
BB10's 'dated' crypto lets snoops squeeze the juice from your BlackBerry – researcher

BlackBerry BB10 OS uses dated protocols that leave users at risk of cryptographic attacks, according to a security researcher. The latest version of the smartphone maker's operating system, BlackBerry 10, uses TLS 1.0, while competitors use TLS 1.2. The post on the CrackBerry forum contains a screenshot from the howsmyssl.com …

COMMENTS

This topic is closed for new posts.
Silver badge

Copy / Paste

They forgot:

Our customers' data is the most important thing, blah, blah, blah.....

0
1
Anonymous Coward

Surprise!

Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft?

People need to give themselves a shake and stop using MS products!

3
5
Silver badge

Re: Surprise!

Er, where in the article did it mention Microsoft?

2
1
Anonymous Coward

Re: Surprise!

What has this article got to do with Microsoft? Was the spring so coiled and ready to launch a rabid attack upon them that you just couldn't hold back?

3
1
Anonymous Coward

Re: Surprise!

Nice one! It's like watching lemmings run off a cliff ;-)

1
0
Anonymous Coward

And that ..

kills off one of the main arguments why people still bought Blackberry. Disappointing - they started so well with QNX, but it was a sign on the wall they were not all THAT bothered about their perceived edge in security when they announced they would support Android apps on the platform.

What's left is the keyboard, I think.

0
3
Silver badge

Re: And that ..

And this is why Blackberry are getting such negative press.

Idiots posting as facts total rubbish. If you had half a brain you would check what you are going to post and find that the "Android" apps are "sandboxed" and so are no problem to run unless you enter data directly.

And don't forget that BB10 also separates work from personal, so Android can be restricted to the personal side only, leaving a safe phone for work purposes.

Now go away and read data to correct your "opinion" so you can start to post facts instead.

5
1
Silver badge

Re: the "Android" apps are "sandboxed"

Oh well that's absolutely fine then! While they may have fucked up their encryption software I'm sure they can build a bug free sandbox.

1
2
Anonymous Coward

Re: the "Android" apps are "sandboxed"

I mean, isn't Java supposed to run in a sandbox, too? Thing is, sandboxes have proven notoriously difficult to harden against escape attacks.

0
2
Bronze badge

Re: And that ..

I would still get another Blackberry; the last update added a torch, which was the only app I required, so I'm all set.

2
0
Anonymous Coward

Client says "Your client is not vulnerable to the BEAST attack. While it's using TLS 1.0 in conjunction with Cipher-Block Chaining cipher suites, it has implemented the 1/n-1 record splitting mitigation" - https://howsmyssl.com

2
0
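The 1/n-1 record splitting that the howsmyssl output above refers to, as an added Go example that is not from the article or any commenter: a cut-down TLS 1.0 style CBC record layer (AES, TLS padding, no MAC) in which every record's IV is the previous record's last ciphertext block, and a sealSplit that sends the first application byte in a record of its own. The key, the zero IVs and the "Cookie" secret are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// tlsPad appends k bytes (1..16), each holding the value k-1, as TLS 1.0 does (MAC omitted).
func tlsPad(p []byte) []byte {
	k := aes.BlockSize - len(p)%aes.BlockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(k - 1)}, k)...)
}
func tlsUnpad(p []byte) []byte { return p[:len(p)-int(p[len(p)-1])-1] }

// endpoint is one direction of a TLS 1.0 CBC record layer: each record's IV is the last
// ciphertext block of the record before it, so it is already on the wire before the next plaintext.
type endpoint struct{ blk cipher.Block; iv []byte }

func (e *endpoint) seal(plain []byte) []byte {
	padded := tlsPad(plain)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(e.blk, e.iv).CryptBlocks(ct, padded)
	e.iv = ct[len(ct)-aes.BlockSize:] // the next record chains off this block
	return ct
}

func (e *endpoint) open(ct []byte) []byte {
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(e.blk, e.iv).CryptBlocks(pt, ct)
	e.iv = ct[len(ct)-aes.BlockSize:]
	return tlsUnpad(pt)
}

// sealSplit is the 1/n-1 mitigation: the first byte travels alone, so the other n-1
// bytes chain off a ciphertext block that did not exist when the data was chosen.
func (e *endpoint) sealSplit(plain []byte) [][]byte {
	if len(plain) <= 1 {
		return [][]byte{e.seal(plain)}
	}
	return [][]byte{e.seal(plain[:1]), e.seal(plain[1:])}
}

// demo seals a constructed secret with splitting (constructed key, zero IVs) and
// returns the records together with the receiver's reassembled plaintext.
func demo() (recs [][]byte, got []byte) {
	blk, _ := aes.NewCipher(bytes.Repeat([]byte{0x42}, 16))
	snd, rcv := &endpoint{blk, make([]byte, 16)}, &endpoint{blk, make([]byte, 16)}
	recs = snd.sealSplit([]byte("Cookie: session=constructed-value"))
	for _, r := range recs {
		got = append(got, rcv.open(r)...)
	}
	return recs, got
}
```

The 33-byte secret comes out as a 16-byte record (one byte plus padding) and a 48-byte record, and the receiver, chaining IVs the same way, reassembles it unchanged.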

This post has been deleted by its author

Bronze badge

Mixed result

From my Q5:

Version: Bad blah blah blah susceptible to the BEAST attack blah blah blah

BEAST Vulnerability: Good blah blah blah Cipher-Block Chaining blah blah blah

Seriously, please make up your bloody mind! Is it good or bad?!?

0
0
Anonymous Coward

FreeBSD 10 (released 2014-01-20) has no better scoring than BB10 OS, unless one was to install OpenSSL from ports.

0
0

True, but it's not like we can install our own libraries on non-rooted phones ;)

0
0

Great! Someone who knows what they are talking about who can explain security to us.

So, we all know the 'BEAST' attack leverages the client-side web browser, right (correct me whenever you can)?

And BB10 uses a WebKit-based browser similar to Apple, OS X, Google, and Nokia, which was presumably patched 3 years ago by a client-side browser update.

So, how is it vulnerable to the attack? Just tested my browser and it seemed ok.

0
0

conservative

One must remember that RIM takes an extremely conservative approach to crypto, by design. Their primary customers are now governments that require this. For example, FIPS is dated and some of the ciphers compromised, but the overall FIPS approach and framework is highly secure and that's what the customer demands.

BEAST is for the most part mitigated on the server side by all significant web sites. The case against RC4 is far from convincing, as the very-pointy-headed folks at Google have discerned; Google continues to prefer it.

http://googleonlinesecurity.blogspot.com/2013/11/a-roster-of-tls-cipher-suites-weaknesses.html

"Better the devil you know than the one you don't" as the saying goes. No doubt the latest EC crypto is great stuff, but it's still relatively young and not enough rocks have been thrown yet for utter confidence.

1
1

Re: conservative

Thanks for the link! Very informative :)

0
0
Anonymous Coward

BlackBerry

They still around?

0
1

Great, let's see if the 10.3 update comes with new encryption protocols, really looking forward to it.

As for the rest here, I know why I use a blackberry z30 and most of you do not, as I have written repeatedly in the past. Look up my comments before you down vote, might learn something.

0
0