OnePlus Security Fail Makes Case for BlackBerry Motion
Unbelievably, the OnePlus engineering team left a huge backdoor in security that allows anyone with physical access to your phone to easily "get virtually unlimited access to their files and software."
OnePlus Backdoor Means Hackers Could Take Over Your Phone
It's been generally accepted that consumers "don't care about security," but that's mostly because they assume that their products are reasonably secure.
This is a great example of how that's simply not the case. In an environment where security isn't a top priority, it will eventually be compromised for the sake of convenience. In this case, in order to facilitate manufacturing, OnePlus created an "Engineering Mode" with a global password that allows access to everything on a phone. This is a universal backdoor.
Of course, now that it's been revealed, it will be patched, but the fact that nobody at OnePlus bothered to stop it in the first place is the issue. There is clearly no focus on security at OnePlus. In terms of screwups, this is the equivalent of not bolting a wing onto a plane properly during manufacture. It's an egregious error that demonstrates a complete lack of security safeguards.
I'm not saying that only BlackBerry is secure. Samsung and Apple both have robust security models, but this illustrates clearly that one should NOT assume that a generic Android phone is secure. The problem here was not with Android itself, but with the implementation of it on the OnePlus phones. And that's the point. HOW Android is implemented varies from device to device, and security must be vigilantly engineered throughout to be effective.
11-15-17 05:24 AM

Almost every Android device has a built-in backdoor called Play Store. I worked with an Android apps development team in the past and the reviews Google does to approve the apps that will go in the store are just a joke...
Apple have an edge here as you cannot expect your app approved before 7-10 days most of the time (I'm talking about Spain) while it will take 1-2 days to be approved by Google.
While I like Android because of its openness, I assume that it is an inferior OS security-wise compared to iOS, the defunct Windows Mobile and BBOS 10 of course.
It is not fair that makers leave those backdoors exposed (I suspect that almost all of them have some kind of backdoor in their software) but if you chose Android you probably chose the most insecure mobile OS out there.
11-15-17 06:11 AM

Right. It's an implementation issue. But, like I said, failure to lock it down betrays a very ineffective security culture. This is the problem with the smart phone market. Many manufacturers don't have any kind of comprehensive approach to security. To them they're just making consumer electronics. There's nothing wrong with the existence of "engineering mode." But to secure the phone, it simply can't be accessible to anyone (including the user) post manufacture. Once a phone has been delivered and activated, a thief, spy, spouse, hacker, or disgruntled colleague should not be able to access it without the owner's help. That's Security 101.
11-15-17 07:00 AM
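The opening post describes an "Engineering Mode" app gated by one global password, and the reply above says such a mode must not be reachable on a phone once it has shipped. The following audit script is an added example for this thread, not code from OnePlus, Google or any poster. It takes output saved from `adb shell` (the package list, the system properties, and the USB-debugging setting) and flags leftover engineering or diagnostic apps, debug build properties, and enabled USB debugging. The package-name patterns and the sample dumps are constructed assumptions; the thread does not name the OnePlus app, so the script does not identify it either.

```shell
#!/bin/sh
# Added example for this thread; not code from OnePlus, Google or any poster.
# Audits an Android device for what the thread is arguing about:
#   1. factory/engineering/diagnostic apps still installed on a shipped phone;
#   2. debug access (debuggable build, root adbd, USB debugging) left open
#      after manufacture.
# It reads text captured from adb, so it also runs offline on saved dumps:
#   adb shell pm list packages                 > packages.txt
#   adb shell getprop                          > props.txt
#   adb shell settings get global adb_enabled  > adb.txt
# The name patterns below are an assumption, not a list of known-bad apps.

ENGINEERING_PATTERNS='engineer|factory|diag|testmode|mmi'

# Print the package names from `pm list packages` output that match the
# engineering patterns, one per line (empty output when nothing matches).
flag_engineering_packages() {
    sed -n 's/^package://p' | grep -Ei "$ENGINEERING_PATTERNS" || true
}

# Read `getprop` output ("[key]: [value]" per line) and print one finding
# for each property that leaves the device in a debug state.
flag_debug_props() {
    while IFS= read -r line; do
        key=${line#\[};   key=${key%%\]*}
        val=${line##*\[}; val=${val%\]}
        case "$key=$val" in
            ro.debuggable=1)
                echo "ro.debuggable=1: userdebug/eng build, 'adb root' is available" ;;
            ro.secure=0)
                echo "ro.secure=0: adbd starts with root privileges" ;;
            ro.build.type=eng|ro.build.type=userdebug)
                echo "ro.build.type=$val: not a production (user) build" ;;
            service.adb.root=1)
                echo "service.adb.root=1: adbd is running as root right now" ;;
        esac
    done
}

# audit_device PACKAGES_FILE PROPS_FILE ADB_ENABLED_VALUE
# Prints every finding plus a "findings: N" summary; returns 0 only when N=0,
# so it can gate a fleet-enrolment script.
audit_device() {
    findings=0
    pkgs=$(flag_engineering_packages < "$1")
    if [ -n "$pkgs" ]; then
        printf 'engineering/diagnostic packages present:\n%s\n' "$pkgs"
        findings=$((findings + $(printf '%s\n' "$pkgs" | wc -l)))
    fi
    props=$(flag_debug_props < "$2")
    if [ -n "$props" ]; then
        printf 'debug properties:\n%s\n' "$props"
        findings=$((findings + $(printf '%s\n' "$props" | wc -l)))
    fi
    if [ "$3" = "1" ]; then
        echo "USB debugging is enabled (settings global adb_enabled=1)"
        findings=$((findings + 1))
    fi
    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Constructed sample dumps (not captured from a real device) so the script
# runs with no phone attached. Package names are illustrative.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/packages.txt" <<'EOF'
package:com.android.settings
package:com.example.engineermode
package:com.example.mail
package:com.example.factorytest
EOF
cat > "$SAMPLE_DIR/props.txt" <<'EOF'
[ro.build.type]: [user]
[ro.debuggable]: [1]
[ro.secure]: [1]
[service.adb.root]: [0]
EOF

audit_device "$SAMPLE_DIR/packages.txt" "$SAMPLE_DIR/props.txt" 1 \
    || echo "verdict: not in a shipped-to-customer state"
```

Against a real device, save the three `adb shell` outputs to files and pass the paths (and the `adb_enabled` value) to `audit_device`. A name match is a lead, not proof: confirm what the app actually exposes (exported activities, a password-gated root shell) before calling it a backdoor. The reverse also holds: a clean package list does not clear a phone whose build reports `ro.debuggable=1`, because on such a build `adb root` alone gives the physical attacker the access the thread is worried about.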
Someone that avoids a phone over this probably wouldn't get a BlackBerry device either because of their statements on encryption and issues with BBM.
Security just isn't as big a priority as it should be, I wouldn't be surprised if many smartphone owners don't even realize their phones can be easily compromised or put at risk by running older software.
11-15-17 10:31 AM

Moreover, as has been said, if this patched vulnerability is reason enough to disqualify OnePlus then BB's past escapades count too.
11-15-17 10:42 AM
Is that a huge privacy concern? Absolutely. But it's not a security failure. The system was as secure as it was intended to be.
To my knowledge, BlackBerry has never had an egregious cybersecurity failure of any scale because it's always been a priority. That's my point.
And I know consumers don't care, and I honestly don't care what choices individuals make with their own data. That's on them. But security-minded enterprises have to manage real risks, and need to eliminate sloppy companies from their cybersecurity supply chain.
This was a fundamental failure, akin to leaving a door unlocked. No big deal if you go out for a stroll in your neighborhood, but instant termination for an employee at a prison, bank, armory, power plant etc.
Posted with my trusty Z10
11-15-17 10:58 AM

The BBM issue is in no way related to a handset backdoor left intentionally open by a manufacturer.
That's not an "oops", it's a choice -- to put it in there in the first place, and then not have the auditing procedures so that when you transition from development to production it is not removed.
Sorry, those aren't identical or even in the same league. Never mind that OnePlus was caught before using telemetry that was wildly inappropriate and sending data home to "Momma" -- in CHINA.
That was "patched" too, but only once discovered independently, which again goes to the point -- it was put in there on purpose and was only removed when discovered by third parties.
If you wish to buy handsets from people who intentionally do that sort of thing, be my guest. After all most of you load the Facesucker app on your phone, right? Was that not the entire reason BlackBerry's BB10 handsets didn't find "commercial acceptance"?
We live in a drugged world, and those companies are the ones doing the drugging. Were we to apply the law equally we'd need more wood chippers to insert those people into -- feet first (rhetorically of course) exactly as we do with international drug traffickers.
11-15-17 11:14 AM

> BlackBerry's statements on encryption wouldn't deter an Enterprise customer who has a legal responsibility to retain records and produce them if required by a court. Don't confuse privacy with security. They are often, but not always, related.
https://forums.theregister.co.uk/for..._water_cooler/
https://www.itworldcanada.com/articl...-reveal/382481
https://www.theinquirer.net/inquirer...-on-encryption
etc
Breaking encryption is in a different league from your examples and one without a consensus. Realistically, IT admins are consumers at heart and with how competitive the device and EMM markets are I'm sure these issues would influence decisions (for or against).
If we're just discussing enterprise users though, I don't see why the OnePlus issue would deter them either as EMM software could disable USB debugging (Knox does it by default IIRC, not sure about others).
> The BBM issue is in no way related to a handset backdoor left intentionally open by a manufacturer.
> That's not an "oops", it's a choice -- to put it in there in the first place, and then not have the auditing procedures so that when you transition from development to production it is not removed.
http://www.cbc.ca/news/technology/bl...ages-1.3620186
https://www.theregister.co.uk/2012/0...ia_bbn_server/
https://www.theguardian.com/technolo...bia-ban-lifted
Telemetry issues aren't exclusive to OnePlus or Chinese OEMs either, we saw it recently with Microsoft and Windows, it comes up with Google and Android every now and then as well.
11-15-17 11:53 AM (last edited by Invictus0, 11-15-17 12:08 PM)

They didn't fix it because the hacker would need to physically have the device in their possession in order to gain access. I personally would have loved to see BlackBerry Mobile team up with OnePlus to make a top tier device. The OnePlus 5T with 64GB of storage is going to sell for $479. Add BlackBerry's security to it and sell it for $600. Boom, instant hit.
Rock'n that Passport SE aka the KeyONE's fat sister
11-15-17 02:16 PM
Root access is fine for enthusiasts who like to tinker or customize their devices, but it's an unacceptable risk in an Enterprise context.
Companies should restrict BYOD devices to a white list of companies with a proven track record on security. Generic Android phones shouldn't be on that list, even with "Android for Work."
11-15-17 05:06 PM (last edited by bb10adopter111, 11-16-17 06:49 AM)

In that case Android simply wouldn't be an option for enterprise. If a hacker found an Android device on the ground they'd have a loooong list of vulnerabilities to try,
Google Android : CVE security vulnerabilities, versions and detailed reports
Enterprise would probably be fine with just remotely wiping a device once it's lost instead of assuming it'll be unexploitable. This also ignores that EMM would lock down devices anyway to the point where some exploits (including the one in OP) may not even work.
11-15-17 05:18 PM
Also, Enterprise is definitely NOT satisfied with wiping a device, because that can only be done after the device's loss is known. A lot can happen before then. If a skilled mobile phone hacker finds my BB10 or BlackBerry Android on the street, the only thing they could do is try the security 10 times and fail, resulting in a security wipe of the phone.
Not to put too fine a point on it, but while we would never fire an employee for losing a device to theft, we would instantly fire an employee who exposed sensitive data through the theft of a device. Protecting company and client data at all times is part of our BYOD agreement and a key job requirement. We have a zero tolerance policy for employees who allow information to be compromised.
11-15-17 05:32 PM
I agree that most Android phones are highly exploitable. That's my point.
End users can buy any device they like, but that doesn't mean their employers should let them all on the network!
11-15-17 07:32 PM

> My whole point is that generic Android IS unacceptable. That is not true for BlackBerry or Samsung devices (and probably for Pixel as well). No one has demonstrated an ability to access a BlackBerry Android phone in that way, and, while Samsung phones can be rooted, doing so blows the Knox "fuse" which cuts off access to all enterprise data.
Hypothetically assuming the patches haven't been applied, what's stopping someone from hacking BB Android through Android vulnerabilities like BlueBorne, KRACK, or Stagefright? BB Android's main security selling point is root protection (which proved itself with QuadRooter) but in other areas it's vulnerable to the same exploits as a generic device. Android is Android at the end of the day, the real differentiator in this case is monthly patching.
11-15-17 07:41 PM

I believe wiping a device after 10 wrong password attempts is a stock Android feature now.
11-15-17 08:45 PM
Not sure about that. I forgot the PIN on my HTC M9, which is on N. After a while it put a huge delay of 30 seconds before you can try again but doesn't wipe. Basically I can probably, with time, get it if I keep trying, theoretically.
I just opted to wipe it instead though via hw reset as I forgot the PIN because I loaned it to someone and changed the PIN to something I don't normally use so they don't know my regular PIN.
https://forums.androidcentral.com/ht...u-get-rid.html
11-15-17 09:07 PM

Yes, monthly patching is critical, of course. But it's not sufficient if the company implementing Android is ADDING vulnerabilities through lax internal controls and a general lack of concern for security. Securing Android devices requires more than just slapping in the right version of the OS.
11-15-17 11:23 PM

Fair enough and OnePlus should certainly do better in this regard as this isn't the first incident but OEMs are largely reliant on Google to secure Android. There are companies that have forked Android to do it themselves but they miss out on Google services as a result.
It could be device specific, I'm finding posts about it going back a few years.
https://forums.androidcentral.com/ht...u-get-rid.html
11-16-17 06:54 AM

Well, now to be fair my device is on my Exchange server, and I can send a "wipe" command from the Exchange management system. If the phone connects to that server once the request has been made, it wipes immediately.
So yes, there's "lost device" protection in an Exchange environment even without "formal" EMM. But -- if you can get into the device you can remove the account, which of course shuts off that path. Therefore, the question is "can you break into the device and remove the Exchange link before it's known to be compromised or lost?"
If yes, then the so-called security is worthless.
11-16-17 08:41 AM

I don't think anyone has a worse track record for security vulnerabilities... than BLU. Yet they still have three of the top selling unlocked smartphones on Amazon in the US.
In the end there is a reason Google and Microsoft send out monthly patches, right or wrong that seems to be enough for most all Android users. But might also be why Apple dominates in enterprise.
This means nothing for BlackBerry.... as they aren't even a consideration for most of enterprise at this point - simply due to the uncertainty (and maybe past track record and no sign that things have changed for the better) and availability.
11-16-17 08:51 AM
But the myth that all Android phones are equivalent from a cybersecurity perspective is just silly. The OS is obviously a critical component, but it's just one component. A company that does not have a large, dedicated cybersecurity analysis and engineering team is not a good candidate for a fleet or BYOD.
BLU, OnePlus, and other "generic" Android manufacturers can be made reasonably secure for general use if their users behave properly. But generic Android is simply not secure enough for most serious professional environments.
Enterprise IT and cybersecurity leaders know this. That's why they prefer Apple and Samsung, both of whom have proven their commitment to security. BlackBerry is also highly qualified in cybersecurity, but, as you say, they don't have the same reputation in 2017.
My point is not that the Motion will sell millions of units because OnePlus screwed the pooch in cybersecurity. It's that the OnePlus fail demonstrates why enterprises shouldn't allow generic Androids on their networks in the mistaken belief that a OnePlus phone is just as secure as Samsung, BlackBerry, Apple, or (possibly) Google.
11-16-17 09:35 AM