08-09-16 08:36 PM
225 ... 789
tools
  1. Jerry A's Avatar
    This is a hardware code problem. Has nothing to do with apps. Apps may be able to exploit the flaw, but that's a different discussion in a Priv thread.
    Actually, the CVE says it's a bug in the driver and related code. Sounds like software to me.

    08-09-16 11:02 AM
  2. Tsepz_GP's Avatar
    Over-priced? Maybe for some; particularly those with no appreciation for creative design and value added features. If BlackBerry hadn't invested the time and money to clean up Android and put diapers on it, I wouldn't have touched Priv or any other Android device. BlackBerry's enhancements to the Android experience make it useable. But just barely.

    Now run along and be a good Android fanboy...

    Posted via BlackBerry Priv STV100-1
    They haven't done anything to improve Android, but if thats what helps you sleep at night, keep believing kid!

    Ps. I can't be a fanboy, I switch between iOS and Android throughout the day sorry kid.
    Last edited by Tsepz_GP; 08-09-16 at 01:14 PM.
    08-09-16 12:09 PM
  3. Tsepz_GP's Avatar
    This affects Snapdragon 800 (Xperia Z Ultra) all the way to 820 (S7).

    The phones they list must be what they tested. So even Passport.
    08-09-16 12:14 PM
  4. conite's Avatar
    They haven't done anything to improve Android, but if thats what helps you sleep at night, keep believing kid!
    I will say that, for me, BlackBerry has made Android better.

    I've always had Nexus devices around using various launchers and email clients, but I find the BlackBerry Launcher and HUB far better.

    I also like how DTEK works handling permissions. It also makes me FEEL better knowing there is better resilience to a persistent root with the hardware root of trust and integrity detection.

    That's just me, but I hope enough others will agree so we can keep BlackBerry devices around for a while.
    08-09-16 12:19 PM
  5. dpeters11's Avatar
    This affects Snapdragon 800 (Xperia Z Ultra) all the way to 820 (S7).

    The phones they list must be what they tested. So even Passport.
    Not really. The issue is in the driver. Passport would use a different driver.

    There is a significant difference.
    08-09-16 12:20 PM
  6. Tsepz_GP's Avatar
    I will say that, for me, BlackBerry has made Android better.

    I've always had Nexus devices around using various launchers and email clients, but I find the BlackBerry Launcher and HUB far better.

    I also like how DTEK works handling permissions. It also makes me FEEL better knowing there is better resilience to a persistent root with the hardware root of trust and integrity detection.

    That's just me, but I hope enough others will agree so we can keep BlackBerry devices around for a while.
    Exactly, for you it has, for many of us, not so much, we got used to reading about malware that never actually makes it to the phones. I'm glad it has made you more comfortable with Android.
    Not really. The issue is in the driver. Passport would use a different driver.

    There is a significant difference.
    I hope so, either way, no user will get into trouble here, unless they are looking for it.
    08-09-16 12:25 PM
  7. sorinv's Avatar
    Regardless, for most users it means they have nothing to worry about.

    There could be hardware code problems in Apple A-series SoCs, Samsung Exynos SoCs and Huawei Kirin SoCs, but the number of Snapdragon devices that exist by far outnumber all 3 put together, worth it to invest and find ways to exploit them and get money from people who don't know any better.
    I definitely agree with what you wrote above.
    08-09-16 02:03 PM
  8. sorinv's Avatar
    Actually, the CVE says it's a bug in the driver and related code. Sounds like software to me.

    I wrote hardware code. Code means software but the software is specific and dedicated to that IC (hardware). Code can also be hardwired into the hardware. But that was not the case here.
    Mecca EL likes this.
    08-09-16 02:07 PM
  9. DenverRalphy's Avatar
    I wrote hardware code. Code means software but the software is specific and dedicated to that IC (hardware). Code can also be hardwired into the hardware. But that was not the case here.
    No, hardware does not have Hardwired code. Hardware only passes on input. It's nothing more than a sequence of logic switches. If you've indeed written "hardware code", then you'd know the difference between software, hardware, and firmware. What you're alluding to is firmware, which is actually software but in an isolated environment, which can be replaced. It's not Hardwired. Any modern chip can be reflashed without having to replace that chip.
    Bluenoser63 likes this.
    08-09-16 02:26 PM
  10. sorinv's Avatar
    Not really. The issue is in the driver. Passport would use a different driver.

    There is a significant difference.
    It would be interesting if anybody checked those "prohibitively expensive" Passport drivers to see if they suffer from the same problem. If they were developed by Qualcomm and not by BlackBerry, they may very well suffer from the same flaws.
    08-09-16 02:28 PM
  11. conite's Avatar
    It would be interesting if anybody checked those "prohibitively expensive" Passport drivers to see if they suffer from the same problem. If they were developed by Qualcomm and not by BlackBerry, they may very well suffer from the same flaws.
    There's no one left who cares enough to check.

    There never even was at its peak. Hence security through obscurity.
    Jerry A likes this.
    08-09-16 02:30 PM
  12. sorinv's Avatar
    No, hardware does not have Hardwired code. Hardware only passes on input. It's nothing more than a sequence of logic switches. If you've indeed written "hardware code", then you'd know the difference between software, hardware, and firmware. What you're alluding to is firmware, which is actually software but in an isolated environment, which can be replaced. It's not Hardwired. Any modern chip can be reflashed without having to replace that chip.
    I agree. The BBC link did not talk about drivers. That information became available later, through posts by others.

    However, you can hardwire code into IC's. This is done regularly with fuses. You burn them once and you cannot reverse the process through software. You can hardwire "1"s and "0". That's what code ultimately is.

    In the 1980's people even hardwired the Spice simulator into a dedicated IC to make it run faster than in software.

    It is true that pretty much every chip now has a digital interface through which it can be programmed. That makes even analog and RF chips vulnerable to software bugs, as seems to be the case here.

    However, the statement that this proves that BlackBerry, Google, Samsung and others cannot secure through software ICs designed and fabricated by other vendors remains valid.
    Last edited by sorinv; 08-09-16 at 03:08 PM.
    08-09-16 02:53 PM
  13. conite's Avatar
    However, the statement that this proves that BlackBerry, Google, Samsung and others cannot secure through software ICs designed and fabricated by other vendors remains valid.
    Why would you inherently trust BlackBerry or Samsung any more than Qualcomm?
    08-09-16 03:01 PM
  14. sorinv's Avatar
    Why would you inherently trust BlackBerry or Samsung any more than Qualcomm?
    I wouldn't. The title of the thread is an engineering and philosophical topic. It's not about Android, it's not about apps, it's about the inability of a software company to guarantee the integrity of the hardware it runs on if all or some of the details of the hardware design are kept away from it.
    08-09-16 03:05 PM
  15. conite's Avatar
    I wouldn't. The title of the thread is an engineering and philosophical topic. It's not about Android, it's not about apps, it's about the inability of a software company to guarantee the integrity of the hardware it runs on if all or some of the details of the hardware design are kept away from it.
    Well, if you don't trust any of the various players anyway, the topic is moot. Or, at the very least, the distinction is irrelevant.
    08-09-16 03:08 PM
  16. DenverRalphy's Avatar
    However, the statement that this proves that BlackBerry, Google, Samsung and others cannot secure through software ICs designed and fabricated by other vendors remains valid.
    Not really. Any OEM can reflash the chips, even if the device is already in the hands of the end user. Many updates sometimes reflash. Especially in the case of updating camera functionality.

    OEMs are not strictly limited to what the chip makers dictate. In fact, they don't even have to use the drivers provided by the chip makers (though doing so makes their lives a lot easier).

    Samsung is notorious for reflashing their own custom updates. Which is often why various 3rd party camera apps don't work as well as they do on other Android devices. Case in point, if you install and use the stock Android camera app, the digital zoom severely degrades picture quality, whereas if you digital zoom with the Samsung camera, it correctly accounts for it and optimizes the picture so that quality isn't degraded as much.

    Which peeves me because I prefer the stock Android Camera over the Samsung camera on my Note 5. But the moment I realize that I have to zoom, I have to switch to the Samsung camera. Whereas on my Nexus device, the Google Camera is superior.
    08-09-16 03:09 PM
  17. sorinv's Avatar
    Well, if you don't trust any of the various players anyway, the topic is moot. Or, at the very least, the distinction is irrelevant.
    I used to trust BlackBerry more than Qualcomm and Samsung before Chen joined.

    I didn't trust Apple under Jobs. I am beginning to trust Tim Cook, but I have no indication that his desire for privacy and security is matched by the competence of his crew to deliver them.
    I still feel safer surfing on my passport or Linux than on my macBook. I can easily tell that from the kind of response I get from the same website...

    Ultimately, a company's values depend a lot and can change with the values of the Board and CEO.
    08-09-16 03:13 PM
  18. sorinv's Avatar
    Not really. Any OEM can reflash the chips, even if the device is already in the hands of the end user. Many updates sometimes reflash. Especially in the case of updating camera functionality.

    OEMs are not strictly limited to what the chip makers dictate. In fact, they don't even have to use the drivers provided by the chip makers (though doing so makes their lives a lot easier).

    Samsung is notorious for reflashing their own custom updates. Which is often why various 3rd party camera apps don't work as well as they do on other Android devices. Case in point, if you install and use the stock Android camera app, the digital zoom severely degrades picture quality, whereas if you digital zoom with the Samsung camera, it correctly accounts for it and optimizes the picture so that quality isn't degraded as much.
    Sure, but there are parts of the IC that a customer may have no clue about.
    This is very common in the instrumentation, fiberoptics and RF industry.
    As an IC designer, I can disable some functionality of my chip from some of my customers because that particular feature is exclusive to a specific customer. It happens all the time.
    08-09-16 03:17 PM
  19. conite's Avatar
    I used to trust BlackBerry more than Qualcomm and Samsung before Chen joined.

    I didn't trust Apple under Jobs. I am beginning to trust Tim Cook, but I have no indication that his desire for privacy and security is matched by the competence of his crew to deliver them.
    I still feel safer surfing on my passport or Linux than on my macBook. I can easily tell that from the kind of response I get from the same website...

    Ultimately, a company's values depend a lot and can change with the values of the Board and CEO.
    So you base your buying decisions (which are usually two year commitments) based on current staffing choices of the various manufacturers and gut feelings?
    08-09-16 03:23 PM
  20. sorinv's Avatar
    No. I use mostly Linux and don't change my PCs/laptops more frequently than 4 years. So far I have used bb10, but I have no idea what phone I'll buy next. For now, I purchased a second Passport to last me until the picture becomes clearer. There is no rush to buy a new phone.

    Moore's law, the cellphone and semiconductor IC markets are saturated. There are no new dramatic developments that introduce new, must have, functionality, so people no longer miss much by not upgrading every year. I actually upgraded my cellphones three times between February 2013 and September 2014. Not since.

    It is not uncommon for successful high tech companies to keep the same CEO (usually the founder) for a very long time. So you don't really have to change your buying pattern that often if the ethical values of the company are a concern. They aren't always, but for cellphones these days, they must be. Cellphones know too much about their user.
    08-09-16 03:43 PM
  21. anon(9742832)'s Avatar
    No. I use mostly Linux and don't change my PCs/laptops more frequently than 4 years. So far I have used bb10, but I have no idea what phone I'll buy next. For now, I purchased a second Passport to last me until the picture becomes clearer. There is no rush to buy a new phone.

    Moore's law, the cellphone and semiconductor IC markets are saturated. There are no new dramatic developments that introduce new, must have, functionality, so people no longer miss much by not upgrading every year. I actually upgraded my cellphones three times between February 2013 and September 2014. Not since.

    It is not uncommon for successful high tech companies to keep the same CEO (usually the founder) for a very long time. So you don't really have to change your buying pattern that often if the ethical values of the company are a concern. They aren't always, but for cellphones these days, they must be. Cellphones know too much about their user.
    You nailed it, people have been lulled into thinking its OK to give up privacy. Just look at Facebook, people will scream about the CIA and NSA, but will post their entire lives on Facebook. So in the end its not the phone that's the problem but the owner.
    IndianTiwari likes this.
    08-09-16 07:46 PM
  22. anon(9607753)'s Avatar
    Ps. I can't be a fanboy, I switch between iOS and Android throughout the day sorry kid.
    Impressive. Lol.

    Posted via BlackBerry Priv STV100-1
    08-09-16 07:53 PM
  23. anon(9742832)'s Avatar
    Impressive. Lol.

    Posted via BlackBerry Priv STV100-1
    shocking!!....Kid...LOL
    08-09-16 07:56 PM
  24. dpeters11's Avatar
    It would be interesting if anybody checked those "prohibitively expensive" Passport drivers to see if they suffer from the same problem. If they were developed by Qualcomm and not by BlackBerry, they may very well suffer from the same flaws.
    Thing is though, it's not just the drivers, is it? It's the drivers and the interaction with the OS. These vulnerabilities give root access to the Android OS. I'm not saying it's impossible, but it would need to be different malicious code.
    08-09-16 08:01 PM
  25. Premium1's Avatar
    Android bug fear in 900 million phones - BBC News

    I have been posing that question here for over two years.
    Again this proves that without controlling hardware, including designing your own integrated circuits and not buying them from others, a company like BlackBerry cannot claim security.
    It's interesting that Samsung with Equinox processor (and Apple) are not on the list because they do not use the Qualcomm chip. They have their own.

    This also goes back to the security (lack thereof) of a phone designed and assembled in China whose hardware integrity one might fully control.
    Seems unless you side load apps you should be alright. With that being said, Qualcomm has really dropped the ball the past few years with their chips and now the security issues. Would love if Blackberry used the Exynos chips in their device rather than the Qualcomm chips. Here is the article from android central Google confirms 'Verify Apps' can block apps using QuadRooter vulnerabilities | Android Central
    08-09-16 08:36 PM
225 ... 789

Similar Threads

  1. WTT Z30 + Z10 for Priv
    By OTCHRussell in forum Buy, Sell, Trade - Sold / Archived
    Replies: 16
    Last Post: 10-05-16, 08:47 PM
  2. BlackBerry 10 128gb micro SD problem
    By skstrials in forum BlackBerry 10 OS
    Replies: 26
    Last Post: 08-12-16, 08:26 PM
  3. DTEK50 Cheapest BlackBerry since (BBOS 10)
    By schumi_xtreme01 in forum BlackBerry DTEK50
    Replies: 40
    Last Post: 08-12-16, 12:45 AM
  4. When will Best Buy have the new Blackberry D50?
    By Trentp03 in forum Ask a Question
    Replies: 3
    Last Post: 08-10-16, 02:30 AM
  5. I can not open the installed software
    By CrackBerry Question in forum Ask a Question
    Replies: 1
    Last Post: 08-09-16, 11:20 PM
LINK TO POST COPIED TO CLIPBOARD