What smart watch to get to work with Tesla...and Blackberry user...

So your sole example of BB being insecure is a vulnerability in OpenSSL that affected nearly EVERY device that connects to the Internet including iOS, OS X, Windows, Android, Linux, etc, etc? Uh, yeah. Let's look at the CVE database shall we? BB had 2 vulnerabilities in 2015 and 17 since 2008. iOS had 375 in 2015 and 802 since 2008 (that's for iOS).
No. See the bottom of Incident Response Team - United States. I see a LOT more than 17 since 2008.

Low CVE counts aren't necessarily indicative of high security. Blackberry's tiny remaining market share doesn't make a particularly juicy nor interesting target for hackers, those writing malware, and researchers now. If you are trying to affect the most # of people, the biggest targets would be the ones that have the highest market share and/or a large installed base.
 
No. See the bottom of Incident Response Team - United States. I see a LOT more than 17 since 2008.

Low CVE counts aren't necessarily indicative of high security. Blackberry's tiny remaining market share doesn't make a particularly juicy nor interesting target for hackers, those writing malware, and researchers now. If you are trying to affect the most # of people, the biggest targets would be the ones that have the highest market share and/or a large installed base.
Per the website you linked, there were 6 advisories in 2015. 2 are for 3rd party apps, 1 is for the FREAK OpenSSL vulnerability that as I already stated affected everyone, 1 is for their Android phone to fix Android vulnerabilities, 1 is for their Enterprise BES server product, and the last one affects the BB Link software to sync your phone with your PC. So in reality, 0 were for problems with the OS actually running on the phone.

Your premise about BB not being a target doesn't hold water. Please recall that effectively the entire US govt (and many other govt's) uses Blackberry. Why is that? And if that isn't a tempting target for attack by both state and non-state actors I don't know what is.

Those are two fairly specific accusations against Apple. If they were true, I'd expect to have read about them elsewhere. Care to provide links?
The SSL vulnerability of which I speak was from 2014. It was in iOS itself and so affected the phone and every app on it (save Chrome and Firefox as they do their own SSL processing). The vulnerability was that iOS wasn't checking validity of SSL certificates. This means that it was trivial to spoof a website or app destination and the phone would trust it and happily give credentials or whatever else. Here are a few links:
Apple's SSL iPhone vulnerability: how did it happen, and what next? | Technology | The Guardian
What you need to know about Apple's SSL bug | Macworld

This is not some obscure corner-case thing. Verifying that SSL certificates are handled correctly is security-101 kind of stuff. This should have been detected in QA regression testing but it persisted in the OS for a year and a half.

The second one that I was thinking about was actually a Samsung flaw in their keyboard code that I remembered incorrectly. But there have been other Apple exploits that allow data to be extracted silently like this one:
iOS 9 to fix critical Apple AirDrop vulnerability - Telegraph

My point stands and the volumes of vulnerabilities in iOS and Android speak for themselves. If you care about security you should use a Blackberry. Of course security is a spectrum and there are absolutely trade offs to increasing your security posture. If you really need 25,000 apps and/or specific apps that don't work on BB10 then you should use an iPhone or Android. But it is a plain fact that you are paying for that usability with decreased security. If you're fine with that then you're fine with that and you should enjoy your phone. I work in the internet security space and so this is important enough to me that I will deal with things like the map not displaying on the Tesla app.

Smorg, you made a lot of mentions around app security. I don't hold manufacturers liable for app vulnerabilities. And you are correct that iOS 9 has improved controls around what access apps can have. But BB10 has had these controls since day 1 and they have always fully sandboxed every app from the phone and from itself. Also you cannot jailbreak a Blackberry so there's no possible way for someone to "root" the device. I find it comical that anyone would bring up TouchID in a security context. Anyone who's seen any James Bond movie could copy the user's fingerprint and access the device. I have no doubt that Apple says they care about security. What company would say otherwise? But the vulnerabilities that continue to emerge indicate a lack of time and resources being spent on the security of iOS itself. Also, it took Apple many years to give users the ability to nuke a stolen phone which BB10 has had since day 1. If they had done so the black market for said phones would have been almost zero and yet Apple was quite happy to sell people replacement phones. Finally, you are correct that iOS is more secure than Android. But that's really not saying a lot.
 
Also, it took Apple many years to give users the ability to nuke a stolen phone which BB10 has had since day 1.
Since you mention BB10, it looks like it was released in 2013.

Remote wipe has been available on iOS (before it was called iOS) since iPhone OS 3.0 (Inside IPhone 3.0's Remote Wipe Feature | PCWorld) which came out in June 2009. The first iPhone didn't become available until June 29, 2007.

That said, I'd imagine earlier versions of Blackberry's/RIM's phone software had remote wipe, likely before 2009.

- - - Updated - - -

Your premise about BB not being a target doesn't hold water. Please recall that effectively the entire US govt (and many other govt's) uses Blackberry. Why is that? And if that isn't a tempting target for attack by both state and non-state actors I don't know what is.
Take a look at About the security content of iOS 9.2 - Apple Support, for example, and notice who's been finding these vulnerabilities. Do you think those same researchers and software developers are really interested in finding vulnerabilities in something that has 0.3% share (IDC: Smartphone OS Market Share 2015, 2014, 2013, and 2012) or that they're even writing any software for Blackberry devices and thus stumble across vulnerabilities during their own security testing and review process?

If you were someone w/bad intentions out to affect (e.g. make money, do DDoS attacks, etc.) or steal information from the most # of people, which smartphone OS would you target? Ones with over 82% share, and over 13% share or one with 0.3%?

And, 44.7 million tablets were shipped in 2Q 2015 per Worldwide Tablet Market Continues to Decline; Vendor Landscape is Evolving, According to IDC - prUS25811115. Most of the above vulnerabilities would also be found on those tablets. In comparison, Blackberry never got any traction w/the Playbook before killing it.

For some other numbers, in a recent quarter, Blackberry sold about 700K handsets (BlackBerry Jumps as Software Goal, Handset Profit in Sight - Bloomberg Business). For Apple (Apple - Press Info - Apple Reports Record Fourth Quarter Results), they sold 48 MILLION iPhones and almost 9.9 million iPads. Again, if you were someone w/malintent, which is/are juicier? Android and iOS or Blackberry?
 
The SSL vulnerability of which I speak was from 2014.
Ah, you're talking about the "goto fail" bug. I did read about that, 2 years ago when it was fixed. You used the present tense ("if you don't mind that your phone ignores SSL certificates") to deliberately make it sound as if iOS devices were still not checking SSL certificates.

The second one that I was thinking about was actually a Samsung flaw in their keyboard code that I remembered incorrectly. But there have been other Apple exploits that allow data to be extracted silently like this one:
iOS 9 to fix critical Apple AirDrop vulnerability - Telegraph
That's obviously bad, but it's also something Apple fixed. Your statement about "anyone being able to access and download everything off your phone whenever they want" does not seem to be true for current versions of iOS.

Perhaps iOS will someday attain the same level of security you claim Blackberry has, now that they have hired the person who was responsible for the Blackberry OS (Sebastien Marineau-Mes).
 
You guys from the US are missing the fact that BB still has significant market share here in the Great White North.

And many/most large NY/London based banks like Goldman, JPM, Credit Suisse, Morgan Stanley, etc are still on BB.
 
Anyone who's seen any James Bond movie could copy the user's fingerprint and access the device.

I hate to jump in the middle of a religious debate (I have no dog in this fight), but come on, using a James Bond movie as a reality check for what people can do with fingerprints? Might you have a more, umm, realistic example of fingerprint cloning?

(backs away slowly).
 
Since you mention BB10, it looks like it was released in 2013.

Remote wipe has been available on iOS (before it was called iOS) since iPhone OS 3.0 (Inside IPhone 3.0's Remote Wipe Feature | PCWorld) which came out in June 2009. The first iPhone didn't become available until June 29, 2007.

That said, I'd imagine earlier versions of Blackberry's/RIM's phone software had remote wipe, likely before 2009.
I mention BB10 because that is when I became a customer and am unfamiliar with their capability prior to then. I used Windows phones back in the 90's/early 00's until I switched to an iPhone 3G. I used iPhones (except a short run w/ a Galaxy S3) until I learned about BB10 and switched to a Z10.

I wasn't just talking about remote wipe. I was talking about the ability to completely disable the phone remotely. If someone were to steal my Passport I could log into a BB website and disable that handset. That handset will not work for anyone EVER again (save govt-mandated ability to call 911). I don't even know if this is possible with an iPhone. Can someone jailbreak a stolen phone to get around the lock? That isn't possible with a BB as every phone has a burned-in PIN that cannot be changed and the phone will not function without validating its PIN with BB. This lowers the value of a stolen phone to almost zero. Because iPhones phone home whenever they are on Apple could have included this feature but instead was (are?) quite happy to keep selling people new phones after theirs are stolen.

Take a look at About the security content of iOS 9.2 - Apple Support, for example, and notice who's been finding these vulnerabilities. Do you think those same researchers and software developers are really interested in finding vulnerabilities in something that has 0.3% share (IDC: Smartphone OS Market Share 2015, 2014, 2013, and 2012) or that they're even writing any software for Blackberry devices and thus stumble across vulnerabilities during their own security testing and review process?

If you were someone w/bad intentions out to affect (e.g. make money, do DDoS attacks, etc.) or steal information from the most # of people, which smartphone OS would you target? Ones with over 82% share, and over 13% share or one with 0.3%?

And, 44.7 million tablets were shipped in 2Q 2015 per Worldwide Tablet Market Continues to Decline; Vendor Landscape is Evolving, According to IDC - prUS25811115. Most of the above vulnerabilities would also be found on those tablets. In comparison, Blackberry never got any traction w/the Playbook before killing it.

-SNIP- Again, if you were someone w/malintent, which is/are juicier? Android and iOS or Blackberry?
While it's possible that the popularity of iOS and Android is related to weak security (they are easier to use and do more "cool stuff" because security isn't slowing the user down or making them jump through hoops, and apps are easier to write because the systems are more open, etc), your presumption that there is a correlation between popularity and vulnerability count is specious. As for targets, did you even read my post? The Pentagon and every other Federal agency uses Blackberry. So while their user count is small, the value of the data on those devices is quite large. You don't think there's value in exploiting those devices? Plenty of people are looking.

Further, there are still a ton of apps natively written for BB10. All the brokerage houses, FB, Twitter, LinkedIn, Evernote, Box, etc, etc. so there are plenty of people developing apps for Blackberry that could "stumble" across vulnerabilities.

Look, if you trust your data and communications to Apple then by all means do so. I will not.

Ah, you're talking about the "goto fail" bug. I did read about that, 2 years ago when it was fixed. You used the present tense ("if you don't mind that your phone ignores SSL certificates") to deliberately make it sound as if iOS devices were still not checking SSL certificates.

That's obviously bad, but it's also something Apple fixed. Your statement about "anyone being able to access and download everything off your phone whenever they want" does not seem to be true for current versions of iOS.

Perhaps iOS will someday attain the same level of security you claim Blackberry has, now that they have hired the person who was responsible for the Blackberry OS (Sebastien Marineau-Mes).
Well, the gotofail bug was in the code for 1.5 years so who knows what's in there now (though the same could be said for BB). But my point is that BB has a history of spending the time and money it takes to build secure code. Apple does not. I used the GTF bug as an example of a basic flaw (seriously, "check whether SSL certs are validated correctly" should be a part of every single build regression) that Apple didn't have the systems and processes in place to find.

Maybe they've turned a corner. The vulnerability counts in 2015 don't support that assertion but I'm open to changing my opinion. I hope Apple does get serious about security and Sebastien could certainly help. Everyone deserves devices with good security. Heck, my wife uses an iPhone so I do hope they continue to improve.
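As an added illustration, not Apple's code and not from any post in this thread: a simplified C model of the "goto fail" control-flow shape described above, beside the corrected shape and the kind of build regression the post above says every build should carry. The hash and signature routines are constructed stand-ins and the error codes are placeholders; only the control flow is the point.

```c
/* Added example (not Apple's code): a simplified model of the "goto fail"
 * control-flow bug. The hash and signature steps are constructed stand-ins so
 * the block runs offline; only the shape of the control flow is the point. */
#include <stddef.h>
#include <string.h>

/* Constructed error codes, not the real Security.framework values. */
#define ERR_OK      0
#define ERR_BAD_SIG (-1)

/* Stand-in hash: a multiply/xor fold, NOT a real hash function. */
static int toy_hash_update(unsigned *state, const unsigned char *data, size_t len) {
    for (size_t i = 0; i < len; i++)
        *state = (*state * 31u) ^ data[i];
    return ERR_OK;
}

/* Stand-in "raw verify": the 4-byte signature must equal the hash value. */
static int toy_raw_verify(unsigned hash, const unsigned char sig[4]) {
    unsigned got = ((unsigned)sig[0] << 24) | ((unsigned)sig[1] << 16) |
                   ((unsigned)sig[2] << 8)  |  (unsigned)sig[3];
    return got == hash ? ERR_OK : ERR_BAD_SIG;
}

/* Vulnerable shape. The second "goto fail" is unconditional (in the original
 * it was indented to look like part of the if above it): whenever the hash
 * step succeeds, err is still 0 and the jump skips the signature check, so a
 * forged signature "verifies". */
int verify_key_exchange_buggy(const unsigned char *params, size_t len,
                              const unsigned char sig[4]) {
    unsigned hash = 0;
    int err;
    if ((err = toy_hash_update(&hash, params, len)) != 0)
        goto fail;
    goto fail;                            /* the stray, duplicated line */
    if ((err = toy_raw_verify(hash, sig)) != 0)
        goto fail;
fail:
    return err;
}

/* Corrected shape: braces make each early exit explicit, so no unconditional
 * jump can silently bypass the verify step. */
int verify_key_exchange_fixed(const unsigned char *params, size_t len,
                              const unsigned char sig[4]) {
    unsigned hash = 0;
    int err;
    if ((err = toy_hash_update(&hash, params, len)) != 0) {
        goto fail;
    }
    if ((err = toy_raw_verify(hash, sig)) != 0) {
        goto fail;
    }
fail:
    return err;
}

typedef int (*verify_fn)(const unsigned char *, size_t, const unsigned char[4]);

/* The build regression the post asks for: a good signature must verify and a
 * tampered one must be rejected. Returns 1 if the verifier behaves, else 0. */
int signature_check_regression(verify_fn verify) {
    static const unsigned char params[] = "constructed ServerKeyExchange params";
    size_t len = sizeof params - 1;
    unsigned h = 0;
    unsigned char good[4], bad[4];
    toy_hash_update(&h, params, len);
    good[0] = (unsigned char)(h >> 24); good[1] = (unsigned char)(h >> 16);
    good[2] = (unsigned char)(h >> 8);  good[3] = (unsigned char)h;
    memcpy(bad, good, sizeof bad);
    bad[3] ^= 0x01;                       /* one flipped bit: a forgery */
    if (verify(params, len, good) != ERR_OK) return 0;   /* false reject */
    if (verify(params, len, bad) == ERR_OK) return 0;    /* accepted forgery */
    return 1;
}
```

Run against the buggy shape the regression fails (the forgery is accepted); against the fixed shape it passes, which is exactly the check that would have caught the bug at build time.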
 
So your sole example of BB being insecure is a vulnerability in OpenSSL that affected nearly EVERY device that connects to the Internet including iOS, OS X, Windows, Android, Linux, etc, etc? Uh, yeah. Let's look at the CVE database shall we? BB had 2 vulnerabilities in 2015 and 17 since 2008. iOS had 375 in 2015 and 802 since 2008 (that's for iOS).
I guess you're looking at Blackberry : Products and vulnerabilities. Right or wrong, some of them got lumped under RIM : Products and vulnerabilities.

Again, I'm not convinced that low CVE counts are an indication of security. I found Apple : Products and vulnerabilities. Does that mean that Apple was doing a great job w/security in 1999 thru 2003 and a crappy job now? The tools to find vulnerabilities have gotten a lot better (e.g. file fuzzing tools, static analysis tools on code, etc.). People have learned a lot about new types and classes of vulnerabilities that hadn't even been imagined before (beyond just say buffer overflows or bypassing some cross-site security in browsers). I don't know for certain the first example of https://cwe.mitre.org/data/definitions/191.html was from 2004, but that doesn't mean that vulnerabilities didn't exist in other software prior to 2004.

There are now many bad guys in it for financial gain (stealing credentials, compromising banks and retailers, identity theft, ransomware, etc.) vs. it being just a bunch of people screwing around a decade or two ago.

And again, the larger players are really juicy targets compared to the small players. This is part of why Windows has so much more malware and the like written for it than say Ubuntu Linux, or some other random Linux distribution.

From Vulnerabilities – Application Security – Google
"Vulnerabilities

Keeping Internet users safe is more than just making sure Google's products are secure. Google engineers also contribute to improving the security of non-Google software that our products and users rely on.

Provided below is a list of software vulnerabilities discovered or fixed by Googlers, along with presentations we've given at industry security conferences. You can also find publications about security, cryptography, and privacy work in Google's main research portal."

Google Chrome used to use WebKit for its rendering engine, so if Google finds a vulnerability in Google Chrome, well, Apple also needs to fix it and issue an update/patch.
 
And now back to our regularly scheduled program…I have a Pebble smartwatch. Yes, the cheapster's version of Apple's watch, but it does what I want and costs a proverbial fraction of Apple's. I'm connected to an iPhone but haven't tried any Tesla manoeuvres on the watch yet, mostly because the phone will do that, and it's convenient enough.

Willing to be a Tesla-Pebble guinea pig for $1,000 a minute :tongue:
 
You guys from the US are missing the fact that BB still has significant market share here in the Great White North.

But fading fast. My company was a BB only shop until users finally said "enough". They support BB and Apple right now with Android apparently coming, but use a BES server and (kinda crappy) BlackBerry app on the iPhone for mail and calendar. I think BlackBerry will focus on their apparently quite good secure software going forward and let the phones just fade away.

- - - Updated - - -

And now back to our regularly scheduled program…I have a Pebble smartwatch. Yes, the cheapster's version of Apple's watch, but it does what I want and costs a proverbial fraction of Apple's. I'm connected to an iPhone but haven't tried any Tesla manoeuvres on the watch yet, mostly because the phone will do that, and it's convenient enough.

I also have a Pebble and actually bought it because of the Tesla Control App by Erik de Bruijn. Unfortunately what I didn't realize is that the app only works when the Pebble is paired with an Android phone, and I have an iPhone.
 
I guess you're looking at Blackberry : Products and vulnerabilities. Right or wrong, some of them got lumped under RIM : Products and vulnerabilities.
Yes, RIM changed their name to Blackberry in 2013. Even if you add in the older BB phone vulnerabilities (not fair to include the BES or other software products as we're focusing on phones here) it's still a tiny fraction of iOS.

Again, I'm not convinced that low CVE counts are an indication of security. I found Apple : Products and vulnerabilities. Does that mean that Apple was doing a great job w/security in 1999 thru 2003 and a crappy job now? The tools to find vulnerabilities have gotten a lot better (e.g. file fuzzing tools, static analysis tools on code, etc.). People have learned a lot about new types and classes of vulnerabilities that hadn't even been imagined before (beyond just say buffer overflows or bypassing some cross-site security in browsers).
I think you have it exactly backwards. I believe that popularity and vulnerabilities go hand in hand but not for the reason you say. People want products that do a lot of cool stuff and are easy to use. Those two goals are at odds with strong security without a colossal investment in time and money (I hope Apple is ready to make this investment - I applaud hiring Sebastien). Apple products are popular precisely because they deliver what the people want and the people do not demand secure products. I do believe iOS was more secure in the old days because it was much simpler. People want features like Airdrop and every time you add a feature like that it creates a new attack vector. Furthermore, people want everything synced up with iCloud and iTunes and whatever so everything is seamless but that means that if someone does compromise any one piece the whole system comes down. Again, Apple is simply giving the people what they want and they are very successful because of it. But that commercial success is in spite of iOS's vulnerabilities, not because of them.
 
My point stands and the volumes of vulnerabilities in iOS and Android speak for themselves. If you care about security you should use a Blackberry.

I'm a bit sorry to resurrect this tangent, but this news story today caught my eye: Apple ordered to aid FBI in unlocking California shooter's phone

U.S. government officials have warned that the expanded use of strong encryption is hindering national security and criminal investigations.

In a similar case last year, Apple told a federal judge in New York that it was “impossible” for the company to unlock its devices that run an operating system of iOS 8 or higher.

Apple and Google both adopted strong default encryption in late 2014, amid growing digital privacy concerns spurred in part by the leaks from former National Security Agency contractor Edward Snowden.

If it's good enough to keep the FBI out for months now, it's probably pretty decent, eh?
 
I'm a bit sorry to resurrect this tangent, but this news story today caught my eye: Apple ordered to aid FBI in unlocking California shooter's phone

If it's good enough to keep the FBI out for months now, it's probably pretty decent, eh?
Having strong storage-level encryption with an auto-wipe after too many failed logins is absolutely a good thing. I hope Apple sticks to their principles as introducing a back door would be exploited instantly (who would decide who gets the backdoor key and how could you control it?) and also set a bad precedent for other manufacturers.

However the vulnerabilities I discuss in this thread involve gaining access by an app or iOS feature itself while the phone is unlocked and therefore has access to the storage, and/or the phone doesn't follow security standards. For example, during the period that iOS stopped validating SSL certs, it would allow someone to spoof a valid site and trick the user into entering their credentials or installing malware. Storage-level encryption wouldn't help with this kind of attack.
 
Hyperbole, exaggeration, and omission of circumstances doesn't help. I'm not an expert by any means, but let's take these one at a time.

1) iPhone ignores SSL certificates
First, iOS has built-in support for SSL, including certificate handling, but it is up to each app to implement how security is handled. If you're using Apple's standard framework to develop your app (e.g., NSURLConnection), then the security should be good. About 3 years ago it was reported that some iPhone apps were not properly checking SSL certs for validity. That meant they'd accept any certificate from anybody. I don't believe this was or is a problem with any Apple-provided app. Matter of fact, the problem is probably in apps not written specifically for the iPhone and so they don't take advantage of the native security tools built into iOS.

2) Apple's software QA is atrocious
I can't fight a negative without specifics, so I'll let it stand. There was, after all, this report in 2014. My own experience is that my iPhones and apps are no worse than my close friends' Android phones or the people at Blackberry with whom I work that are required to have Blackberrys if they want to use their phone for work.

3) They don't care one lick about security
Again a negative without specifics. Unlike Google, for instance, they are very careful about what data they collect on their users. In talking with engineers who work for Apple about ideas I had for them, they countered back that Apple would never collect that kind of data on their users. Here's an article on Apple's respect for their users privacy:
4) Also you must not care about 3rd parties being able to grab your location constantly even when the app is closed.

This is something that you can enable or disable either for everything, or on a per app basis. I just bought a new iPhone and part of the setup is asking you if apps can grab your location even when they're closed. So, if you care, get an iPhone for you will have control over this.

Anyway, I don't and haven't worked for Apple, I own an insignificant amount of Apple stock. I like a lot of their products. My experience with those products, and in discussions with Apple engineers, is that Apple cares about security, privacy, and quality. The way that Apple checks apps that get listed in their App Store helps protect you from rogue applications that could try to access your data. Yeah, apps will slip by every now and then but it's way better in terms of security than the wild west that is Google Play.

+1. This is my experience. Good security, decent reliability and (very slightly) above average software quality. Atrocious is not a word I would use. Nobody ever said Blackberry wasn't secure … but I've got to wonder about Android sometimes.