BlackBerry addresses OpenSSL Heartbleed vulnerability

By Bla1ze on 10 Apr 2014 08:11 pm EDT

By now, most folks are likely getting tired of hearing about the OpenSSL Heartbleed vulnerability, but it's an insanely important thing to address, and chances are we're going to be hearing about it for quite some time as companies get their software, services, websites, apps and more clear of the issue entirely.

I've not noticed a lot of concerned BlackBerry users, but if you are among those wondering how BlackBerry is handling it and what, if any, software or services were affected by it, we now have a full knowledge base article from BlackBerry covering it.

BlackBerry is currently investigating the customer impact of the recently announced OpenSSL vulnerability. BlackBerry customers can rest assured that while BlackBerry continues to investigate, we have determined that BlackBerry smartphones, BlackBerry Enterprise Server 5 and BlackBerry Enterprise Service 10 are not affected and are fully protected from the OpenSSL issue. A list of known affected and unaffected products is supplied in this notice, and may be updated as we complete our investigation.

The OpenSSL heartbeat extension read overflow is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows an attacker to steal the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. This issue was addressed in OpenSSL 1.0.1g and a fix is available for integration into affected BlackBerry products. The vulnerability is detailed in CVE-2014-0160.

Further investigation into affected products is ongoing, and BlackBerry is working to determine the full impact of the issue and confirm the best approach for protecting customers. As fixes become available, this notice will be updated.

Affected Software

  • BBM for iOS and Android - There are no mitigations for this vulnerability, however the vulnerability is non-trivial to exploit.
  • Secure Work Space for iOS and Android - There are no mitigations for this vulnerability for Secure Work Space for iOS and Android.
  • BlackBerry Link for Windows - This issue is mitigated for BlackBerry Link for Mac OS and BlackBerry Link for Windows due to the fact that, typically, these systems are not visible to the Internet and external traffic is sent via a proxy in a business environment. This significantly raises the difficulty of exploiting these systems. BlackBerry Link customers can employ their firewall system to filter out heartbeat requests.
  • BlackBerry Link for Mac OS - This issue is mitigated for BlackBerry Link for Mac OS and BlackBerry Link for Windows due to the fact that, typically, these systems are not visible to the Internet and external traffic is sent via a proxy in a business environment. This significantly raises the difficulty of exploiting these systems. BlackBerry Link customers can employ their firewall system to filter out heartbeat requests.

Non-Affected Software

  • BlackBerry Enterprise Service 10
  • BlackBerry Enterprise Server 5
  • BlackBerry Universal Device Server
  • BlackBerry® 10 OS
  • BlackBerry® 7.1 OS and earlier
  • BBM for BlackBerry smartphones

BlackBerry smartphones are NOT affected by this issue, and BlackBerry notes that as the investigation into the affected offerings continues, the knowledge base article will be updated accordingly. If you're looking for more info, you can hit the source link to view the entire knowledge base article on the matter.

To be clear though, just because smartphones are unaffected that doesn't instantly mean everything is in the clear. If you're concerned, you should be checking with developers and vendors and resetting your passwords where and when advised to do so.
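The advisory's suggestion that Link customers filter heartbeat requests at the firewall is possible because, in TLS 1.2 and earlier, the record header carries the content type in the clear. The block below is an added example, not code from BlackBerry or the original article: it parses TLS records, applies the RFC 6520 length rule to cleartext heartbeats, and treats heartbeats seen after ChangeCipherSpec as opaque. The function names, the policy flag and the sample bytes are constructed for illustration.

```python
import struct

# TLS record ContentType values (RFC 5246, RFC 6520)
CHANGE_CIPHER_SPEC = 20
HANDSHAKE = 22
HEARTBEAT = 24
MIN_PADDING = 16                       # RFC 6520: at least 16 bytes of padding
RECORD_HEADER = struct.Struct("!BHH")  # type, protocol version, fragment length


def parse_records(stream):
    """Yield (content_type, fragment) for each complete TLS record in one direction."""
    offset = 0
    while offset + RECORD_HEADER.size <= len(stream):
        ctype, _version, length = RECORD_HEADER.unpack_from(stream, offset)
        end = offset + RECORD_HEADER.size + length
        if end > len(stream):
            break                      # truncated capture: stop rather than guess
        yield ctype, stream[offset + RECORD_HEADER.size:end]
        offset = end


def classify_heartbeat(fragment):
    """Apply the RFC 6520 length rule to a cleartext heartbeat message."""
    if len(fragment) < 3:
        return "malformed"
    _hb_type, claimed = struct.unpack_from("!BH", fragment)
    # type (1) + payload_length (2) + payload + padding must fit in the record.
    if 1 + 2 + claimed + MIN_PADDING > len(fragment):
        return "overlong"
    return "well-formed"


def filter_stream(stream, drop_all_heartbeats=True):
    """Return one (content_type, verdict, reason) tuple per record."""
    verdicts = []
    encrypted = False
    for ctype, fragment in parse_records(stream):
        if ctype == CHANGE_CIPHER_SPEC:
            encrypted = True           # later fragments in this direction are ciphertext
        if ctype != HEARTBEAT:
            verdicts.append((ctype, "pass", "not a heartbeat"))
            continue
        # Once encrypted, only the record type is visible; the length field is not.
        reason = "opaque" if encrypted else classify_heartbeat(fragment)
        drop = drop_all_heartbeats or reason in ("overlong", "malformed")
        verdicts.append((ctype, "drop" if drop else "pass", reason))
    return verdicts


def record(ctype, fragment, version=0x0302):
    """Build a TLS record for the constructed samples below."""
    return RECORD_HEADER.pack(ctype, version, len(fragment)) + fragment


# Constructed sample traffic (not captured from any real system).
SAMPLE = b"".join([
    record(HANDSHAKE, b"\x01\x00\x00\x00"),                 # stand-in handshake bytes
    record(HEARTBEAT, b"\x01\x00\x04ping" + b"\x00" * 16),  # length matches content
    record(HEARTBEAT, b"\x01\x00\x40"),                     # claims 64 bytes, carries none
    record(CHANGE_CIPHER_SPEC, b"\x01"),
    record(HEARTBEAT, b"\x9c" * 32),                        # ciphertext stand-in
])

if __name__ == "__main__":
    for policy in (True, False):
        print("drop_all_heartbeats =", policy)
        for verdict in filter_stream(SAMPLE, drop_all_heartbeats=policy):
            print("  ", verdict)
```

With `drop_all_heartbeats=False` the encrypted heartbeat passes uninspected, which is why a filter that cannot see inside the session has to drop on record type alone.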


Reader comments



This is an opportunity for Blackberry to capitalize on its higher security as compared to Windows, iOS, and Android OS's

Rest assured BlackBerry will not capitalise on the enhanced security of its core products. They will keep promoting the ability of BlackBerry OS 10 to run Google Android applications. They will continue sending mixed messages to enterprise clients as well as consumers. The company needs a die-hard BlackBerry user as its CEO and in every SVP and VP position. John Chen has yet to prove he is the right person for the task.

Posted via CB10 on BlackBerry Q5

It depends.
Either BB must go all in (only native BB10 apps) for the die-hard security BB fans, which IMHO is not enough to keep a BB10 production alive.
Alternatively they must listen to the existing userbase and try to fulfill their needs: Apps.

I think Mr. Chen is smart enough to figure that one out.

They need to create a lot of share-able content we can help plaster around on social media :)

BlackBerry needs to scream this stuff from the rooftops

Posted with a Verizon Z30 running and CB10. [URL="bbmc:C0004F9BB"] My channel with zero subscribers [/URL]

Not that much actually, since this is a server issue, the exploitation of user devices isn't a common scenario with it.

I.e. while your phone might not be affected, if the server of a service you used (social media sites, banking etc.) is vulnerable, this doesn't help you at all, your data is still at risk.

It's good that BES is not affected though, since that is a server-side software.

Posted via CB10

Precisely why BlackBerry has to stay in the handset business. This provides the proof that Android and IOS are vulnerable and if the Enterprise Customers trying to still stick with other platforms using BES they will be better off going the whole nine yards and jump on the BlackBerry Device wagon and secure a true end to end Solution.

Posted via CB10

Double well said. Now all I need is a Blackberry computer and I can sleep safe at night. :)

Blackberry keeps Johnson National LLC moving

I read an article yesterday about this which listed who was vulnerable and it said 'none of Apples properties including icloud and iTunes have been affected' also no mention of Blackberry!

Posted via CB10

Apple is infected through the "gotofail; gotofail;" code in iOS.

Powered by my BlackBerry (Z10). Join my #BBM Channels C001227CF, C00476C37, C003829C9, C002454C9,C002190AC, C00120CE3

^ really wish BlackBerry's original guard did this poise with BES5/Fusion when USA national banks jumped on the iOS bandwagon.

Personally I like iOS and its ecosystem; because I'm a Mac OS X user at home until recently.

But I'm a BB user, a Canadian, and I love BB10 as a core usability system more. If BB doesn't wow me with the Z30 or it's successor I may just have to leave for my personal phone of choice. That said ... Z30 will be my corporate phone so I may just stick to the beast of fun I know. I'm on the wary fence because I'm skeptical that the high-end touch will do everything it should, attract MORE developers, entice existing ones to bump up their homework and deliver improvements and new apps - like blaq's developer does (he continues to strive for perfection, and as a brotha that speaks bounds to me on a personal note).

yeah ... I'll stick to BB10.

BlackBerry ... it's time to highlight not only BES10/5.5's strengths but also BB10!
1. Full page spread about this in the Financial Times, New Yorker, Globe and Mail (missed!!)
2. Continued strength and brand name recognition targeted ads on BES10 and upcoming BES12 with BB10.
3. Target BB10's unparalleled prowess of language support - use nationally accepted primary and secondary languages in the national newspapers in the countries you issue ads in!! Make these ads short, concise and directly to the point! Effectiveness is the KEY!! No stupid ads for hipsters done by hipster staff within waiting to demolish BB.

People should jump ship and buy Blackberry devices. Then they won't have to care about their hearts bleeding, or whatever the problem is. Hohoho!

Posted via CB10

Pretty much anybody that is in a relationship will potentially be a victim of Heartbleed...

 CB10 

The PB OS is no longer supported. It would be odd if they had mentioned it, since that would constitute supporting it.

It's still recent enough that they should include a third section in the KB to address the Playbook which is EOL and possibly a fourth regarding the infrastructure.

BBM really oughtn't have needed to appear on that list at all. Would have been a better show if it didn’t.

Posted via CB10

This isn't really a good look for BlackBerry MDM solution then :(.

Posted via the Android CrackBerry App!

Everybody and their mother was affected by this in one way or another. You'd be hard pressed to find another MDM solution or service provider that didn't have to update SOMETHING along the way. Even if services weren't directly affected you still had to update.

True. I guess it's better that they all update. I'm still interested in their BES Cloud service though. Hopefully, it comes out this year.

Posted via the Android CrackBerry App!

Finally someone understands the description!!!

This means BlackBerry infrastructure is so far secure but not the same luck with BBM on other OS neither Work Space.

Posted via CB10

Oops, sorry, neither is Link secure. As mentioned before, Link is used by some users to connect remotely to your computer and there is the possibility you connect to public networks

Posted via CB10

The value of end-to-end security is hopefully now understood.

Having BES managing Android or iOS relies to an extent on security implementations on these OSes, you can only make them (even a secure workspace) as secure as they permit.

In case of BlackBerry, they can adapt everything as needed and streamline the process, it's a one-vendor solution.

Zzzzwiped from a Zedevice....

Technically, you can fix it yourself by enabling your firewall even though it's not really an issue as it never really touches outside services anyway, at least not in a business environment.

This issue is mitigated for BlackBerry Link for Mac OS and BlackBerry Link for Windows due to the fact that, typically, these systems are not visible to the Internet and external traffic is sent via a proxy in a business environment. This significantly raises the difficulty of exploiting these systems. BlackBerry Link customers can employ their firewall system to filter out heartbeat requests.

It's just due diligence for them to list it.

Isn't Link what we use to connect to our computers through our phones, over the net? For file access.

Tim Smith from my Z10 on Rogers

Doesn't stop others on the business network (or cafe wifi hotspot) from exploiting.

Close link while not using it, make sure it's stopped and likely other Link related services too.

BRON: a cron-like scheduler for BlackBerry 10.

That was a relief. Kind of sucks BBM for iOS and Android are affected by this vulnerability but hey this shows that BlackBerry is superior to the other devices due to security. If a person wants to be safe on their phones there's no better device than a BlackBerry.

Powered by my BlackBerry (Z10). Join my #BBM Channels C001227CF, C00476C37, C003829C9, C002454C9,C002190AC, C00120CE3

I'm cautiously happy with this as there's no absolute security online these days.

Posted via CB10

That's good news for BlackBerry.

Yahoo is having trouble with this. Still working on fix.

Since the MH370 crash, more power-user TV journalists are praising their trusted BlackBerry to get instant latest information from their sources.

Here are a few world leaders using BlackBerry. Germany's Angela Merkel is now a BlackBerry fan since the NSA leak on her.

Hey if it's good for them it's good for us!

BlackBerry Lead
Do not Follow

Which phones are the world leaders using? - Telegraph

Posted via CB10

BBM for iOS and Android - There are no mitigations for this vulnerability, however the vulnerability is non-trivial to exploit.


sam :-)

They are trying to say, right now it is not secure, but to break the security it is kind of complicated. (Would you feel secure with that?)

Notice they didn't even say the same about Work Space?

I would translate it to : right now is not secure.

Posted via CB10

"There's a heartbleed beat,
And it feels like love,
There's a heartbleed beat,
And it feels like love..."

Ooops, wrong lyrics... ;-)

Great news for BlackBerry.

Unfortunately I work for a massive American company with close to 60k employees that claim security is crucial (hard drive encryption, USB drives disabled, about 3 passwords to get on any system) but is almost complete in switching to iphones from BlackBerry.

Posted via CB10

Yes, I agree with you.
The marketing message should say use just BlackBerry.

But the market doesn't care much about that scenario, the market was interested in MDM and that just failed. They taking long to address this :(

Posted via CB10

Reuters might have played around with John Chen's words in the interview, but JC has been key focused on security number one.
And that only means BlackBerry phones will be here for a long time but needs to be profitable via efficiency.

Z30 : posted via CB10 app

What do they mean by non trivial. I'm asking about the bbm for ios and android how is it being affected?

Posted via CB10

Well, I manage servers(Citrix/Windows/Vmware) and this is a big issue in our environment. Our security team is replacing the certs after obtaining new CSRs from Verisign

I honestly did not even think about my BlackBerry being insecure. Concern is towards my Windows laptop.

Loving my Zed 10!!

There's Security...and then there's BLACKBERRY SECURITY...

Well played BlackBerry

BlackBerry... Get it done!!!!

Posted via CB10

I hope BlackBerry plays this up in the media. I always find the media is super quick to talk bad about BlackBerry but never highlight these types of examples of how BlackBerry phones and OS are secure compared to iOS and Android. In my opinion, using any of those two operating systems is basically the same as posting all your personal details free online!

Posted via CB10

Yep, anything you put into a Google phone is readily harvested by marketing or vulnerable to security exploits.

Not sure about iOS, but iOS apps don't seem to be respecting users' privacy that much. Sorry, no link.

Zzzzwiped from a Zedevice....

I'm not happy with this statement.

Basically they're saying BBM on iOS and Android is vulnerable, and Link is vulnerable, and people are celebrating that?

BS on this "...typically, these systems are not visible to the Internet and external traffic is sent via a proxy in a business environment..." crap.

Think about how many people sit in an Internet cafe exposed to whatever miscreants hop on that public hotspot. If this was not an issue then no one should have sounded the alarm about Firesheep either.

I recently installed Link on my Laptop so I could use Sachesi and so on on more than one computer, now I have to go investigate whether or not it is leaving those server processes running and vulnerable even when Link is not running. And if they only run when Link is running, I have to be extra careful to make sure it is protected.

As far as blocking "heartbeat", I'd be very surprised if any personal firewall products have that granular of a filtering capability for a minor sub-component of SSL.

BlackBerry ABSOLUTELY needs to release a new build of Link built against a newer OpenSSL library.

I have no idea what the problem with BBM on Android/iOS is, they don't say. Neither do they attempt to claim, in that statement, that the fault is with the OS.

So TBH it sounds to me like a bunch of doubletalk, instead of updates to BBMx clients and Link, which is what they REALLY need to do.

What is wrong with you?

I mean you are TOTALLY RIGHT and as long as I am reading these comments just about 5 other people understand this issue.

So MDM doesn't offer the same security as BES and Link is vulnerable but BlackBerry says it is not that bad.


Posted via CB10

Thank you.
About time someone recognised that bbm on other devices are the responsibility of blackberry.
And quite frankly I too am not impressed by their attitude towards their affected services.
Just a reminder that no other mobile os was affected with the exception of Android 4.1

Posted via the Android CrackBerry App!

Thank you for clarifying the double speak. I'm not a computer tech, but I was getting a feeling of unease from reading the article snips. But then the comments seemed happy with BlackBerry and I was confused.

Posted via CB10

It's worse than that... They haven't talked about the rest of their infrastructure, some of which was vulnerable.
It doesn't matter if BBM on BlackBerry was not affected if the domain to which it connects to was vulnerable. Someone could have stolen the keys to decrypt all traffic.
I'm waiting for the full disclosure on that...

So as an everyday BlackBerry Link user how can I simply protect myself today?

Posted by Phobe's Owner on the BlackBerry Q10

The word I have from a BlackBerry insider is that other than for Android, where they are dependent on what version of OpenSSL the host Android OS provides, they already have patches for all the rest of their affected software and it is just undergoing testing before release..

Posted via CB10

So at work we have a security guard at the door, will probably lay him back and just put bb10, bes10, just any BlackBerry item!! =)

My z10

Posted via CB10

So I guess TLS can fail even when talking on a BB BBM to an Android BBM? The only 'safe way is from BB to BB'?

For some reason Blackberry has never capitalized of security issues that plague other phones, to me this is a good selling point however, one does not want to make the mighty Apple or Samsung or whoever mad, time for Blackberry to grow some and tell the world that their product is superior to any other brand when it comes to security, and quality

NnnnnoooooOOoo. ,,





Nope. They haven't given us the full story here yet and their attitude is appalling

Posted via the Android CrackBerry App!

So PlayBook os? Or do they not give a shit anymore? One way or another I'd like to know if it's affected as I still use mine so how about doing some customer service blackberry

Posted via the Android CrackBerry App!

So how can this be good for BlackBerry?
If they prepare patches, they were affected..
Why no word on the PlayBook?
On the Linux forums this bug was known for more than 5 months.
Just do a search on NSA and Linux.
Funnily enough windows seems to be unaffected but all linux based systems seem to be.
Apple may indeed be unaffected now because their SSL bug was different and already uncovered two months ago...

Posted via CB10

Welp. It's impossible to not mention the coincidence of this Heartbleed situation popping up in the midst of the Blackberry vs All Other Mobile Devices sparring that has been going on so heavily lately. Hmm..... What do ya know?! Blackberry devices aren't vulnerable, who could have seen that one coming?? (sarcasm, in case it's unclear). The same can't be said for Android and Apple devices....... It's a real good day to be a BB user.

Is the heartbleed the reason I cannot seem to use any of my amazon android apps for BlackBerry? (via the Amazon App Store App). For the last couple of days both Candy Crush Saga and Google Maps closes for no reason.

Why do people want apps?
Why do people want android apps if they have a blackberry?
Why would you carry a blackberry if you did not care about security?

Posted via CB10

That's a silly question(s).
Regardless how secure BBRY devices are, apps are important regardless of platform. Thanks to the ability to directly download and install Android apps on BB10 devices.

I want a Secure Platform with the App offering, and BBRY is the only platform that offers this.

Hopefully this security breach makes companies understand BBRY is the solution to secure the company 100% and some.

Damn heartbleed shit, luckily blackberry isn't affected.

Posted via CrackBerry 10 (CB10) application using my BlackBerry Q10.

Anybody know how I can get Yahoo Mail to work again? I changed all my email passwords after reading all about this blasted Heartbleed thing. After doing so, I tried changing passwords on my Q10 but there's always an error. Gmail worked fine though.

Posted via CB10

The problem is not with your Q10 or my Z10, the issue lies with Yahoo. I had issues with my PlayBook too regarding Yahoo. Gmail, Outlook/Hotmail absolutely no issues.

Oh thank you! That's nice to hear. I thought I need to do something with my phone settings or whatever. Yahoo has to get it fixed ASAP.

Posted via CB10

Forget about all the childish BS about apps etc. That is NOT what BBry is about.

It is, and always has been one of promoting its secure communication ability.

HeartBleed reaffirms this in the Strongest way. And it is secure comm that should be first and foremost on BBry's mind when Marketing BBry product.

Mr Chen, you have been handed a PLATINUM opportunity, do not dither..if there ever was a time to go all in, now may well be it.

Via what's really, a BOLD X....on X.II.I

This is what happens to companies that use other than BBRY as a complete solution.

And a testament that you cannot become masters of Security and Management overnight like Apple and Samsung have been trying to do.

BlackBerry ='s SECURITY. FACT

Eh Hello CRACKBERRY - ANYONE notice specifically Blackberry PlayBook OS is NOT mentioned anywhere ?

And proof whoring out BBM etc cross platform does a security company NO favours is...Heartbleed, well done BB you were warned!

BlackBerry response to OpenSSL “Heartbleed” vulnerability
Affected Software
BBM for iOS and Android
Secure Work Space for iOS and Android
BlackBerry Link for Windows
BlackBerry Link for Mac OS
Non-Affected Software
BlackBerry Enterprise Service 10 
BlackBerry Enterprise Server 5
BlackBerry Universal Device Server 
BlackBerry®  10 OS 
BlackBerry® 7.1 OS and earlier
BlackBerry® Infrastruc...
BBM for BlackBerry smartphones
BlackBerry® PlayBook™ ...
Are BlackBerry smartphones affected?
Nuff said... BlackBerry 10 is bullet proof.

Where did you see an official announcement from blackberry that the PlayBook was NOT affected?

I use the PlayBook and it would be reassuring to know that it is safe.

Are android apps safe on BlackBerry?
BBM for android is not, according to Blackberry. I know it runs on Android phones and it is not the same As android apps running on a BB phone.

Just asking

Posted via CB10

I got an "SSL Handshake Failed" error code on my Z30 last week. In the end it was a simple fix. I couldn't use Google search, BlackBerry World wasn't responding to download apps. Yahoo and Bing were working. But not Google??? Tried everything to fix it. Two hours. As I scrolled left and right I noticed that my calendar read April 9 and the true date was April 24. So I went to Settings and set it to Auto Update Time/Date. It had set itself to manual update. As soon as I did this EVERYTHING worked again. Lovin my Z30 for ever. If I have to, I will buy another unlocked Z30 if I break this one. There is no denying, this is the best phone on the market. I've played with the others out there and they come up short. Great system. Great job BB 10.

Posted via CB10