Think of biometric security on your phone like a privacy lock on a bathroom. It will work as long as others respect it, but it won't keep out a dedicated adversary who gains access to your phone.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    Makes me sad that "picture password" never went anywhere. On an uncompromised device it's probably the most ideal solution for physical device security.
    Jake2826 likes this.
    10-20-19 09:55 PM
  10. Emaderton3's Avatar
    But come on, how often is this happening in real life? I am sure the fingerprint is just fine for 99 percent of usage cases.
    Egonzalez1978 likes this.
    10-21-19 07:05 PM
  11. chain13's Avatar
    But come on, how often is this happening in real life? I am sure the fingerprint is just fine for 99 percent of usage cases.
    No tolerant, because blackberry users value privacy and security like they always carry a nuclear code in their pocket
    bbfanfan likes this.
    10-22-19 12:54 AM
  12. bb10adopter111's Avatar
    But come on, how often is this happening in real life? I am sure the fingerprint is just fine for 99 percent of usage cases.
    Naturally, people should evaluate their individual threat model. One size does not fit all. But many millions of people have elevated risk profiles due to their wealth, their job, or their celebrity. I use the fingerprint reader on my iPad because it's convenient and because I keep no personal information on the device, but I don't use the fingerprint reader on my KEYone because my company is regularly targeted by threat actors attempting to compromise our clients' information.

    Any compromise of biometric security on your phone requires physical access to the device, and preparation, so it won't be random. It will be targeted. But it is not technically difficult to do. Any motivated person of average intelligence with access to your phone could execute such an attack.

    On the other hand, not securing your accounts with a second factor means anyone with your credentials can compromise you without access to your handheld. Such attacks can be executed at scale against "random" targets.

    If you hold a position of responsibility or visibility in a critical infrastructure industry (defense, government, energy, healthcare, etc.) or if you are a high net worth individual or celebrity, I would consider using a harder to compromise second factor than fingerprint or facial recognition.

    Consider, once someone compromises a phone that gives them email access and access to their multi-factor authentication, it only takes a professional about five minutes to reset core email passwords and transfer the second factors for all other accounts to another device.

    Only you can decide if such an attack is likely or would have a significant impact on you.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    zephyr613 likes this.
    10-22-19 01:03 PM
  13. Emaderton3's Avatar
    Naturally, people should evaluate their individual threat model. One size does not fit all. But many millions of people have elevated risk profiles due to their wealth, their job, or their celebrity. I use the fingerprint reader on my iPad because it's convenient and because I keep no personal information on the device, but I don't use the fingerprint reader on my KEYone because my company is regularly targeted by threat actors attempting to compromise our clients' information.

    Any compromise of biometric security on your phone requires physical access to the device, and preparation, so it won't be random. It will be targeted. But it is not technically difficult to do. Any motivated person of average intelligence with access to your phone could execute such an attack.

    On the other hand, not securing your accounts with a second factor means anyone with your credentials can compromise you without access to your handheld. Such attacks can be executed at scale against "random" targets.

    If you hold a position of responsibility or visibility in a critical infrastructure industry (defense, government, energy, healthcare, etc.) or if you are a high net worth individual or celebrity, I would consider using a harder to compromise second factor than fingerprint or facial recognition.

    Consider, once someone compromises a phone that gives them email access and access to their multi-factor authentication, it only takes a professional about five minutes to reset core email passwords and transfer the second factors for all other accounts to another device.

    Only you can decide if such an attack is likely or would have a significant impact on you.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    I rely on data as a scientist. I understand your stance. But I also evaluate things based on the data available. I have not seen warning flags go up for this and instances of theft widespread.
    10-22-19 01:29 PM
  14. bb10adopter111's Avatar
    I rely on data as a scientist. I understand your stance. But I also evaluate things based on the data available. I have not seen warning flags go up for this and instances of theft widespread.
    There is very little data published on cyber incidents in general. People usually only disclose breaches like Equifax with a regulatory disclosure requirement. What you see in print or online is the tip of the iceberg. The average multi-millionaire who loses a couple of million dollars doesn't go to the press to talk about it.

    The estimates for total worldwide cyber losses this year range dramatically, from several hundred billion to two trillion U.S. dollars. That doesn't include compromises to the integrity of governments and other institutions. In an era when political tweets move markets and could start wars, the trivial effort required to compromise a Twitter account should concern everyone.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    10-22-19 01:48 PM
  15. Emaderton3's Avatar
    There is very little data published on cyber incidents in general. People usually only disclose breaches like Equifax with a regulatory disclosure requirement. What you see in print or online is the tip of the iceberg. The average multi-millionaire who loses a couple of million dollars doesn't go to the press to talk about it.

    The estimates for total worldwide cyber losses this year range dramatically, from several hundred billion to two trillion U.S. dollars. That doesn't include compromises to the integrity of governments and other institutions. In an era when political tweets move markets and could start wars, the trivial effort required to compromise a Twitter account should concern everyone.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    Yes, but as an "average" person, I also have other stopgaps such as credit monitoring. I also subscribe to an industry security bulletin. I have seen warnings, but yet to see this being a large issue.

    All I am saying is that it is fine for most people. I have been on here several years and have always enjoyed your input and getting to know you from what I have read. I know you are very cautious which is great. Most cell phones are stolen and resold on a lower level--for resale and wipe but not data theft. I appreciate your input on being careful.
    10-22-19 01:54 PM
  16. bb10adopter111's Avatar
    Yes, but as an "average" person, I also have other stopgaps such as credit monitoring. I also subscribe to an industry security bulletin. I have seen warnings, but yet to see this being a large issue.

    All I am saying is that it is fine for most people. I have been on here several years and have always enjoyed your input and getting to know you from what I have read. I know you are very cautious which is great. Most cell phones are stolen and resold on a lower level--for resale and wipe but not data theft. I appreciate your input on being careful.
    I'm agreeing with you that this isn't something that a common thief will do. Low level crime is opportunistic. Its economic formula is based on committing many quick, low-reward crimes.

    But sophisticated criminals, including organized crime syndicates and nation states, execute much longer time-frame, targeted attacks over days, weeks and months. In that sense, it's similar to SIM-swap attacks, which are becoming very common among high-net-worth folks and celebrities.

    The "average" engineer who works for a power plant or defense contractor, or an IT admin for a major company, or the administrative assistant to a CEO, or a paralegal at a law firm that protects a pharmaceutical company's IP are the typical targets for these kinds of attacks. And the reason you'll likely not hear about them is that the theft of credentials from the phone is only one step in a kill chain that might include a variety of other vectors and techniques.

    In short, the fact that a lay person hasn't heard about a certain type of cyber attack is not convincing evidence that such attacks aren't occurring. Only a small fraction of compromises are ever made public, and only a small fraction of the elements involved in those breaches are ever announced.

    The Equifax breach, for example, was a months-long, sustained campaign (almost certainly by a nation state military or intelligence unit) that may or may not have included a mobile endpoint compromise. In many cases, forensic experts know a lot more than is disclosed, but they also can't uncover everything, since professionals cover their tracks and misdirect extensively.

    By all means you should make up your own mind as to which threat actors are relevant to you, and which capabilities they might bring to bear against you. If a common criminal swipes your phone on the subway, then a strong biometric, combined with disk encryption and theft protection should allow you to wipe your device remotely and leave the criminal with a brick. So long as your important data are backed up, the cost of the loss is simply the replacement cost of the device, the time and effort it takes to restore your data, and the opportunity cost of the time and money expended.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    10-22-19 02:32 PM
  17. Emaderton3's Avatar
    I'm agreeing with you that this isn't something that a common thief will do. Low level crime is opportunistic. Its economic formula is based on committing many quick, low-reward crimes.

    But sophisticated criminals, including organized crime syndicates and nation states, execute much longer time-frame, targeted attacks over days, weeks and months. In that sense, it's similar to SIM-swap attacks, which are becoming very common among high-net-worth folks and celebrities.

    The "average" engineer who works for a power plant or defense contractor, or an IT admin for a major company, or the administrative assistant to a CEO, or a paralegal at a law firm that protects a pharmaceutical company's IP are the typical targets for these kinds of attacks. And the reason you'll likely not hear about them is that the theft of credentials from the phone is only one step in a kill chain that might include a variety of other vectors and techniques.

    In short, the fact that a lay person hasn't heard about a certain type of cyber attack is not convincing evidence that such attacks aren't occurring. Only a small fraction of compromises are ever made public, and only a small fraction of the elements involved in those breaches are ever announced.

    The Equifax breach, for example, was a months-long, sustained campaign (almost certainly by a nation state military or intelligence unit) that may or may not have included a mobile endpoint compromise. In many cases, forensic experts know a lot more than is disclosed, but they also can't uncover everything, since professionals cover their tracks and misdirect extensively.

    By all means you should make up your own mind as to which threat actors are relevant to you, and which capabilities they might bring to bear against you. If a common criminal swipes your phone on the subway, then a strong biometric, combined with disk encryption and theft protection should allow you to wipe your device remotely and leave the criminal with a brick. So long as your important data are backed up, the cost of the loss is simply the replacement cost of the device, the time and effort it takes to restore your data, and the opportunity cost of the time and money expended.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    You said above "typical targets" of certain kinds of professions. I am not aware of pharmaceutical or paralegal personnel being compromised.

    I still think at the end of the day it is fine for most people. Those devices likely have more security anyway via MDM.
    10-22-19 03:59 PM
  18. bb10adopter111's Avatar
    You said above "typical targets" of certain kinds of professions. I am not aware of pharmaceutical or paralegal personnel being compromised.

    I still think at the end of the day it is fine for most people. Those devices likely have more security anyway via MDM.
    So, your opinion is based on the fact that you haven't heard about it? I am afraid I can only offer you hearsay evidence, but we hear about carefully targeted attacks against admin personnel at IP law firms and pharmaceutical companies regularly. The biometric hacks are so easy for a professional that I would be shocked if it hasn't happened already.

    So, from our perspective, if there are threat actors with the proper incentives, and there is no technical barrier, it is only a matter of time before they are compromised. This is only slightly harder than stealing someone's car keys.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    10-22-19 06:55 PM
  19. Emaderton3's Avatar
    So, your opinion is based on the fact that you haven't heard about it? I am afraid I can only offer you hearsay evidence, but we hear about carefully targeted attacks against admin personnel at IP law firms and pharmaceutical companies regularly. The biometric hacks are so easy for a professional that I would be shocked if it hasn't happened already.

    So, from our perspective, if there are threat actors with the proper incentives, and there is no technical barrier, it is only a matter of time before they are compromised. This is only slightly harder than stealing someone's car keys.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    You are at a much greater advantage to hear such info given your profession, correct? Then I have no reason not to believe you.
    10-23-19 06:34 AM
  20. bb10adopter111's Avatar
    You are at a much greater advantage to hear such info given your profession, correct? Then I have no reason not to believe you.
    The reason that black hat and security researchers exist is specifically to identify vulnerabilities before they are exploited. These researchers have demonstrated the ease with which they can defeat many commercial biometric second factors given possession of the device. That's enough for many organizations whose threat profile includes threat actors with the motivation and capability to use those exploits to alter their policies to prevent compromise.

    The goal of a risk-based security program is to avoid loss events by mitigating relevant vulnerabilities, not to wait for evidence of exploits before taking action.

    To be clear, the single most important thing for the average consumer is to use complex, unique credentials and multi-factor authentication of some kind on every account they don't want compromised. In that context, using the convenient biometric tools on their phone reduces risk significantly. It's just not sufficient for all threat profiles.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    10-23-19 09:27 AM
  21. Emaderton3's Avatar
    The reason that black hat and security researchers exist is specifically to identify vulnerabilities before they are exploited. These researchers have demonstrated the ease with which they can defeat many commercial biometric second factors given possession of the device. That's enough for many organizations whose threat profile includes threat actors with the motivation and capability to use those exploits to alter their policies to prevent compromise.

    The goal of a risk-based security program is to avoid loss events by mitigating relevant vulnerabilities, not to wait for evidence of exploits before taking action.

    To be clear, the single most important thing for the average consumer is to use complex, unique credentials and multi-factor authentication of some kind on every account they don't want compromised. In that context, using the convenient biometric tools on their phone reduces risk significantly. It's just not sufficient for all threat profiles.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    Yes, I understand. But my thinking is more along the line of Conite's, where I don't think Google is nefarious, nor do I believe massive data breaches are occurring yet.

    We can agree to disagree. I think in many areas of life and some sectors that the fingerprint is convenient and relatively safe for most.

    If such industries are indeed getting compromised, then I have no idea why their IT departments would continue to allow the use of fingerprints.
    10-23-19 01:50 PM
  22. bb10adopter111's Avatar
    Yes, I understand. But my thinking is more along the line of Conite's, where I don't think Google is nefarious, nor do I believe massive data breaches are occurring yet.

    We can agree to disagree. I think in many areas of life and some sectors that the fingerprint is convenient and relatively safe for most.

    If such industries are indeed getting compromised, then I have no idea why their IT departments would continue to allow the use of fingerprints.
    Cyber crime was expected to cost $2 Trillion in 2019. Is that not massive enough?

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    10-23-19 02:15 PM
  23. bb10adopter111's Avatar
    If such industries are indeed getting compromised, then I have no idea why their IT departments would continue to allow the use of fingerprints.
    Simple, they are using fingerprints as one component of a defense-in-depth strategy. Biometrics are only risky if you expect them to provide greater protection than they actually do.

    Privacy locks on residential bathrooms are very effective at preventing friends and family from accidentally walking in on each other, but I would not rely on them for a bank vault.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    10-23-19 02:19 PM
  24. Emaderton3's Avatar
    Cyber crime was expected to cost $2 Trillion in 2019. Is that not massive enough?

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    This is likely due to brute force attacks and not biometrics though.
    10-23-19 02:29 PM
  25. bb10adopter111's Avatar
    This is likely due to brute force attacks and not biometrics though.
    30% of incidents, and almost all the big ones, are targeted, according to the reports I see.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    10-23-19 02:32 PM