1. flexmaen's Avatar
    A new bluetooth vulnerability was revealed:
    https://www.welivesecurity.com/2020/...h-flaw-attack/

    Will self-proclaimed security master Blackberry provide an update?
    02-15-20 06:08 AM
  2. bb10adopter111's Avatar
    BlackBerry Mobile, owned by TCL, sold the phone. They are responsible, and I don't expect they will provide any more patches for the KEYone. BlackBerry Limited would only do the work if TCL paid for it.

    Z10 = BB10 + VKB > iOS + Android
    02-15-20 06:56 AM
  3. ajokurvanyad's Avatar
    'One way to lessen the risk is ensure that your phone is in non-discoverable mode when Bluetooth is on. Alternatively, enable Bluetooth only if necessary and remember to turn it off when not in use.'

    Seems reasonably easy to avoid the vulnerability.



    Posted via CB10
    02-15-20 10:57 AM
  4. conite's Avatar
    Will self-proclaimed security master Blackberry provide an update?
    You can skip the passive aggressive bit though. This is just a fan-site.

    Nor does BlackBerry Limited have anything to do with TCL's devices apart from being one of their many vendors.
    02-15-20 11:15 AM
  5. flexmaen's Avatar
    Well, in general I like the product and am glad that still someone is doing keyboard phones.

    The claim to deliver security however is kind of ridiculous. One side is the usual problem with Android updates, like most phone brands have. The other side is the comments of the boss, although he denies a backdoor.

    However I'm glad that they did not update to Android 9 or 10, since it is not possible to record calls there.
    02-16-20 11:53 AM
  6. HughJarsse's Avatar
    'One way to lessen the risk is ensure that your phone is in non-discoverable mode when Bluetooth is on. Alternatively, enable Bluetooth only if necessary and remember to turn it off when not in use.'

    Seems reasonably easy to avoid the vulnerability.



    Posted via CB10
    So what happens if, like me, you have a smartwatch, permanently connected via bluetooth??
    Either stop using it, or take the 'chance' nothing happens??
    Can't seem to find a way to check if using the watch means that the phone is always discoverable or not??
    02-17-20 05:23 AM
  7. RLeeSimon's Avatar
    A new bluetooth vulnerability was revealed:
    https://www.welivesecurity.com/2020/...h-flaw-attack/

    Will self-proclaimed security master Blackberry provide an update?
    Superciliousness supersedes superior security…
    02-17-20 07:12 AM
  8. bb10adopter111's Avatar
    So what happens if, like me, you have a smartwatch, permanently connected via bluetooth??
    Either stop using it, or take the 'chance' nothing happens??
    Can't seem to find a way to check if using the watch means that the phone is always discoverable or not??
    No. Once a device is paired with your phone, you can turn off scanning for new devices if your phone allows it, and leave Bluetooth on to work with your watch.

    Z10 = BB10 + VKB > iOS + Android
    02-17-20 07:14 AM
  9. RLeeSimon's Avatar
    BlackBerry Mobile, owned by TCL, sold the phone. They are responsible, and I don't expect they will provide any more patches for the KEYone. BlackBerry Limited would only do the work if TCL paid for it.

    Z10 = BB10 + VKB > iOS + Android
    The name emblazoned on every TCL model we are discussing here is "BlackBerry," not TCL
    02-17-20 07:15 AM
  10. RLeeSimon's Avatar
    but the KEYᵒⁿᵉ is a pretty good device
    02-17-20 07:17 AM
  11. RLeeSimon's Avatar
    but the KEYᵒⁿᵉ is a pretty good device
    Oops, I let that slip out …
    pnfitz likes this.
    02-17-20 07:18 AM
  12. Dunt Dunt Dunt's Avatar
    So what happens if, like me, you have a smartwatch, permanently connected via bluetooth??
    Either stop using it, or take the 'chance' nothing happens??
    Can't seem to find a way to check if using the watch means that the phone is always discoverable or not??
    Yeah, it's not that easy to say just leave Bluetooth off.

    Watch, Car, Smart speakers, smartlock features..... these days I don't ever turn Bluetooth off.

    As I understand it, Bluetooth for Android is only discoverable when you go into the settings...


    The problem is keeping up with the different vulnerabilities that become known as time marches on.
    02-17-20 07:35 AM
  13. bb10adopter111's Avatar
    The name emblazoned on every TCL model we are discussing here is "BlackBerry," not TCL
    What's your point? Companies license brands all the time. If you buy a Frozen pajama set licensed from Disney by a clothing manufacturer for your kid and it falls apart, you can return it to the retailer or seek a replacement from the manufacturer, but Disney can't do anything for you. They just licensed the brand.

    The Brand name has nothing to do with the legal responsibility.

    Z10 = BB10 + VKB > iOS + Android
    Last edited by bb10adopter111; 02-17-20 at 08:09 AM.
    02-17-20 07:54 AM
  14. falbo's Avatar
    Oh no, Disney is doing the security updates. I should have guessed as it was a bit Mickey mouse!

    Sorry, rant over.

    Posted via my Awesome passport
    02-17-20 08:02 AM
  15. bb10adopter111's Avatar
    Oh no, Disney is doing the security updates. I should have guessed as it was a bit Mickey mouse!

    Sorry, rant over.

    Posted via my Awesome passport
    It was a good rant, though! Wit is always appreciated.

    Z10 = BB10 + VKB > iOS + Android
    02-17-20 08:08 AM
  16. falbo's Avatar
    It was a good rant, though! Wit is always appreciated.

    Z10 = BB10 + VKB > iOS + Android
    I'm glad you see it that way. I'm sure others may not.

    Posted via my Awesome passport
    02-17-20 08:10 AM
  17. bb10adopter111's Avatar
    I'm glad you see it that way. I'm sure others may not.

    Posted via my Awesome passport
    With the exception of Google's own phones, all Android updates seem like Mickey Mouse operations. Windows, Mac OS, iOS and Linux can all update devices directly as needed. Only Android has a byzantine approach that leaves users vulnerable to known threats with no way to mitigate them.

    Z10 = BB10 + VKB > iOS + Android
    02-17-20 08:14 AM
  18. Dunt Dunt Dunt's Avatar
    With the exception of Google's own phones, all Android updates seem like Mickey Mouse operations. Windows, Mac OS, iOS and Linux can all update devices directly as needed. Only Android has a byzantine approach that leaves users vulnerable to known threats with no way to mitigate them.

    Z10 = BB10 + VKB > iOS + Android
    I hear that by the time Android 15 gets here they will have the issue resolved....

    Sadly Google just doesn't want to take the necessary stand that they should. They don't want to alienate OEMs or Carriers or be seen as bullies in this time when many are looking at them as Monopolistic.
    02-17-20 01:42 PM
  19. HughJarsse's Avatar
    Interestingly, the link only states
    'The vulnerability, tracked as CVE-2020-0022, affects devices running Android Oreo (8.0 and 8.1) and Pie (9.0)'.
    So, assume if you are running something like a Dtek, which was on Marshmallow, or an un-updated Priv on Nougat, then you should be OK??
    Maybe there are some benefits from owning an 'EOL piece of equipment' might not get updates, but, might also be less prone to those in newer OS's perhaps???
    (also assume my dear old Z10 is unaffected, (no android!! ) Currently being utilised as a work phone, it outlived my Dtek , that's for sure!!)
    02-17-20 03:32 PM
  20. conite's Avatar
    Interestingly, the link only states
    'The vulnerability, tracked as CVE-2020-0022, affects devices running Android Oreo (8.0 and 8.1) and Pie (9.0)'.
    So, assume if you are running something like a Dtek, which was on Marshmallow, or an un-updated Priv on Nougat, then you should be OK??
    Maybe there are some benefits from owning an 'EOL piece of equipment' might not get updates, but, might also be less prone to those in newer OS's perhaps???
    (also assume my dear old Z10 is unaffected, (no android!! ) Currently being utilised as a work phone, it outlived my Dtek , that's for sure!!)
    Google only lists as far back as 8.0.

    As of Aug/Sep of 2020, they will only list back to 9.
    02-17-20 03:35 PM
  21. ajokurvanyad's Avatar
    So what happens if, like me, you have a smartwatch, permanently connected via bluetooth??
    Either stop using it, or take the 'chance' nothing happens??
    Can't seem to find a way to check if using the watch means that the phone is always discoverable or not??
    I get it man, I use Bluetooth headphones every day on public transport in a major metropolitan area. As others have stated here, and also the way I understand this whole wireless wizardry works, is you're only discoverable when you go to pair a new device, not when connecting to a saved device. But there's also a chance that I might have already been hacked, so take all that I said with a grain of salt. I keep my important apps up to date and hopefully that keeps me safe.

    Posted via CB10
    02-17-20 06:36 PM
  22. RLeeSimon's Avatar
    It's all about the branding as the "security company" that isn't… laughable irony
    pnfitz likes this.
    02-18-20 02:23 AM
  23. flexmaen's Avatar
    There are more details about this issue now: https://insinuator.net/2020/04/cve-2...-rce-bluefrag/
    04-24-20 12:28 PM
