[Jerry A]

This is a hardware code problem. Has nothing to do with apps. Apps may be able to exploit the flaw, but that's a different discussion in a Priv thread.

Actually, the CVE says it's a bug in the driver and related code. Sounds like software to me.

[Tsepz_GP]

Over-priced? Maybe for some; particularly those with no appreciation for creative design and value added features. If BlackBerry hadn't invested the time and money to clean up Android and put diapers on it, I wouldn't have touched Priv or any other Android device. BlackBerry's enhancements to the Android experience make it useable. But just barely.

Now run along and be a good Android fanboy...

Posted via BlackBerry Priv STV100-1

They haven't done anything to improve Android, but if thats what helps you sleep at night, keep believing kid!

Ps. I can't be a fanboy, I switch between iOS and Android throughout the day sorry kid.

[Tsepz_GP]

This affects Snapdragon 800 (Xperia Z Ultra) all the way to 820 (S7).

The phones they list must be what they tested. So even Passport.

[conite]

They haven't done anything to improve Android, but if thats what helps you sleep at night, keep believing kid!

I will say that, for me, BlackBerry has made Android better.

I've always had Nexus devices around using various launchers and email clients, but I find the BlackBerry Launcher and HUB far better.

I also like how DTEK works handling permissions. It also makes me FEEL better knowing there is better resilience to a persistent root with the hardware root of trust and integrity detection.

That's just me, but I hope enough others will agree so we can keep BlackBerry devices around for a while.

[dpeters11]

This affects Snapdragon 800 (Xperia Z Ultra) all the way to 820 (S7).

The phones they list must be what they tested. So even Passport.

Not really. The issue is in the driver. Passport would use a different driver.

There is a significant difference.

[Tsepz_GP]

I will say that, for me, BlackBerry has made Android better.

I've always had Nexus devices around using various launchers and email clients, but I find the BlackBerry Launcher and HUB far better.

I also like how DTEK works handling permissions. It also makes me FEEL better knowing there is better resilience to a persistent root with the hardware root of trust and integrity detection.

That's just me, but I hope enough others will agree so we can keep BlackBerry devices around for a while.

Exactly, for you it has, for many of us, not so much, we got used to reading about malware that never actually makes it to the phones. I'm glad it has made you more comfortable with Android.

Not really. The issue is in the driver. Passport would use a different driver.

There is a significant difference.

I hope so, either way, no user will get into trouble here, unless they are looking for it.

[sorinv]

Regardless, for most users it means they have nothing to worry about.

There could be hardware code problems in Apple A-series SoCs, Samsung Exynos SoCs and Huawei Kirin SoCs, but the number of Snapdragon devices that exist by far outnumber all 3 put together, worth it to invest and find ways to exploit them and get money from people who don't know any better.

I definitely agree with what you wrote above.

[sorinv]

Actually, the CVE says it's a bug in the driver and related code. Sounds like software to me.

I wrote hardware code. Code means software but the software is specific and dedicated to that IC (hardware). Code can also be hardwired into the hardware. But that was not the case here.

[DenverRalphy]

I wrote hardware code. Code means software but the software is specific and dedicated to that IC (hardware). Code can also be hardwired into the hardware. But that was not the case here.

No, hardware does not have Hardwired code. Hardware only passes on input. It's nothing more than a sequence of logic switches. If you've indeed written "hardware code", then you'd know the difference between software, hardware, and firmware. What you're alluding to is firmware, which is actually software but in an isolated environment, which can be replaced. It's not Hardwired. Any modern chip can be reflashed without having to replace that chip.

[sorinv]

Not really. The issue is in the driver. Passport would use a different driver.

There is a significant difference.

It would be interesting if anybody checked those "prohibitively expensive" Passport drivers to see if they suffer from the same problem. If they were developed by Qualcomm and not by BlackBerry, they may very well suffer from the same flaws.

[conite]

It would be interesting if anybody checked those "prohibitively expensive" Passport drivers to see if they suffer from the same problem. If they were developed by Qualcomm and not by BlackBerry, they may very well suffer from the same flaws.

There's no one left who cares enough to check.

There never even was at its peak. Hence security through obscurity.

[sorinv]

No, hardware does not have Hardwired code. Hardware only passes on input. It's nothing more than a sequence of logic switches. If you've indeed written "hardware code", then you'd know the difference between software, hardware, and firmware. What you're alluding to is firmware, which is actually software but in an isolated environment, which can be replaced. It's not Hardwired. Any modern chip can be reflashed without having to replace that chip.

I agree. The BBC link did not talk about drivers. That information became available later, through posts by others.

However, you can hardwire code into IC's. This is done regularly with fuses. You burn them once and you cannot reverse the process through software. You can hardwire "1"s and "0". That's what code ultimately is.

In the 1980's people even hardwired the Spice simulator into a dedicated IC to make it run faster than in software.

It is true that pretty much every chip now has a digital interface through which it can be programmed. That makes even analog and RF chips vulnerable to software bugs, as seems to be the case here.

However, the statement that this proves that BlackBerry, Google, Samsung and others cannot secure through software ICs designed and fabricated by other vendors remains valid.

[conite]

However, the statement that this proves that BlackBerry, Google, Samsung and others cannot secure through software ICs designed and fabricated by other vendors remains valid.

Why would you inherently trust BlackBerry or Samsung any more than Qualcomm?

[sorinv]

Why would you inherently trust BlackBerry or Samsung any more than Qualcomm?

I wouldn't. The title of the thread is an engineering and philosophical topic. It's not about Android, it's not about apps, it's about the inability of a software company to guarantee the integrity of the hardware it runs on if all or some of the details of the hardware design are kept away from it.

[conite]

I wouldn't. The title of the thread is an engineering and philosophical topic. It's not about Android, it's not about apps, it's about the inability of a software company to guarantee the integrity of the hardware it runs on if all or some of the details of the hardware design are kept away from it.

Well, if you don't trust any of the various players anyway, the topic is moot. Or, at the very least, the distinction is irrelevant.

[DenverRalphy]

However, the statement that this proves that BlackBerry, Google, Samsung and others cannot secure through software ICs designed and fabricated by other vendors remains valid.

Not really. Any OEM can reflash the chips, even if the device is already in the hands of the end user. Many updates sometimes reflash. Especially in the case of updating camera functionality.

OEMs are not strictly limited to what the chip makers dictate. In fact, they don't even have to use the drivers provided by the chip makers (though doing so makes their lives a lot easier).

Samsung is notorious for reflashing their own custom updates. Which is often why various 3rd party camera apps don't work as well as they do on other Android devices. Case in point, if you install and use the stock Android camera app, the digital zoom severely degrades picture quality, whereas if you digital zoom with the Samsung camera, it correctly accounts for it and optimizes the picture so that quality isn't degraded as much.

Which peeves me because I prefer the stock Android Camera over the Samsung camera on my Note 5. But the moment I realize that I have to zoom, I have to switch to the Samsung camera. Whereas on my Nexus device, the Google Camera is superior.

[sorinv]

Well, if you don't trust any of the various players anyway, the topic is moot. Or, at the very least, the distinction is irrelevant.

I used to trust BlackBerry more than Qualcomm and Samsung before Chen joined.

I didn't trust Apple under Jobs. I am beginning to trust Tim Cook, but I have no indication that his desire for privacy and security is matched by the competence of his crew to deliver them.
I still feel safer surfing on my passport or Linux than on my macBook. I can easily tell that from the kind of response I get from the same website...

Ultimately, a company's values depend a lot and can change with the values of the Board and CEO.

[sorinv]

Not really. Any OEM can reflash the chips, even if the device is already in the hands of the end user. Many updates sometimes reflash. Especially in the case of updating camera functionality.

OEMs are not strictly limited to what the chip makers dictate. In fact, they don't even have to use the drivers provided by the chip makers (though doing so makes their lives a lot easier).

Samsung is notorious for reflashing their own custom updates. Which is often why various 3rd party camera apps don't work as well as they do on other Android devices. Case in point, if you install and use the stock Android camera app, the digital zoom severely degrades picture quality, whereas if you digital zoom with the Samsung camera, it correctly accounts for it and optimizes the picture so that quality isn't degraded as much.

Sure, but there are parts of the IC that a customer may have no clue about.
This is very common in the instrumentation, fiberoptics and RF industry.
As an IC designer, I can disable some functionality of my chip from some of my customers because that particular feature is exclusive to a specific customer. It happens all the time.

[conite]

I used to trust BlackBerry more than Qualcomm and Samsung before Chen joined.

I didn't trust Apple under Jobs. I am beginning to trust Tim Cook, but I have no indication that his desire for privacy and security is matched by the competence of his crew to deliver them.
I still feel safer surfing on my passport or Linux than on my macBook. I can easily tell that from the kind of response I get from the same website...

Ultimately, a company's values depend a lot and can change with the values of the Board and CEO.

So you base your buying decisions (which are usually two year commitments) based on current staffing choices of the various manufacturers and gut feelings?

[sorinv]

No. I use mostly Linux and don't change my PCs/laptops more frequently than 4 years. So far I have used bb10, but I have no idea what phone I'll buy next. For now, I purchased a second Passport to last me until the picture becomes clearer. There is no rush to buy a new phone.

Moore's law, the cellphone and semiconductor IC markets are saturated. There are no new dramatic developments that introduce new, must have, functionality, so people no longer miss much by not upgrading every year. I actually upgraded my cellphones three times between February 2013 and September 2014. Not since.

It is not uncommon for successful high tech companies to keep the same CEO (usually the founder) for a very long time. So you don't really have to change your buying pattern that often if the ethical values of the company are a concern. They aren't always, but for cellphones these days, they must be. Cellphones know too much about their user.

[anon(9742832)]

No. I use mostly Linux and don't change my PCs/laptops more frequently than 4 years. So far I have used bb10, but I have no idea what phone I'll buy next. For now, I purchased a second Passport to last me until the picture becomes clearer. There is no rush to buy a new phone.

Moore's law, the cellphone and semiconductor IC markets are saturated. There are no new dramatic developments that introduce new, must have, functionality, so people no longer miss much by not upgrading every year. I actually upgraded my cellphones three times between February 2013 and September 2014. Not since.

It is not uncommon for successful high tech companies to keep the same CEO (usually the founder) for a very long time. So you don't really have to change your buying pattern that often if the ethical values of the company are a concern. They aren't always, but for cellphones these days, they must be. Cellphones know too much about their user.

You nailed it, people have been lulled into thinking its OK to give up privacy. Just look at Facebook, people will scream about the CIA and NSA, but will post their entire lives on Facebook. So in the end its not the phone that's the problem but the owner.

[anon(9607753)]

Ps. I can't be a fanboy, I switch between iOS and Android throughout the day sorry kid.

Impressive. Lol.

Posted via BlackBerry Priv STV100-1

[anon(9742832)]

Impressive. Lol.

Posted via BlackBerry Priv STV100-1

shocking!!....Kid...LOL

[dpeters11]

It would be interesting if anybody checked those "prohibitively expensive" Passport drivers to see if they suffer from the same problem. If they were developed by Qualcomm and not by BlackBerry, they may very well suffer from the same flaws.

Thing is though, it's not just the drivers, is it? It's the drivers and the interaction with the OS. These vulnerabilities give root access to the Android OS. I'm not saying it's impossible, but it would need to be different malicious code.

[Premium1]

Android bug fear in 900 million phones - BBC News

I have been posing that question here for over two years.
Again this proves that without controlling hardware, including designing your own integrated circuits and not buying them from others, a company like BlackBerry cannot claim security.
It's interesting that Samsung with Equinox processor (and Apple) are not on the list because they do not use the Qualcomm chip. They have their own.

This also goes back to the security (lack thereof) of a phone designed and assembled in China whose hardware integrity one might fully control.

Seems unless you side load apps you should be alright. With that being said, Qualcomm has really dropped the ball the past few years with their chips and now the security issues. Would love if Blackberry used the Exynos chips in their device rather than the Qualcomm chips. Here is the article from android central Google confirms 'Verify Apps' can block apps using QuadRooter vulnerabilities | Android Central