[gebco]

I am very disappointed with BlackBerry's decision to stop security updates for the Priv, so much so that I am considering a Pixel for my next phone as apparently Google gives longer security update timelines.

Question though, would a Priv without the patches but with the root-of-trust, kernel-hardening, disc encryption, integrity detection etc be more, less, or equally as secure as a non BlackBerry without these features but with security patches?

[Invictus0]

BB Android's main advantage is root protection so an unpatched BB Android device would have some level of protection against root based exploits compared to regular Android (as in the case of QuadRooter).

For other exploits I guess it would depend but the major vulnerabilities from this year (BlueBorne, KRACK, etc) required patching on BB Android and regular Android.

[anon(10268214)]

I am very disappointed with BlackBerry's decision to stop security updates for the Priv, so much so that I am considering a Pixel for my next phone as apparently Google gives longer security update timelines.

Question though, would a Priv without the patches but with the root-of-trust, kernel-hardening, disc encryption, integrity detection etc be more, less, or equally as secure as a non BlackBerry without these features but with security patches?

If you believe Thurber's corporatespeak, the PRIV is still more secure than a 'non-hardened Android' even without updates. However that doesn't explain why it had to receive security patches religiously for two years straight, nor why it's on the list for the trade-in program...

[conite]

The true answer to the question is "it depends".

[gebco]

The true answer to the question is "it depends".

Depends on user as in ID ten T error or as in future vulnerabilities?

[conite]

Depends on user as in ID ten T error or as in future vulnerabilities?

Both.

BlackBerry Android is certainly more resilient to many threats, and real-time monitoring can detect unusual behaviour and changes to system files, but some vulnerabilities may just need to be patched.

[gebco]

Both.

BlackBerry Android is certainly more resilient to many threats, and real-time monitoring can detect unusual behaviour and changes to system files, but some vulnerabilities may just need to be patched.

So essentially we will have to see if BlackBerry steps up as they said they will when vulnerabilities are discovered.

[conite]

So essentially we will have to see if BlackBerry steps up as they said they will when vulnerabilities are discovered.

I don't see that as particularly likely. Maybe with a simple but serious fix like Krack.

[dastillero1975]

The true answer to the question is "it depends".

^^^^ This.

[vladi]

Of course it is. It's as safe as the user. Don't install apps you really don't need and careful with shady links in emails and IMs

Enjoy your Priv, the best slider since Pre 3

[anon(10268214)]

I don't know why anyone would assume the PRIV would still be patched in the event a new exploit like KRACK is discovered? No more updates means no more updates.

If that kind of emergency security patching has real meaning to you, as does hanging on to one if the last real BlackBerry devices for as long as possible...you might as well go back to a BB10 or BBOS device. At least for those products they have guaranteed support until the end of 2019.

[conite]

I don't know why anyone would assume the PRIV would still be patched in the event a new exploit like KRACK is discovered? No more updates means no more updates.

If that kind of emergency security patching has real meaning to you, as does hanging on to one if the last real BlackBerry devices for as long as possible...you might as well go back to a BB10 or BBOS device. At least for those products they have guaranteed support until the end of 2019.

Krack hasn't been patched on BB10.

With respect to the Priv, Thurber did say: "Third, should a critical vulnerability be exposed we will engage our partners as needed to develop and deliver necessary patches."

[anon(10268214)]

Krack hasn't been patched on BB10.

With respect to the Priv, Thurber did say: "Third, should a critical vulnerability be exposed we will engage our partners as needed to develop and deliver necessary patches."

Yeah I read that too...and I actually thought it meant something until he qualified it by inserting the weasel phrase 'as needed' into the sentence.

I stick with my original premise. No updates means no updates. I truly feel sorry for anyone who sticks with a PRIV believing they are ever going to see another security update, or that somehow it is still more secure than other Android devices without them.
Too much 'secret sauce' clouds the mind, lol.

[Huussi]

Yeah I read that too...and I actually thought it meant something until he qualified it by inserting the weasel phrase 'as needed' into the sentence.

I stick with my original premise. No updates means no updates. I truly feel sorry for anyone who sticks with a PRIV believing they are ever going to see another security update, or that somehow it is still more secure than other Android devices without them.
Too much 'secret sauce' clouds the mind, lol.

I guess this is the right way of thinking considering the record BlackBerry has on updates.
But i'm almost certain that if there is a large vulnerability like KRACK discovered within the next year BlackBerry will patch it on the priv and dteks.

[Invictus0]

Of course it is. It's as safe as the user. Don't install apps you really don't need and careful with shady links in emails and IMs

Enjoy your Priv, the best slider since Pre 3

Stagefright, KRACK, BlueBorne, etc had nothing to do with the user. If exploits like these continue to be found in 2018 the best the user can do is disable features on their device and hope it'll be patched.

Krack hasn't been patched on BB10.

With respect to the Priv, Thurber did say: "Third, should a critical vulnerability be exposed we will engage our partners as needed to develop and deliver necessary patches."

If BB10 with a larger install base than the Priv doesn't have a KRACK patch or comment yet it doesn't fill me with much hope that we'll see timely updates on the Priv moving forward.

[conite]

If BB10 with a larger install base than the Priv doesn't have a KRACK patch or comment yet it doesn't fill me with much hope that we'll see timely updates on the Priv moving forward.

The BB10 infrastructure and expertise to deal with updates is almost nonexistent.

[Invictus0]

The BB10 infrastructure and expertise to deal with updates is almost nonexistent.

They certainly do as .3057 was released recently and there was some recent movement in the spotted OS thread. Whether or not they want to or see it as urgent is a different question, and I guess the same would apply to the Priv moving forward as well.

[anon(10268214)]

Obviously BlackBerry is more interested in it's bottom line than its device customers. When BlackBerry said they would support PRIV for two years, I don't think anyone thought this meant literally exactly two years, and especially if Google was still supporting the OS with security patches. This is total hypocrisy. And the only remedy they have to the sudden about face regarding patching is the secret sauce? Shame on them.

PRIV abandoned once the minimum commitment fulfilled, and no OS update for either of the DTEKs. Heck of a way to kick off their licensing strategy...by booting consumers in their rear end so they can inflate their balance sheet.

[conite]

They certainly do as .3057 was released recently and there was some recent movement in the spotted OS thread. Whether or not they want to or see it as urgent is a different question, and I guess the same would apply to the Priv moving forward as well.

That update was from July, and was the one and only update since last Christmas.

The only change was a few bytes in the radio file to accommodate a Vodafone LTE issue.

There has been zero activity since.

[Invictus0]

That update was from July, and was the one and only update since last Christmas.

The only change was a few bytes in the radio file to accommodate a Vodafone LTE issue.

There has been zero activity since.

KRACK was disclosed to QNX in early August IIRC so it's highly unlikely that they didn't have the people to do anything about it less than a month later. They also tested for BlueBorne in September and released a bulletin so I think it's reasonable to assume they at least have the resources even if they don't consider it a priority.

Even if we ignore that, BlackBerry didn't even release a bulletin to advise BB10 users (which still includes government and enterprise) on the status of KRACK and what they can do moving forward. BlackBerry's track record for dealing with "maintenance mode" software is pretty mixed so I don't have high hopes for the Priv (I'd love to be proven wrong though).

[anon(10268214)]

And from Android Authority, no less:

"No matter which way you slice it, BlackBerry failing to properly update the Priv to Nougat, not even Oreo, and refusing to extend important security updates beyond the “standard” 2 years promised by everyone else is an undeniable sign that the company isn’t willing to go the distance with security. That’s more than a little disappointing."

https://www.androidauthority.com/bla...pdates-824374/

Obviously just another crapdroid article looking for a senseless excuse to slag BlackBerry for its inflated price and poor hardware specs, lol.

[anon(10268214)]

KRACK was disclosed to QNX in early August IIRC so it's highly unlikely that they didn't have the people to do anything about it less than a month later. They also tested for BlueBorne in September and released a bulletin so I think it's reasonable to assume they at least have the resources even if they don't consider it a priority.

Even if we ignore that, BlackBerry didn't even release a bulletin to advise BB10 users (which still includes government and enterprise) on the status of KRACK and what they can do moving forward. BlackBerry's track record for dealing with "maintenance mode" software is pretty mixed so I don't have high hopes for the Priv (I'd love to be proven wrong though).

I think it's quite obvious their way of dealing with this, or any major BB10 security issue going forward will be via managed devices and their EMM solutions. To the only remaining BB10 clients that matter to them, these will be one and the same customers. Any update to either BB10 or BBOS is extremely unlikely. For consumers it goes something like sorry but you need to buy a new device...here's a coupon for a BlackBerry if you're interested...but the security updates expire exactly two years from launch, so hurry!

[dastillero1975]

I guess this is the right way of thinking considering the record BlackBerry has on updates.
But i'm almost certain that if there is a large vulnerability like KRACK discovered within the next year BlackBerry will patch it on the priv and dteks.

Is KRACK patched on BB10?. I don't think so.
Moreover Android is full of unpatched devices from other companies and they stay that way until the end of times. That's something inherent to Android due to fragmentation and a good excuse for BB to do nothing when a critical flaw affects the PRIV since now.
Moreover you still need to convince "the partners" to give a hand if needed.
Nah! I think you already show the last patch for Priv.

[Huussi]

Is KRACK patched on BB10?. I don't think so.
Moreover Android is full of unpatched devices from other companies and they stay that way until the end of times. That's something inherent to Android due to fragmentation and a good excuse for BB to do nothing when a critical flaw affects the PRIV since now.
Moreover you still need to convince "the partners" to give a hand if needed.
Nah! I think you already show the last patch for Priv.

Sounds fair.
No idea why is still believe in BlackBerrys "promises"

[conite]

KRACK was disclosed to QNX in early August IIRC so it's highly unlikely that they didn't have the people to do anything about it less than a month later. They also tested for BlueBorne in September and released a bulletin so I think it's reasonable to assume they at least have the resources even if they don't consider it a priority.

Even if we ignore that, BlackBerry didn't even release a bulletin to advise BB10 users (which still includes government and enterprise) on the status of KRACK and what they can do moving forward. BlackBerry's track record for dealing with "maintenance mode" software is pretty mixed so I don't have high hopes for the Priv (I'd love to be proven wrong though).

It is documented that the BB10 unit wasn't informed until October.

I'm not disagreeing that the BB10 response is abysmal - but I'm also saying they have little to no capacity left.