BlackBerry patches buffer overflow vulnerability discovered in BlackBerry OS 10.1

By Bla1ze on 9 Apr 2014 10:14 pm EDT

Back in June of 2013, the BlackBerry Security Incident Response Team was advised by modzero that a buffer overflow vulnerability was discovered in BlackBerry 10 OS versions earlier than version As part of the process, the modzero team contacted BlackBerry to reveal their findings and laid out what exactly the issue was. In that time, BlackBerry has issued a fix for this vulnerability, which is included in BlackBerry 10 OS version and later.

A stack-based buffer overflow vulnerability exists in the qconnDoor service supplied with affected versions of BlackBerry 10 OS. The qconnDoor service is used by BlackBerry 10 OS to provide developer access, such as shell and remote debugging capabilities, to the smartphone.

Successful exploitation of this vulnerability could potentially result in an attacker terminating the qconnDoor service running on a user's BlackBerry smartphone. In addition, the attacker could potentially execute code on the user’s BlackBerry smartphone with the privileges of the root user (superuser).

An attacker can exploit this vulnerability in the following ways:

  • Over Wi-Fi - In order to exploit this vulnerability, an attacker must send a specially crafted message to the qconnDoor service on a smartphone located on the same Wi-Fi network. The smartphone user must have also enabled development mode on the smartphone before an attack.

  • Over USB - In order to exploit this vulnerability, an attacker must gain physical access to a smartphone and then send a specially crafted message to the qconnDoor service over USB.

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 7.9. View the linked Common Vulnerabilities and Exposures (CVE) identifier for a description of the security issue that this security advisory addresses. - CVE-2014-1468

If you're running BlackBerry OS and later, you're no longer affected by this issue, and no known attacks using this exploit have been reported. If you're still running an earlier version of BlackBerry 10, you should update your OS as soon as possible. If no software update is available to you, contact your wireless service provider to request BlackBerry 10 OS version or later.

Thanks, Ronen!
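To show what a 7.9 means on the 0 to 10 CVSS scale, here is an added example (not part of the advisory or the original article) that computes CVSS v2 base scores from the public v2 equations. The vectors are assumptions chosen to match the conditions described above, since the article does not quote a vector: an attacker on the same Wi-Fi network, development mode required, and code execution as root.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base-metric weights from the public CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}      # local / adjacent / network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}             # none / partial / complete


def parse_vector(vector):
    """Split 'AV:A/AC:M/...' into a dict and reject malformed input."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    if set(metrics) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return metrics


def base_score(vector):
    """Return the CVSS v2 base score (0.0 to 10.0) for a base vector."""
    m = parse_vector(vector)
    impact = 10.41 * (
        1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]])
    )
    exploitability = (
        20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    )
    f_impact = 0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    # The specification rounds the result to one decimal place.
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


# Assumed vectors (constructed for illustration, not quoted from the advisory).
SCENARIOS = {
    # Same Wi-Fi network, development mode must be enabled, root code execution.
    "adjacent network, root code execution": "AV:A/AC:M/Au:N/C:C/I:C/A:C",
    # Same reachability, but the outcome is only a crash of the service.
    "adjacent network, service crash only": "AV:A/AC:M/Au:N/C:N/I:N/A:P",
    # Hypothetical comparison: the same impact if reachable from any network.
    "any network, no preconditions": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
}


def score_scenarios():
    """Score every scenario so the effect of each precondition is visible."""
    return {name: base_score(vector) for name, vector in SCENARIOS.items()}


if __name__ == "__main__":
    for name, score in score_scenarios().items():
        print(f"{score:>4}  {name}")
```

The score stays high because complete loss of confidentiality, integrity and availability dominates the formula; the same-network and development-mode preconditions only lower the exploitability term.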



First time I'm hearing about this

Posted via CB10


I believe that's the intent. If no one is told about it, you can't very well exploit it unless you find it on your own. :)


Funny, all BlackBerry "hacks" need you to have physical access to the device.
Unlike iOS and Android where malware is used without having any physical access to the device.
Or in this case somebody must be on the same wifi network while you have your device in developer mode AND send you some kind of message.
Worried? Hell no!


True, and some may not even know about "Development mode" let alone having it on at the time of an attack. It usually turns itself "off" even after legitimate uses.
Still...better safe than sorry. :)


Blaize.....on a "different topic"....

"Thanks" for recommending Snap as a way to port Android apps....I used DDPB, or whatever the acronym is, and now - for the first time in owning about 8 BlackBerry devices - I have HBO Go on my Z30...

Watched the finale of "True Detective" again....awesome.

As the Founding Member of "Club Z30", I am declaring the App Gap "Dead"....long live the app gap...

Thanks, again, Blaize - I thought you might be interested in some very good news....

Founding Member of "Club Z30 "..... the most exclusive club in mobile


Also, just download an official OS using Sachesi if you don't have 10.2.1 available lol.


Can you do an article on how to use the Sachesi BB10 App please?

Posted via CB10


Thanks for the info, interesting read.

Posted via CB10


Maybe this will influence att to push the update.

Posted via CB10


AT&T will release 10.2 when the moon becomes a square

Posted via CB10


I was just looking out the window, and down my street, I saw an old man. He was staring straight at the sky. Of course anyone would wonder, what was the man staring at? At that time I turned straight to the sky to see. Was it a bird? A duck? A cow? A ufo? God?? No. All I saw was the moon. Then as I was looking at it, I realized something was different about it. It made me think. I remembered the time, the time I was going to eat moon cake. I asked myself the question, why was this particular moon cake square? Circle was the standard shape. What made me remember this is... today's moon is square.... it is the time at&t comes out with 10.2.1 after today, take my word for it, and all should go out fine.


I've had quite a bit to drink this evening but you my friend sound like you're on something a lot more lethal (aka fun) than alcohol....


+1 lol

Posted via CB10


LMAO!!!!!!!!! ROGLMAO, my thoughts exactly - but what a trip reading that tho!

By that both your posts are the best of this month!!

BlackBerry Q10  & Full Metal CB10!


Lmao you read my mind lmfao.

Posted via CB10


You live in Colorado, don't you?

Founding Member of "Club Z30 "..... the most exclusive club in mobile


Or when the moon turns "red"....which BTW will be happening next week....coincidence?

Founding Member of "Club Z30 "..... the most exclusive club in mobile


Is it Sprint or AT&T that is still running 10.1? They need an update!

Posted via CB10


AT&T, Sprint started the roll out to 10.2xx already.


Wow. Can't believe ATT is still on 10.1. It's just unbelievable.

It's been almost half a year since 10.2.0 was released around most of the world.

Posted via CB10


Yup I still have AT&T 's "latest software" of

Posted via CB10


Amazing, yet unlikely to exploit!

Posted Via CB10 on my Zed 10


Someone with AT&T should complain, maybe they will finally upgrade the software.

David Tyler

I've complained so many times, with only varying and vague responses. Their current line is, "We're still testing." I finally decided I'd hang up the Z10 for an unlocked Z30 from ShopBlackBerry. At least that way, I won't have to wait on AT&T for upgrades.

Posted via CB10


Your application for "Club Z30" membership is in the mail....Congrats

Founding Member of "Club Z30 "..... the most exclusive club in mobile


Do you actually think no one has complained to AT&T regarding software updates? At this time I believe most if not all at&t customers know they don't care about BlackBerry, updates and BlackBerry customers.

Posted via CB10


Agreed. I'm bailing from ATT the minute my contract expires. If any of you are considering switching to them, think again. BlackBerrys are basically unsupported at this point.

Loving my Q10


I have also complained to AT&T but I got the same answers: "It's in testing" and "We'll let you know when it's ready". I got sick of waiting and went with Sachesi to the land of 10.2.1.

Posted via CB10


Thanks for the heads up.

Posted via Verizon Z10 - OS v10.1.2.2174

Adam Fox2

Security flaw or not, the odds of getting hit with this are pretty low.........the attacker must either have physical access to the phone or be on the same wifi network while the victim has dev mode on.....I only turn on Dev Mode if i need to side-load and that is rare....then i turn it right back off.....the iPhone SMS hack from 2009 was much more of a security threat than this......


Yeah, can't believe they rated that a 7.9. Of course I don't know what that means or what it is out of, but may as well be out of 100. Who walks around with Dev mode on all the time?

I do appreciate that BlackBerry patched it rather "quickly".

Posted via CB10


Fat chance that ATT will do anything about this.

Posted via CB10


English please!

 BlackBerry Q10 


  • BlackBerry responded accordingly and fixed what was broke.
  • 99.99% of people were never affected by this and now, never will be.
  • If you're on or later you can skip reading.
  • We totally missed out on having 'root' access to BB10 devices. Though its usefulness in the real world and average users is questionable anyway even if it was obtained. See: PlayBook root.
  • AT&T sucks.

That about sums it up.


"AT&T sucks." Lol!

Posted via CB10


this comment wins CrackBerry for today

Posted via CB10 on my Z10STL100-


Now that's pure English

From Zarafet my Z30.


AT&T Customers, now would be a good time to unite and speak up to them - to freakin' release an official update, aka long awaited 10.2.1

Posted via CB10


NOW would be a good time ??? LOL A year ago would have been a good time. Now it's just pathetic, AT&T so pathetic. I will never get a phone from them again.


I think the only carrier in the world still running 10.1 is AT&T. So glad I switched to Verizon.

Posted via CB10


I feel sorry for those on AT&T who don't update leaks/use Sachesi...

Posted via the super amazing BlackBerry Q10


Nothing to worry about, BBRY rectified this minor issue quite fast with 10.2 update. It's too bad lazy carriers are taking their dear time with the updates.


Everyone on ATT, please raise hell


Crackberrians. All full force complaint tweets at AT&T!!!!!!!!

Prem WatsApp

The NSA is having some fun with 10.1 users, hey?

"No Q10?" -> "Buy from Chen... "


Great to hear this level of security is being tested and fixed.

This would only affect a very low instance of people...same network, with dev mode enabled, not very likely, but great to see these being plugged.

Considering the scope of holes being plugged by Apple / Android on a regular basis, this level of security detail is great to see.


Well this sucks for AT&T customers. One thing for sure is that they wouldn't have to worry much. An attacker would have to have physical interactions with their device. I guess they shouldn't use WiFi or use Dev Mode.

Powered by my BlackBerry (Z10). Join my #BBM Channels C001227CF, C00476C37, C003829C9, C002454C9,C002190AC, C00120CE3

Nickolay Usov

Modzero should have created a tool for jailbreaking BB OS using this vulnerability.


You can't really jailbreak BBOS/BB10. This is a vulnerability with WiFi and within Dev Mode. It has nothing to do with rooting the device because it's near impossible to root BBOS/BB10.

Powered by my BlackBerry (Z10). Join my #BBM Channels C001227CF, C00476C37, C003829C9, C002454C9,C002190AC, C00120CE3

Nickolay Usov

According to vulnerability description: "attacker could potentially execute code on the user’s BlackBerry smartphone with the privileges of the root user (superuser)". I.e. rooting, isn't it?


Well I guess you proved me wrong but whatever. All I know is nothing has been exploited and we got updates so I'm good. Nothing is 100 % but I'm still pretty content with my phone's security. My device never falls into the wrong hands.

Powered by my BlackBerry (Z10). Join my #BBM Channels C001227CF, C00476C37, C003829C9, C002454C9,C002190AC, C00120CE3

Nickolay Usov

I love BB OS 10's security, it's really great. Thanks to Blackberry team that no one was remotely compromised. But ability to root BB 10 device could give us more options to customize our devices.


Still harder to exploit than iOS's SSH one lol

Posted via CB10


If you don't have it contact your carrier and ask for new OS? WTH kind of security patching is this? This makes Microsoft look like a world class security company.

You got a security flaw? Fix it yourself moron.

Posted via CB10


I guess it could be the new moto for BlackBerry, lol.

Posted via CB10

Prem WatsApp

Motto,... moto sounds like a competitor's product or two, lol ;-)

"No Q10?" -> "Buy from Chen... "


Sorry, dual language keyboard. It's moto in the other language, motto in English :) but thanks!

Posted via CB10


Impressed with the keyboard

From Zarafet my Z30.


Ms.B♋™ ‌@german_chick
@ATTCustomerCare why is #TeamBlackBerry Still waiting on the #BlackBerry10 10.2.1 update??? #Sprint #Verizon and #TMobile have released it!

@german_chick AT&T is continuing to work on the latest 10.2.1 software update for the Blackberry Q10 and Z10. We will release the update as soon as testing is complete. Thanks for your patience as we ready this software update for our customers. 2/2 ^LloydJ

I tweet them every so often...this was a couple days ago. sigh

 Z10STL100-3/ on ATT 


One point is crucial - development mode has to be on.
I.e. Something that should not be on on a daily use device anyway.

Is it a problem stock vulnerability - yes. Is it life threatening? No. Most people have development mode off anyway.
Still, it is bad news for those who cannot get the 10.2.x updates yet.

Posted via CB10


99.999999% of users don't even know what development mode is about ;)
Moreover, this dev mode disables itself after a number of days (10 by default), so that even if they accidentally turned it on, it will return to normal mode after this delay.


A phone reboot / reset turns off dev mode too. ;)

Posted via CB10


So all the people on AT&T who haven't loaded a leak are vulnerable. WTG AT&T


Only if x,y,z conditions apply. It's not as simple as not having the current OS.

Re-read articles for x,y,z conditions.

Posted via CB10


NSA proof :)

Posted via CB10 & my kick ass BlackBerry Z30

Ray UM

No, no, noooo lol.

An ATT user already commented earlier that they are currently on ATTS official release .2074, so clearly they are already past. 1055.

Sure they need to step up to 10.2, but this 'security flaw' isn't going to affect ANYBODY using their carrier's current least not in the US.

Who do these ridic news stories come from? "News" like this helps to create a negative image of BBRY, although it is obviously old, relatively irrelevant, and written in such a way that most people don't even understand how pointless the info is.

People gettn all scared lol...the problem was fixed a year ago.

Posted via CB10

Ray UM

Oh wait...10.2 had this problem a year ago? We're all screwed then, especially if ur an ATT user.

Carry on with your fear mongering lol.

Posted via CB10


Most welcome.

Founding Member of "Club Z30 "..... the most exclusive club in mobile


For those who thought that this bug could have resulted in "rooting" of BB10, please go and read up on the concept of Mandatory Access Control. QNX is *NOT* like a typical UN*X OS in that once you get "root", you have the keys to the kingdom. In an OS with mandatory access control, it is possible to assign very specific privileges to even the root user, so if you managed an exploit of this bug, you might have gotten "root" user identity (which I suppose is something), but you would still have been constrained by the permissions assigned to the process (i.e., if the original process was granted permissions to only be able to read/write to one file as root, that's what you'd now have: you could read/write to that one file, and nothing else; it doesn't matter that you have the "root" identity). BlackBerry has been very diligent in scrubbing their OS so that 1) there are not that many root processes left and 2) those processes that do have to run as root have only the very specific set of permissions needed to do their job and nothing else. Then combine this with the unique message-passing microkernel architecture of QNX and you are not likely to be able to do much.

The direction of most OSes these days has been to go the direction of Mandatory Access Control as it greatly raises the bar: Apple iOS has it (but iOS is still more of a monolithic-looking architecture which is vulnerable to many other attacks, despite Mach branding itself as a "microkernel"); Android 4.3+ has the NSA-developed SELinux kernel, which implements, among other things, mandatory access control (now whether the policies are set to something that is truly secure is another matter, as this tends to break some applications- this is also possibly why we are still stuck with older versions of Android runtime for BlackBerry: it's probably a pretty complex process to map the SELinux controls back to QNX controls; in the previous versions, they addressed Android permissions by creating a "fake root" user specifically for the Android runtime (ie, even if you managed to "root" Android on a BlackBerry device, it does not equate to "root" on the QNX side of things)); full-blown SEAndroid not only has the SELinux kernel, but extends mandatory access control to apps (set at install-time, but that's still better than nothing).


Hey AT&T service provider! That's you!.... yep, failure to upgrade has made your customers vulnerable!... Lets get with the program here!



I'm covered. :)

Posted via CrackBerry 10 (CB10) application using my BlackBerry Q10.