Today, BlackBerry released a security patch for its Android-based devices, including the BlackBerry Priv and DTEK50. The patch addresses the publicly disclosed vulnerabilities on devices using Qualcomm processors. With this, BlackBerry is the world’s first vendor to release patches against these vulnerabilities, also known as Quadrooter.
The Quadrooter vulnerabilities were first unveiled by the security company Check Point last week at DEF CON 2016. In short, it is a series of 4 vulnerabilities that, when used, allow an attacker to gain ‘root’ or administrative access to your device. Whilst the vulnerabilities are relatively tough to exploit due to the (Android OS) factory default settings and the need for user interaction, the exploits have been announced publicly, so a creative attacker might just attempt to use them, making this a high-severity issue.
That said, because of the secure boot chain in all BlackBerry devices, one of the 4 vulnerabilities has actually been mitigated already.
Quoting the words from BlackBerry Chief Security Officer, David Kleidermacher:
Some critical Android vulnerabilities – for example, one that can be easily and remotely exploited with a publicly disclosed method to execute ‘root’ privileged malware – simply can’t wait for a monthly update cycle.
Whilst it is great that BlackBerry is actively securing its devices as per its public commitment, the patches are at this point only available for devices purchased unlocked from ShopBlackBerry, whereas carrier partners will see them later this week. However, the question now is: will users of carrier devices such as AT&T (which is stuck on the June Marshmallow patch) and Verizon (June update) receive it in a timely manner? I sure do hope so.