1. llelectronics
    The first postings and unboxings I read about state that the Motion ships with security patch level September.
    This would mean it ships by default with a very vulnerable OS that can't even be safely updated as OTA Updates could be compromised by the KRACK WPA2 security hole.

    I did not find 'autoloaders' or Roms for the Motion containing the November Patchlevel so updating via cable instead of potential cracked Wifi is not possible.

    Is this really true? Shouldn't BlackBerry delay the launch for shipping a non vulnerable phone?
    Or am I the only one seeing an issue here?

    Posted via CB10
    11-18-17 03:34 AM
  2. howarmat
    You are the only one that sees this as an issue, honestly. Autoloaders/ROMs would be used by a very, very small population as it is. 90% of people that get the patch will get it OTA.
    11-18-17 04:47 AM
  3. tickerguy
    It's a non-issue from a standpoint of getting an OTA patch.

    Yes, someone could try to tamper with it during delivery, in theory. But if they did tamper with it the phone would refuse to load it as it would fail verification -- which is exactly what BlackBerry's "root of trust" certification system is designed to do.

    So if you got KRACKd during an OTA update the verification would fail. When retried in a place where you weren't KRACKd at that moment it would succeed, and from that point on, of course, the phone is fine.
    Wezard likes this.
    11-18-17 04:54 AM
  4. aecgda
    Mine downloaded as soon as I fired it up.
    11-18-17 07:17 AM
  5. conite
    > The first postings and unboxings I read about state that the Motion ships with security patch level September.
    > This would mean it ships by default with a very vulnerable OS that can't even be safely updated as OTA Updates could be compromised by the KRACK WPA2 security hole.
    >
    > I did not find 'autoloaders' or Roms for the Motion containing the November Patchlevel so updating via cable instead of potential cracked Wifi is not possible.
    >
    > Is this really true? Shouldn't BlackBerry delay the launch for shipping a non vulnerable phone?
    > Or am I the only one seeing an issue here?
    >
    > Posted via CB10

    What would you expect? The product has been sitting in supply channels for a while now.

    Most will see an update as soon as they start up for the first time.
    11-18-17 08:03 AM
  6. Invictus0
    > It's a non-issue from a standpoint of getting an OTA patch.
    >
    > Yes, someone could try to tamper with it during delivery, in theory. But if they did tamper with it the phone would refuse to load it as it would fail verification -- which is exactly what BlackBerry's "root of trust" certification system is designed to do.
    >
    > So if you got KRACKd during an OTA update the verification would fail. When retried in a place where you weren't KRACKd at that moment it would succeed, and from that point on, of course, the phone is fine.

    Root of Trust wouldn't detect KRACK and updates are probably sent over https anyway. It wouldn't make sense to exploit a device in transit with KRACK either because the user hasn't actually configured it so you wouldn't get any worthwhile data.

    OP: The October update for BB Android should have the patch, if you're worried just update over data.
    11-18-17 09:54 AM
  7. app_Developer
    There is no way KRACK compromises OTA updates. Explain how an adversary can alter an update this way.
    11-18-17 10:32 AM
  8. conite
    > There is no way KRACK compromises OTA updates. Explain how an adversary can alter an update this way.

    You're right. It's impossible.
    11-18-17 10:41 AM
  9. tickerguy
    > There is no way KRACK compromises OTA updates. Explain how an adversary can alter an update this way.

    You could MITM the transaction and replace the download.

    However, in the case of BlackBerry doing so is worthless since it won't install if it's tampered with, as the interloper doesn't have the required signing key for the package.
    11-18-17 10:43 AM
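
The point made in posts 3 and 9 (a replaced download is rejected because the interloper lacks the signing key), as an added example that is not part of the thread and is not BlackBerry's or Android's actual update code. It is a standard-library RSA PKCS#1 v1.5 / SHA-256 check; the demo key, seed and function names are constructed for illustration.

```python
import hashlib
import random

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_probable_prime(n, rng, rounds=40):
    """Miller-Rabin test; callers only pass large odd candidates."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits, rng):
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if p % 65537 != 1 and _is_probable_prime(p, rng):  # keeps e invertible
            return p

def make_demo_key(seed=2017):
    """Constructed demo key from a fixed seed; real keys need a CSPRNG."""
    rng = random.Random(seed)
    p, q = _prime(512, rng), _prime(512, rng)
    n = p * q
    return (n, 65537), pow(65537, -1, (p - 1) * (q - 1))

def _encode(package, n):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(package), as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(package).digest()
    k = (n.bit_length() + 7) // 8
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign(package, public_key, d):  # vendor side: needs the private exponent d
    return pow(_encode(package, public_key[0]), d, public_key[0])

def verify(package, signature, public_key):  # device side: public key only
    n, e = public_key
    return 0 <= signature < n and pow(signature, e, n) == _encode(package, n)
```

A device that ships with only the public key installs a package when `verify` returns `True`; a payload altered or substituted in transit, or one signed with a different key, returns `False`.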
  10. app_Developer
    > You could MITM the transaction and replace the download.
    >
    > However, in the case of BlackBerry doing so is worthless since it won't install if it's tampered with, as the interloper doesn't have the required signing key for the package.

    No you can’t. That’s not how KRACK works.

    Plus the actual stream is TLS. But even if it weren’t, that’s not how KRACK works.
    11-18-17 11:29 AM
  11. Crumpster567
    > Mine downloaded as soon as I fired it up.

    Same, it pulled it down after I'd finished the setup.
    11-18-17 01:16 PM
  12. Bla1ze
    > The first postings and unboxings I read about state that the Motion ships with security patch level September.
    > This would mean it ships by default with a very vulnerable OS that can't even be safely updated as OTA Updates could be compromised by the KRACK WPA2 security hole.
    >
    > I did not find 'autoloaders' or Roms for the Motion containing the November Patchlevel so updating via cable instead of potential cracked Wifi is not possible.
    >
    > Is this really true? Shouldn't BlackBerry delay the launch for shipping a non vulnerable phone?
    > Or am I the only one seeing an issue here?
    >
    > Posted via CB10

    You're def the only one seeing an issue since it has an OTA ready lol.
    tickerguy likes this.
    11-19-17 02:26 PM
  13. tickerguy
    Yeah given the fact that it appears it grabs it over TLS the "vulnerability" is that you might not get it on the first try if you're KRACK'd since your connection could be disrupted (but not replaced.) Once the OTA comes down, of course, that "hole" (such as it is) is closed.
    11-19-17 02:44 PM
  14. jackcarr
    As soon as I booted up the phone the first time it downloaded the latest security OS patch.
    11-22-17 06:36 PM
