[Pete The Penguin]

You are quite welcome

Would it be worth the time and effort to set up a personal BES10 server for myself and housemates?

Your advice would be appreciated.

[Sith_Apprentice]

Would it be worth the time and effort to set up a personal BES10 server for myself and housemates?

Your advice would be appreciated.

You would need BES10, then for email you would need your own Email server, domain, etc. There is a significant cost to something like this. But yes, if you are that concerned, you can definitely try it. This would protect communications (data only) between you and your housemates. You can also purchase BlackBerry Mobile Voice, and an ip based phone system to use VoIP from your BB10 devices to communicate NOT over the carrier network.

[Uzi]

You would need BES10, then for email you would need your own Email server, domain, etc. There is a significant cost to something like this. But yes, if you are that concerned, you can definitely try it. This would protect communications (data only) between you and your housemates. You can also purchase BlackBerry Mobile Voice, and an ip based phone system to use VoIP from your BB10 devices to communicate NOT over the carrier network.

wow it must be cost a lot of money

Posted via CB10

[Pete The Penguin]

You would need BES10, then for email you would need your own Email server, domain, etc. There is a significant cost to something like this. But yes, if you are that concerned, you can definitely try it. This would protect communications (data only) between you and your housemates. You can also purchase BlackBerry Mobile Voice, and an ip based phone system to use VoIP from your BB10 devices to communicate NOT over the carrier network.

For me, it makes more sense to route my internet through a double VPN and tunnel it through TOR (not easy on a Q10).

[lynxs_claw]

Yah.. I guess anyone can make claims out there when you don't have the phone on the marketing. Once it's on the market, it could be a very different story..

I'm sure Android and iOS thought they were unhackable.. at least for a period of time until someone hacked them.. Say whaat?

[jpvj]

Nope.
Even BES/BES10 isn't unhackable.

Sounds like you have seen it happen - or are you just saying "Everything can be hacked"?
Can you document just one (1) single *proof* of BES or BES 10 being compromised?
Feel free to choose production or lab environments, but the software has to be patched with latest SP, MR and hotfix from BlackBerry at the time of the attack. It would be too easy to choose a old version and utilize a veaknes that was fix released in a later hotfix :-)

Hint: Don't post the image from Heise.de - it shows a BIS email.

From working with BlackBerry in the Enterprise since version 4.0/4.1 and all the way up to BES 10 i know BlackBerry has patched some vulnerabilities (especially in BES 5 regarding the attachment service and PDF files). Even though I have not been able to locate a single instance of a compromized BES server. BlackBerry has (at least beginning of the year) about 120 people employed to look only at security (analysis, design and code review, hacking etc.) so they are not just talking about security - it is a very important focus area for them.

BES 10 is even harder, as it only works as a VPN tunnel to the LAN + MDM, so it does not have to handle any email synchronization, content compression or conversion (esp. attachment service).

[danielrivers]

I have seen some hosted BES solutions I have been interested in setting up, willing to pay a reasonable price for them for security. Disappointed when can't use balance without BES

[Sith_Apprentice]

Sounds like you have seen it happen - or are you just saying "Everything can be hacked"?
Can you document just one (1) single *proof* of BES or BES 10 being compromised?
Feel free to choose production or lab environments, but the software has to be patched with latest SP, MR and hotfix from BlackBerry at the time of the attack. It would be too easy to choose a old version and utilize a veaknes that was fix released in a later hotfix :-)

Hint: Don't post the image from Heise.de - it shows a BIS email.

From working with BlackBerry in the Enterprise since version 4.0/4.1 and all the way up to BES 10 i know BlackBerry has patched some vulnerabilities (especially in BES 5 regarding the attachment service and PDF files). Even though I have not been able to locate a single instance of a compromized BES server. BlackBerry has (at least beginning of the year) about 120 people employed to look only at security (analysis, design and code review, hacking etc.) so they are not just talking about security - it is a very important focus area for them.

BES 10 is even harder, as it only works as a VPN tunnel to the LAN + MDM, so it does not have to handle any email synchronization, content compression or conversion (esp. attachment service).

There HAVE been vulnerabilities in BES and BES10 that have been patched. This means someone identified it as a weak spot (to varying degrees). May not have been a live exploit, or it could have been (I have neither the time nor inclination to see), but the fact that it COULD have been proves it isnt unhackable.

Also UDS needs to be considered, it, at current, does not even have FIPS validation for the crypto kernel. That is as much a part of BES 10 as BDS is.

But we digress.

[Sith_Apprentice]

wow it must be cost a lot of money

Posted via CB10

Yes, it can cost quite a bit. remember, this is an enterprise level solution

[Pete The Penguin]

Sounds like you have seen it happen - or are you just saying "Everything can be hacked"?
Can you document just one (1) single *proof* of BES or BES 10 being compromised?
Feel free to choose production or lab environments, but the software has to be patched with latest SP, MR and hotfix from BlackBerry at the time of the attack. It would be too easy to choose a old version and utilize a veaknes that was fix released in a later hotfix :-)

Hint: Don't post the image from Heise.de - it shows a BIS email.

From working with BlackBerry in the Enterprise since version 4.0/4.1 and all the way up to BES 10 i know BlackBerry has patched some vulnerabilities (especially in BES 5 regarding the attachment service and PDF files). Even though I have not been able to locate a single instance of a compromized BES server. BlackBerry has (at least beginning of the year) about 120 people employed to look only at security (analysis, design and code review, hacking etc.) so they are not just talking about security - it is a very important focus area for them.

BES 10 is even harder, as it only works as a VPN tunnel to the LAN + MDM, so it does not have to handle any email synchronization, content compression or conversion (esp. attachment service).

Exactly, there have been vulnerabilities in BES and BES10 that have been patched. This means someone identified a weak spot.
Might not have been a live exploit but the fact that it could have been proves it's not unhackable.
That's why I'm interested in how secure BES10 is.

To say something can't ever be hacked is plain wrong. With time and the right tools, anything is possible.

[jpvj]

Yah.. I guess anyone can make claims out there when you don't have the phone on the marketing. Once it's on the market, it could be a very different story..

I'm sure Android and iOS thought they were unhackable.. at least for a period of time until someone hacked them.. Say whaat?

What exactly are you meaning when using the term "hacking"?
I could mean both “getting root access” or “getting access to data” (or both).

I have attended several meetings and phone conferences with a security analyser from BlackBerry. At one time 2 or 3 years ago he claimed: “iPhones are hacked (rooted) because Apple do not allow people to run whatever software they like on them. You can run any app on a BlackBerry and the need for rooting a BlackBerry device is not interesting”.

As far as I know there has been only on instance of a BlackBerry handheld being compromised. It was back in 2011 when the Torch was released with with Webkit browser engine to give a better browser experience. It was a security researcher finding the exploit and he did a great job getting further into the OS (black box hacking). BlackBerry released a fix withing 24 hours, but it took many, many month until the last carrier had accepted the update. If Apple found an Exploit this would be available to the users immediately. So in this matter Apple is actually in a MUCH better position to get the updates out.
BB 10 had (as far as I understand) a root exploit in the beta releases, but it was reported and fixed in due time.

BlackBerry has always given the user the control over application permissions. This is fine, but only if used with the proper knowledge, and in general, most “average Joe” people do not understand what permissions mean or the consequences of just clicking "allow".

Just one example (from PC/Windows): My own mom used (some years ago) Kaspersky Antivirus on her Windows PC. Kaspersky is trying to be very secure and also inspects HTTPS (encrypted HTTP traffic). In order to do so, it intercepts the SSL connection and presents the browser with a self-issued SSL certificate, so the connection is actually now from Browser <-> Kaspersky AV <-> Web site. Technically this is a man in the middle attack. At the time Kaspersky did not install a Root CA in the “Trusted Root Certificate” store in Windows, so the browser detected something was wrong (certificate was not trusted) and my mom just learned to press “Continue” whenever she got an SSL warning. “If I don’t I cannot access my bank” (!).

So what does this mean? Average Joe needs a vendor taking care of security for him and it should be implemented transparently, so he never has to thing about security or take any security related decisions.

Apple IMHO has been doing a great job of providing a good balance of simplicity and security: There is only one a single way to get apps on the device: AppStore. Apple controls the AppStore and is able to do a remote “kill/remove” on iPhons of any malicious app they discover post installation.
BlackBerry knows a lot about security, but has not succeeded in making the most user-friendly devices. BB 10 is a huge step in the right direction. Security wise BlackBerry have a problem getting OS fixes deployed fast, because any security fix has to be approved by each individual carrier before release. This is a BIG problem, but at this point in time BlackBerry is no way near being able to bypass the carriers. Anyone still on 10.1? 

Just my 2 cents++

[Poirots Progeny]

I would LOVE to use pgp and OPENVPN on my blackberry - been bleating on about it on the bb dev forums for AGES!

I buy bb for the security and reliability it brings TO THE DEVICE - im not on BES.

That said, if someone wants to bring something to the table that is really secure - well great.

And this may run on android but it will be forked, not google's implementation ( think amazon kindle fire et al). I have had institutions consult me that use their own roms on top of gs4s - no google play or apps or anything. Locked down. I imagine this phone will be something like that.

Either way i say the more the merrier - though i cant believe any government would grant a use license without talking to them first.

No one, not even blackberry, is above the law.

Sent from Tapatalk

[wuulfy]

What colours are available???
Does it have Angry Birds???

[Zathis]

These are not really the same thing. To secure something is like putting a lock on it. Privacy is hiding it from view. If this phone is going to be focused on "privacy" then it better not be able to access any social media sites or apps, Have any type of GPS location services, or be able to be triangulated off of any cell towers. I have a device like this already, it's called a brick!

[johnnyuk]

I know this has probably been debated before, so I apologize in advance. But if you are not on BES or even BIS (No BIS on BB10 from what I understand) are BlackBerry phones still more secure than other smartphones out there?

Posted via CB10

Without BES the communication of data to/from a BB10 phone is no more secure than other smartphones, except for BBM traffic which is more secure than competitor's IM systems.

The security of the OS, and thus your data, stored on the phone however is far more secure than that of iOS and particularly Android. In practical real world terms you can't root or jailbreak a BB10 phone. To do so would need a lot of insider help from BlackBerry.

Posted via CB10 on Z30 STA100-2 / 10.2.0.1803 on O2 UK - Activated on BES10.2

[jpvj]

Exactly, there have been vulnerabilities in BES and BES10 that have been patched. This means someone identified a weak spot.
Might not have been a live exploit but the fact that it could have been proves it's not unhackable.

A weak spot does not nescessarily mean it can be hacked (=getting some kind of access). It just means the code has a flaw, that makes it behave in an unwanted way. A denial of service could just as well be the outcome. So it does not "prove" it is hackable - it just shows a weakness. A "prove" is a working exploit - nothing less.

That's why I'm interested in how secure BES10 is.

I have not performed any in depth analysis of BES 10.
A few generic observation with regards to weak spots for a *remote* attack (BB10 only environment);

• During normal operation from an enrolled device. Hard to perform, as the BES 10 can only be reached over the network from the work partition, which again only execute native apps installed by the BES 10 admin. So either the BES admin should be the hacker or some 3. part software should be deployed and utitlized. Finally a device exploit could be found to give access to the work partition/connection to BES 10.
  
• At time of activation. Requires username and active activation password. A weakness in the activation process could exist.
  
• Remote using the SRP ID and a weakness in the dispatcher service. The attack would require a data connection from a device (computer) being provisioned on the BB network via a carrier. If you have enough knowledge, you could potentially be able to connect by emulating the BB10 protocol. On the BES 10 the dispatcher decrypts the content by (as far as I understand) looking at the PIN ID in the SRP header. If the ID is not found in the BlackBerry domain database, there is not encryption key available and data are discarded. Potentially you could find an overflow bug in the dispacther, but since the dispatcher has been in use since the early days, I do trust BlackBerry to have done their validation.

This list is just a few points from the top of my head, but I could add more if we talked about BES 5.

We also need to notice that BDS (which is the "BlackBerry part of BES 10") is more or less BES 5 without the PIM syncronization engine, so all the reused parts have been tested over many years.

Compared to BES 5 the attack surface is much smaller and there is no attachment service or messaging agent handling data at "application level".

From the LAN you can have more chances as you can communicate directly with the open TCP ports on the BES 10. This approach seems much more possible, and getting LAN access is often easier as you have a huge attack surface (browsers exploits, email attachments (PDF files anyone?), physical access etc. If only requires direct acces from LAN to BES 10 (no firewall). Unless the attacker has very special needs for informations stored on the BES 10 (e.g. current carrier of a specific user) there is really no reason to even try to hack BES 10 at this point. A Domain Controller or any data hosting server is probably much more interesting.

To say something can't ever be hacked is plain wrong. With time and the right tools, anything is possible.

Let's use the term "Within reasonable time" and keep that definition to 5 or maybe even 10 years. It all comes down to the data being protected, but 10.000 years from now does not really matter to anyone.

"Right tools". Anything goes for me, as long as it is a tool being used from a distance. Getting direct access to Windows with Administrative rights to install the tool is out of scope ;-) A LAN attack is also fine, but if Windows Server is the primary target (root/admin access), there is really not much BlackBerry can do about it.

I really don't like a statement like "anything can be hacked" because it *is* FUD. It is a good example of the "Uncertainty" part of FUD. You are not providing a single proof or even a single, possible attack point. If you had written "BES 10 can potentially be hacked" I would have rested my case, but you are just putting an argument up with nothing to back it up.

There are always theorectial points of view, and if taking a BES 10 into a lab and having full admin access and debugging tools running the BES 10, you can probably easy "hack it". But that's not how an enterprise runs BES 10.

[Sith_Apprentice]

For BDS Security methods:
http://docs.blackberry.com/en/admin/...verview_en.pdf

For Secure Work Space (non FIPS validated):
http://docs.blackberry.com/en/admin/...ty_Note_en.pdf

for all BlackBerry related CVEs:
NIST Search

Of note, this are related to BES10:
National Vulnerability Database (NVD) National Vulnerability Database (CVE-2013-3693)



BB10 related:
National Vulnerability Database (NVD) National Vulnerability Database (CVE-2013-3692)


Keep in mind these are all documented by NIST.

There are also others filed under Research in Motion (instead of BlackBerry). Both are listed here.

Research In Motion Limited : Products and vulnerabilities
Blackberry : Products and vulnerabilities

[petalmasher]

My only question is this:
Will they make it in tin foil color to match my hat?

[SEAWARRIOR]

There are also others filed under Research in Motion (instead of BlackBerry). Both are listed here.

Research In Motion Limited : Products and vulnerabilities
Blackberry : Products and vulnerabilities

interesting,,, the largest amount of vulnerabilities exist in 2013, =BBOS>BB10???

[Sith_Apprentice]

interesting,,, the largest amount of vulnerabilities exist in 2013, =BBOS>BB10???

Not necessarily. Look at the vulnerability scores etc as well. There were several highly critical vulnerabilities in BES 4.1 that took a while to fix, and even had to disable part of the attachment service (PDF portion) until the fix was in place. Number of vulerabilities does not necessarily mean anything.

[nelsonpml]

Funny thing is when I try to open the blackphone website on the browser of my Z10 I get the message below :



Posted via CB10

[Sith_Apprentice]

Also, I did not include any third party vulerabilities (think Adobe) in the searches. Adobe Flash Vulnerability Impacts Older BlackBerry 10 & PlayBook OS Builds - BerryReview

http://www.cvedetails.com/vendor/53/Adobe.html


While this is somewhat off topic to the OP, it is on topic to the security debate going on in the thread.

[Axacta]

I have some questions.

The video at the Blackphone site claims, "Just about everything you do is private."

Pretty bold statement.

They also claim it "includes all available apps".

Seems to be a contradiction of the first quote. How can using Android apps be private when many of them demand some of your information in order to work?

Elsewhere I read that it will be "carrier independent" and "ahead of carriers" and "without any hooks to carriers or venders" and "unlocked and works with any GSM carrier". What do these mean exactly? What are the limitations of these claims? If there were not limitations and compromises, wouldn't all phone manufacturers offer them at least as options?

Also, can they guarantee that the phones cannot be penetrated during or post manufacture, as has been reported that many iPhones have been?

As an aside, their video is pretty amateurish, and doesn't inspire confidence.

[Axacta]

From the Blackphone site:

"It has the features necessary to do all the things you need, as well as all the things you want, while maintaining your privacy and security and giving you the freedom to choose your carrier, your apps, and your location."

Sounds like weasel words to me, considering the quotes I presented in my last post. More from the site:

"The tools installed on Blackphone give you everything you need to take ownership of your mobile presence and digital footprints, and ensure nobody else can watch you without your knowledge."

Again, there must be caveats to this, since they claim all apps can be used, and many apps are not secure, and even worse, many apps demand your information. More from the site:

"You can make and receive secure phone calls; exchange secure texts; exchange and store secure files; have secure video chat; browse privately; and anonymize your activity through a VPN."

Secure communication is already available to at least some extent on all phones as options. What makes this statement exceptional? Any manufacturer could make this statement if the user is willing to do the work to implement the measures needed. But how secure? For instance, it is now known that even TOR does not guarantee anonymous browsing or communication.

[Axacta]

Will Blackphone be able to stop this:

Senior Tory MP reveals how 'spy in the pocket' phones track your every move