[slebdog]

What's the latest news regarding an OS upgrade to Nougat for the DTek60?

[00stryder]

There is no news regarding an OS upgrade to Nougat for the DTEK60. Although not impossible, I wouldn't hold my breath waiting for an update.

[securityboy]

Doubt we will see Nougat on the DTEK60.

[rcab]

They can't get timely security updates out. Not much hope for anything coming our way. I remember reading long time ago if you want nougat that the suggestion was to buy Keyone and I have not seen anything else here in Crackberry

[Gomark75]

At this point, if any update comes, it might as well be Oreo. It would be easier since they are already working on Oreo for their newer devices. But not likely happening for the DTEK series.

[tickerguy]

Don't expect anything in that regard.... it's an orphan.

[HughJarsse]

At this point, if any update comes, it might as well be Oreo. It would be easier since they are already working on Oreo for their newer devices. But not likely happening for the DTEK series.

As has been mentioned, the DTEKs are orphaned, they are officially 'legacy devices', so think yourself lucky to get sporadic security updates (when they work!!) and if they ever arrive....
Personally, I think that BB/TCL/BBMo (or whatever todays name is) are deliberately making it as difficult as they can regarding updates, in the hope we will all get fed up with the mess, and 'upgrade' to their latest offering, so they can 'rip us off some more' in the future..

[00stryder]

My next device will likely be whatever Google's offering is at the time I decide to upgrade so I know I'll get support for at least two years or more. Will more than likely shell out money for the BlackBerry App Suite and maybe the launcher (or Nova, haven't decided). What I really want though is a device manufactured through Google and it's partners, with BlackBerry stepping in to secure the OS.

[simon williams4]

I have done exactly as you ..pixel xl with blackberry apps , great combination

[dirk_ddiggler]

... with BlackBerry stepping in to secure the OS.

Other than marketing hyperbole, there is scant evidence that Blackberry has any magic sauce to secure Android any better than what it already is. Some of the worst vulnerabilities are in the Qualcomm binaries, and no-one got visibility into those. Our devices are security swiss cheese, full of zero-day exploits. Only secure devices are pen/paper and old school typewriters. Also, I am not aware of any enterprise or Google Play store app that has taken advantage of the BlackBerry Integrity Detection other than the DTEK app itself. Raise your hand if your DTEK app has been telling you the OS is compromised since November 2016 and you have completely ignored it for the past year.....

Other than that, you got the right idea. Get yourself whatever you like, slap on it Nova, etc. Also, Google is now promising 3 years of updates for the Pixel line, and with Project Treble, you could have Lineage OS running it for much longer still.

For myself, I am now using a LG G6 and the wife was migrated last week from a Nexus 5X to an Essential PH-1 (also getting Project Treble with the 8.1 update.)

[conite]

Other than marketing hyperbole, there is scant evidence that Blackberry has any magic sauce to secure Android any better than what it already is.

You mean apart from the fact that no one has ever achieved super user or persistent root on a BlackBerry Android device EVER?

[dirk_ddiggler]

You mean apart from the fact that no one has ever achieved super user or persistent root on a BlackBerry Android device EVER?

Not necessary.

For those not versed, a few links to educate, first on Broadpwn:

https://www.wired.com/story/broadpwn...y-ios-android/

For those who got an hour, here is the presentation from BlackHat 2017




And who could forget BlueBorne? Winner of the sexiest bluetooth worm of 2017... video of exploit included.

https://arstechnica.com/information-...king-required/

Blackberry's response was to patch just like everyone else. I guess that hardened kernel just didn't cut it.

BlackBerry response to impact of the vulnerabilities known as BlueBorne on BlackBerry products

There will be many more like this in the coming years. For those of you still believing Blackberry's voodoo magic security sauce, I got a bridge to nowhere I would like to sell you.

[conite]

Blackberry's response was to patch just like everyone else. I guess that hardened kernel just didn't cut it.

Just because you are more resilient to attack, you don't just stop other aspects of security like patching. Even a healthy person still gets his/her shots.

BlackBerry was the first to patch Quadrooter, but it was generally accepted at the time that BlackBerry Android would not have been compromised.

[Bay 13]

Other than marketing hyperbole, there is scant evidence that Blackberry has any magic sauce to secure Android any better than what it already is. Some of the worst vulnerabilities are in the Qualcomm binaries, and no-one got visibility into those. Our devices are security swiss cheese, full of zero-day exploits. Only secure devices are pen/paper and old school typewriters. Also, I am not aware of any enterprise or Google Play store app that has taken advantage of the BlackBerry Integrity Detection other than the DTEK app itself. Raise your hand if your DTEK app has been telling you the OS is compromised since November 2016 and you have completely ignored it for the past year.....

Other than that, you got the right idea. Get yourself whatever you like, slap on it Nova, etc. Also, Google is now promising 3 years of updates for the Pixel line, and with Project Treble, you could have Lineage OS running it for much longer still.

For myself, I am now using a LG G6 and the wife was migrated last week from a Nexus 5X to an Essential PH-1 (also getting Project Treble with the 8.1 update.)

Agree with you on all points. I moved on to an LG V20 and could not be happier. We will see how : 1. TCL support their phones that are being released after the licensing agreement with Blackberry (Future OS updates). Spending full retail on Dtek 60 with no future OS updates was a raw deal. Wife unlocked Galaxy S7 went from Marshmallow to Android N and will get Android O. 2. Will they release new phones with current hardware components (Processor). Tired of spending premium price for dated hardware. Security?? If the average consumer stay off shady sites they should be safe.

[dirk_ddiggler]

Just because you are more resilient to attack, you don't just stop other aspects of security like patching. Even a healthy person still gets his/her shots.

There is nothing in the advisory to suggest that Blackberry's modifications to Android had a mitigating effect on the BlueBorn exploit. If it did, they would have stated so in the advisory.

BlackBerry was the first to patch Quadrooter, but it was generally accepted at the time that BlackBerry Android would not have been compromised.

Here is the advisory for QuadRooter. Again, a reading of it suggest that the exploit works the same on all affected devices. No mention of mitigating factors special to Blackberry, so we can safely assume that there simply aren't any. Therefore, I see no reason to believe that it "...was generally accepted at the time...." Accepted by whom?

BSRT-2016-007 Vulnerability in Qualcomm kernel driver impacts BlackBerry powered by Android smartphones

[conite]

Here is the advisory for QuadRooter. Again, a reading of it suggest that the exploit works the same on all affected devices. No mention of mitigating factors special to Blackberry, so we can safely assume that there simply aren't any. Therefore, I see no reason to believe that it "...was generally accepted at the time...." Accepted by whom?

BSRT-2016-007 Vulnerability in Qualcomm kernel driver impacts BlackBerry powered by Android smartphones

BlackBerry Priv and DTEK50 first to be fully patched against all QuadRooter vulnerabilities https://www.crackberry.com/blackberr...ulnerabilities

"The Priv and the DTEK50 also have a secure boot process that verifies the system hasn't been tampered with. In other words, this wasn't going to go far in the first place."

This is the whole raison d'être of Integrity Detection - to prevent a persistent root.

[dirk_ddiggler]

BlackBerry Priv and DTEK50 first to be fully patched against all QuadRooter vulnerabilities https://www.crackberry.com/blackberr...ulnerabilities

"The Priv and the DTEK50 also have a secure boot process that verifies the system hasn't been tampered with. In other words, this wasn't going to go far in the first place."

This is the whole raison d'être of Integrity Detection - to prevent a persistent root.

You can't build a secure operating system on insecure foundations. This is true to any OS, not just Android. Kudos for BB for getting the patches out early. Those were the days they still cared. And regardless of who patched it first, the issue remains, you can't build a secure OS on top of swiss cheese.

There does not exist today a hardware platform that is transparent and makes all hardware and software logic open source or at least audit-able. What we got today is zero visibility into the hardware logic, zero visibility into the CPU/GPU microcode, zero visibility into system firmware, zero visibility into system management (think Intel ME), no visibility into the TPM, and so forth and so forth. So it is in this environment of uncertainty and opaqueness that we are sold security solutions that can never deliver on their promises because they are compromised by their very own nature. BroadPwn, BlueBorn, and QuadRooter are great demonstration of this.

[conite]

You can't build a secure operating system on insecure foundations.

But the clever thing about BlackBerry Android (and to a lesser extent, Knox), is that you don't have to.

Assuming you can't close every attack vector, Integrity Detection and Secure Boot Chain will prevent boot if any system files have been modified - requiring a factory reset.

[dirk_ddiggler]

But the clever thing about BlackBerry Android (and to a lesser extent, Knox), is that you don't have to.

Assuming you can't close every attack vector, Integrity Detection and Secure Boot Chain will prevent boot if any system files have been modified - requiring a factory reset.

Modifying OS files is not the only way to get persistence on a device. Plenty of places to hide in the components on the phone, and if ARM's security is as good as Intel's, there are plenty of places to compromise secure boot too.

Besides, imagine you had 2 devices, you could use BlueBorn, for example, to ping pong between the devices as you occasionally reboot them. Now expand that to dozens of devices that you come into regular proximity. That's what I would call "soft persistence." Unless we rethink security wholesale, saying that Blackberry does anything special is snake oil at worst, splitting hairs at best.

[conite]

...if ARM's security is as good as Intel's, there are plenty of places to compromise secure boot too.

Yet there is not a single documented case of this occurring.

...saying that Blackberry does anything special is snake oil at worst, splitting hairs at best.

You seem to just pick this notion out of thin air, without any reasonable proof or citation.

[dirk_ddiggler]

Yet there is not a single documented case of this occurring.

Except... you are wrong.

https://blog.acolyer.org/2017/09/21/...gy-management/

and there is also this...

https://arxiv.org/ftp/arxiv/papers/1707/1707.05082.pdf

(whenever you read "root" as the needed pre-requisite for this exploit to work, just substitute something like BlueBorn or one of the yet to be disclosed zero-day's to accomplish the same.)

Both of these papers are from 2017. I can find many more if you wish, going back years.

You seem to just pick this notion out of thin air, without any reasonable proof or citation.

My citations are the advisories Blackberry put out for BlueBorne, BroadPwn, and QuadRooter. They are just a vulnerable as anyone else and they patch just like everyone else. They themselves provided no statement regarding mitigating effects of their "hardening," blunting the effects of these exploits. If anything they did would have had a mitigating effect, you bet they would have paraded that.

[conite]

Except... you are wrong.

https://blog.acolyer.org/2017/09/21/...gy-management/

and there is also this...

https://arxiv.org/ftp/arxiv/papers/1707/1707.05082.pdf

(whenever you read "root" as the needed pre-requisite for this exploit to work, just substitute something like BlueBorn or one of the yet to be disclosed zero-day's to accomplish the same.)

Both of these papers are from 2017. I can find many more if you wish, going back years.



My citations are the advisories Blackberry put out for BlueBorne, BroadPwn, and QuadRooter. They are just a vulnerable as anyone else and they patch just like everyone else. They themselves provided no statement regarding mitigating effects of their "hardening," blunting the effects of these exploits. If anything they did would have had a mitigating effect, you bet they would have paraded that.

Your examples do not document a case of a BlackBerry Android secure boot process being compromised.

Picking 3 vulnerabilities that were patched as part of the standard AOSP patching program says absolutely nothing about whether or not BlackBerry Android is more resilient to these or any number of other threats. Your logic does not follow.

Thurber did specifically say that many "vulnerabilities" were patched on the Priv, as part of the regular program, but that the Priv wouldn't have been affected anyway because of its increased security posture.

[dirk_ddiggler]

Your examples do not document a case of a BlackBerry Android devices being rooted.

If you want to get hung up on whether a Blackberry device was ever persistently rooted as your benchmark for Android security, go ahead a delude yourself with that. Persistent roots are not required to pawn a device. What the BlueBorn exploit shows that any device can be slayed without the OS knowing and all data can be exfiltrated from such a device. It can be used to infect other devices as well.

Picking 3 vulnerabilities that were patched as part of the standard AOSP patching program says absolutely nothing about whether or not BlackBerry Android is more resilient to these or any number of other threats. Your logic does not follow.

To the contrary, it illustrates the point perfectly. Blackberry and all other OEMs can't do jack squat about hardware and software that is not in their control.

[conite]

If you want to get hung up on whether a Blackberry device was ever persistently rooted as your benchmark for Android security, go ahead a delude yourself with that. Persistent roots are not required to pawn a device. What the BlueBorn exploit shows that any device can be slayed without the OS knowing and all data can be exfiltrated from such a device. It can be used to infect other devices as well.

To the contrary, it illustrates the point perfectly. Blackberry and all other OEMs can't do jack squat about hardware and software that is not in their control.

Even if true (which I dispute), you're hanging your hat on a single (or a select few) vulnerability to "prove" that the BlackBerry Android (or Knox) security features have no value against ANY threats. This is a logical fallacy.

[dirk_ddiggler]

Even if true (which I dispute), you're hanging your hat on a single (or a select few) vulnerability to "prove" that the BlackBerry Android (or Knox) security features have no value against ANY threats. This is a logical fallacy.

No logical fallacy.

My argument is that Blackberry's actual (and/or perceived) improvements to Android security are trivial in the grand scheme of things when one understands that the most egregious exploits are baked into the hardware and software that is not under Blackberry's control.

Even their claim to fame of being un-rootable is nothing to brag about. The 3 recent exploits that I used as examples show that persistent roots are not necessary and Blackberry has no value add when exploits run this deep. It's not their fault really. It's just how it is.

The bottom line: When making cell phone purchases, consumers should not make trade-offs for this trivial value add.