Blackphone claims to be first privacy-focused smartphone
Sith_Apprentice (Mod Team Emeritus): You would need BES10, then for email you would need your own email server, domain, etc. There is a significant cost to something like this. But yes, if you are that concerned, you can definitely try it. This would protect communications (data only) between you and your housemates. You can also purchase BlackBerry Mobile Voice and an IP-based phone system to use VoIP from your BB10 devices to communicate NOT over the carrier network. Pete The Penguin likes this. 01-15-14 08:23 AM, Like 1
Uzi (Retired Moderator), quoting the post above. Posted via CB10. 01-15-14 08:27 AM, Like 0
Pete The Penguin (Resident CrackBerry Wizard), quoting the post above. 01-15-14 08:27 AM, Like 0
Yah.. I guess anyone can make claims out there when you don't have the phone on the market. Once it's on the market, it could be a very different story..
I'm sure Android and iOS thought they were unhackable.. at least for a period of time until someone hacked them.. Say whaat? 01-15-14 08:27 AM, Like 0
Sounds like you have seen it happen - or are you just saying "Everything can be hacked"?
Can you document just one (1) single *proof* of BES or BES 10 being compromised?
Feel free to choose production or lab environments, but the software has to be patched with the latest SP, MR and hotfix from BlackBerry at the time of the attack. It would be too easy to choose an old version and utilize a weakness that was fixed in a later hotfix :-)
Hint: Don't post the image from Heise.de - it shows a BIS email.
From working with BlackBerry in the Enterprise since version 4.0/4.1 and all the way up to BES 10, I know BlackBerry has patched some vulnerabilities (especially in BES 5 regarding the attachment service and PDF files). Even so, I have not been able to locate a single instance of a compromised BES server. BlackBerry has (at least as of the beginning of the year) about 120 people employed to look only at security (analysis, design and code review, hacking etc.), so they are not just talking about security - it is a very important focus area for them.
BES 10 is even harder, as it only works as a VPN tunnel to the LAN + MDM, so it does not have to handle any email synchronization, content compression or conversion (esp. attachment service). 01-15-14 08:33 AM, Like 2
I have seen some hosted BES solutions I have been interested in setting up, and I would be willing to pay a reasonable price for them for security. Disappointed that you can't use Balance without BES. 01-15-14 08:33 AM, Like 0
Sith_Apprentice (Mod Team Emeritus), replying to the post above: Also UDS needs to be considered; at current, it does not even have FIPS validation for the crypto kernel. That is as much a part of BES 10 as BDS is.
But we digress. 01-15-14 08:38 AM, Like 3
Pete The Penguin (Resident CrackBerry Wizard), replying to the post above: Might not have been a live exploit, but the fact that it could have been proves it's not unhackable.
That's why I'm interested in how secure BES10 is.
To say something can't ever be hacked is plain wrong. With time and the right tools, anything is possible. 01-15-14 08:49 AM, Like 0
Reply, quoting the "anyone can make claims" post above:
It could mean either "getting root access" or "getting access to data" (or both).
I have attended several meetings and phone conferences with a security analyst from BlackBerry. At one time, 2 or 3 years ago, he claimed: "iPhones are hacked (rooted) because Apple do not allow people to run whatever software they like on them. You can run any app on a BlackBerry, and so the need for rooting a BlackBerry device is not interesting."
As far as I know there has been only one instance of a BlackBerry handheld being compromised. It was back in 2011 when the Torch was released with the WebKit browser engine to give a better browser experience. It was a security researcher who found the exploit, and he did a great job getting further into the OS (black box hacking). BlackBerry released a fix within 24 hours, but it took many, many months until the last carrier had accepted the update. If Apple found an exploit, the fix would be available to the users immediately. So in this matter Apple is actually in a MUCH better position to get the updates out.
BB 10 had (as far as I understand) a root exploit in the beta releases, but it was reported and fixed in due time.
BlackBerry has always given the user control over application permissions. This is fine, but only if used with the proper knowledge, and in general most "average Joe" people do not understand what permissions mean or the consequences of just clicking "allow".
Just one example (from PC/Windows): My own mom used (some years ago) Kaspersky Antivirus on her Windows PC. Kaspersky tries to be very secure and also inspects HTTPS (encrypted HTTP traffic). In order to do so, it intercepts the SSL connection and presents the browser with a self-issued SSL certificate, so the connection is actually now Browser <-> Kaspersky AV <-> Web site. Technically this is a man-in-the-middle attack. At the time Kaspersky did not install a root CA in the "Trusted Root Certificates" store in Windows, so the browser detected something was wrong (the certificate was not trusted), and my mom just learned to press "Continue" whenever she got an SSL warning. "If I don't, I cannot access my bank" (!).
So what does this mean? Average Joe needs a vendor taking care of security for him, and it should be implemented transparently, so he never has to think about security or take any security-related decisions.
Apple IMHO has been doing a great job of providing a good balance of simplicity and security: There is only a single way to get apps on the device: the App Store. Apple controls the App Store and is able to do a remote "kill/remove" on iPhones of any malicious app they discover post-installation.
BlackBerry knows a lot about security, but has not succeeded in making the most user-friendly devices. BB 10 is a huge step in the right direction. Security-wise, BlackBerry has a problem getting OS fixes deployed fast, because any security fix has to be approved by each individual carrier before release. This is a BIG problem, but at this point in time BlackBerry is nowhere near being able to bypass the carriers. Anyone still on 10.1?
Just my 2 cents++ 01-15-14 09:14 AM, Like 4
I would LOVE to use PGP and OpenVPN on my BlackBerry - I've been bleating on about it on the BB dev forums for AGES!
I buy BB for the security and reliability it brings TO THE DEVICE - I'm not on BES.
That said, if someone wants to bring something to the table that is really secure - well, great.
And this may run on Android, but it will be forked, not Google's implementation (think Amazon Kindle Fire et al). I have had institutions consult me that use their own ROMs on top of GS4s - no Google Play or apps or anything. Locked down. I imagine this phone will be something like that.
Either way I say the more the merrier - though I can't believe any government would grant a use license without talking to them first.
No one, not even BlackBerry, is above the law.
Sent from Tapatalk. Pete The Penguin likes this. 01-15-14 09:25 AM, Like 1
These are not really the same thing. To secure something is like putting a lock on it. Privacy is hiding it from view. If this phone is going to be focused on "privacy" then it had better not be able to access any social media sites or apps, have any type of GPS location services, or be able to be triangulated off of any cell towers. I have a device like this already; it's called a brick! m1kr0 likes this. 01-15-14 09:31 AM, Like 1
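The HTTPS interception described in the Kaspersky anecdote a few posts up (the product terminates the TLS connection, presents a certificate minted by its own local root, and the browser warns until that root is installed) is worth seeing as working code. The Go program below is an added example written for this page, not code from the thread or from any vendor. It builds two CAs and two certificates in memory (the hostname bank.example and the CA names are made up for the demonstration) and reports what a browser's chain validation concludes before and after the interceptor's root is added to the trust store. It goes one step beyond the post by also checking an SPKI pin, which still catches the swapped key once the warning has been silenced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical hostname for the demonstration; it is not taken from the thread.
const bankHost = "bank.example"

// template returns a CA template when isCA is set, otherwise a server-auth leaf for cn.
func template(cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with parent/parentKey; a nil parent yields a self-signed root.
// Failures here are programming errors in the demo itself, so they are fatal.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyLeaf is the browser's check: chain leaf to a root in the trust store, for host.
func verifyLeaf(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// spkiPin is base64(SHA-256(SubjectPublicKeyInfo)), the HPKP-style pin format.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// runScenario builds a genuine CA with the bank's real certificate and an interceptor CA
// with a forged certificate for the same hostname, then reports: the browser warning while
// the interceptor root is untrusted, its absence once that root is installed, and whether
// a client pinning the bank's SPKI still rejects the forged certificate.
func runScenario() (unknownAuthority, trustedAfterInstall, pinMismatch bool) {
	realCA, realKey := issue(template("Genuine Public CA (constructed)", true), nil, nil)
	realLeaf, _ := issue(template(bankHost, false), realCA, realKey)
	mitmCA, mitmKey := issue(template("Local Interceptor Root (constructed)", true), nil, nil)
	forged, _ := issue(template(bankHost, false), mitmCA, mitmKey)

	trusted := x509.NewCertPool()
	trusted.AddCert(realCA) // the trust store as shipped: genuine CA only
	var ua x509.UnknownAuthorityError
	unknownAuthority = errors.As(verifyLeaf(forged, bankHost, trusted), &ua)

	trusted.AddCert(mitmCA) // the interceptor installs its own root
	trustedAfterInstall = verifyLeaf(forged, bankHost, trusted) == nil

	pinMismatch = spkiPin(forged) != spkiPin(realLeaf) // keys differ, whatever the store says
	return
}

func main() {
	ua, ok, pin := runScenario()
	fmt.Printf("untrusted-root warning: %v, clean after root install: %v, pin mismatch: %v\n", ua, ok, pin)
}
```

The first check is the only point at which the user is asked anything, which is why a learned "Continue" habit is so damaging: once the interceptor's root is in the store (second check) the browser is silent, and only something that compares keys rather than trust-store membership, such as the pin in the third check, still tells the forged chain apart from the genuine one.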
johnnyuk: The security of the OS, and thus of your data stored on the phone, is however far stronger than that of iOS and particularly Android. In practical real-world terms you can't root or jailbreak a BB10 phone. To do so would need a lot of insider help from BlackBerry.
Posted via CB10 on Z30 STA100-2 / 10.2.0.1803 on O2 UK - Activated on BES10.2. Last edited by johnnyuk; 01-15-14 at 12:19 PM.
Sith_Apprentice and fanatical like this. 01-15-14 09:38 AM, Like 2
I have not performed any in-depth analysis of BES 10.
A few generic observations with regards to weak spots for a *remote* attack (BB10-only environment):
- During normal operation from an enrolled device. Hard to perform, as the BES 10 can only be reached over the network from the work partition, which in turn only executes native apps installed by the BES 10 admin. So either the BES admin would have to be the hacker, or some third-party software would have to be deployed and utilized. Finally, a device exploit could be found to give access to the work partition/connection to BES 10.
- At time of activation. Requires username and active activation password. A weakness in the activation process could exist.
- Remotely, using the SRP ID and a weakness in the dispatcher service. The attack would require a data connection from a device (computer) being provisioned on the BB network via a carrier. If you have enough knowledge, you could potentially be able to connect by emulating the BB10 protocol. On the BES 10 the dispatcher decrypts the content by (as far as I understand) looking at the PIN ID in the SRP header. If the ID is not found in the BlackBerry domain database, there is no encryption key available and the data are discarded. Potentially you could find an overflow bug in the dispatcher, but since the dispatcher has been in use since the early days, I do trust BlackBerry to have done their validation.
This list is just a few points from the top of my head, but I could add more if we talked about BES 5.
We also need to note that BDS (which is the "BlackBerry part of BES 10") is more or less BES 5 without the PIM synchronization engine, so all the reused parts have been tested over many years.
Compared to BES 5 the attack surface is much smaller, and there is no attachment service or messaging agent handling data at "application level".
From the LAN you have more chances, as you can communicate directly with the open TCP ports on the BES 10. This approach seems much more possible, and getting LAN access is often easier, as you have a huge attack surface (browser exploits, email attachments (PDF files anyone?), physical access etc.). It only requires direct access from the LAN to the BES 10 (no firewall). Unless the attacker has very special needs for information stored on the BES 10 (e.g. the current carrier of a specific user), there is really no reason to even try to hack BES 10 at this point. A Domain Controller or any data-hosting server is probably much more interesting.
"Right tools". Anything goes for me, as long as it is a tool being used from a distance. Getting direct access to Windows with administrative rights to install the tool is out of scope ;-) A LAN attack is also fine, but if Windows Server is the primary target (root/admin access), there is really not much BlackBerry can do about it.
I really don't like a statement like "anything can be hacked" because it *is* FUD. It is a good example of the "Uncertainty" part of FUD. You are not providing a single proof or even a single possible attack point. If you had written "BES 10 can potentially be hacked" I would have rested my case, but you are just putting up an argument with nothing to back it up.
There are always theoretical points of view, and if you take a BES 10 into a lab with full admin access and debugging tools running on the BES 10, you can probably "hack it" easily. But that's not how an enterprise runs BES 10. Unidentified User and johnnyuk like this. 01-15-14 10:17 AM, Like 2
Sith_Apprentice (Mod Team Emeritus), replying to the post above: For BDS security methods:
http://docs.blackberry.com/en/admin/...verview_en.pdf
For Secure Work Space (non FIPS validated):
http://docs.blackberry.com/en/admin/...ty_Note_en.pdf
for all BlackBerry related CVEs:
NIST Search
Of note, this one is related to BES10:
National Vulnerability Database (NVD): CVE-2013-3693
BB10 related:
National Vulnerability Database (NVD): CVE-2013-3692
Keep in mind these are all documented by NIST.
There are also others filed under Research in Motion (instead of BlackBerry). Both are listed here.
Research In Motion Limited : Products and vulnerabilities
Blackberry : Products and vulnerabilities. jpvj and Pete The Penguin like this. 01-15-14 10:39 AM, Like 2
Reply, quoting the two vendor vulnerability lists above. 01-15-14 11:23 AM, Like 0
Sith_Apprentice (Mod Team Emeritus): Not necessarily. Look at the vulnerability scores etc. as well. There were several highly critical vulnerabilities in BES 4.1 that took a while to fix, and part of the attachment service (the PDF portion) even had to be disabled until the fix was in place. The number of vulnerabilities does not necessarily mean anything. SEAWARRIOR and Superfly_FR like this. 01-15-14 11:27 AM, Like 2
Sith_Apprentice (Mod Team Emeritus): Also, I did not include any third-party vulnerabilities (think Adobe) in the searches. Adobe Flash Vulnerability Impacts Older BlackBerry 10 & PlayBook OS Builds - BerryReview
http://www.cvedetails.com/vendor/53/Adobe.html
While this is somewhat off topic to the OP, it is on topic to the security debate going on in the thread. jpvj likes this. 01-15-14 11:39 AM, Like 1
I have some questions.
The video at the Blackphone site claims, "Just about everything you do is private."
Pretty bold statement.
They also claim it "includes all available apps".
Seems to be a contradiction of the first quote. How can using Android apps be private when many of them demand some of your information in order to work?
Elsewhere I read that it will be "carrier independent" and "ahead of carriers" and "without any hooks to carriers or venders" and "unlocked and works with any GSM carrier". What do these mean exactly? What are the limitations of these claims? If there were not limitations and compromises, wouldn't all phone manufacturers offer them at least as options?
Also, can they guarantee that the phones cannot be penetrated during or after manufacture, as it has been reported that many iPhones have been?
As an aside, their video is pretty amateurish and doesn't inspire confidence. 01-15-14 12:34 PM, Like 0
From the Blackphone site:
"It has the features necessary to do all the things you need, as well as all the things you want, while maintaining your privacy and security and giving you the freedom to choose your carrier, your apps, and your location."
"The tools installed on Blackphone give you everything you need to take ownership of your mobile presence and digital footprints, and ensure nobody else can watch you without your knowledge."
"You can make and receive secure phone calls; exchange secure texts; exchange and store secure files; have secure video chat; browse privately; and anonymize your activity through a VPN." Superfly_FR likes this. 01-15-14 12:59 PM, Like 1
Will Blackphone be able to stop this:
Senior Tory MP reveals how 'spy in the pocket' phones track your every move 01-15-14 01:22 PM, Like 0