BlackBerry Plans Heartbleed Patches But Says Its Own Phones Unaffected

BlackBerry works on Heartbleed patches for some services, but says its own handsets, BES 10 and its infrastructure aren’t affected

BlackBerry has confirmed the Heartbleed OpenSSL vulnerability does impact Android and iOS users of BlackBerry Messenger (BBM) and Secure Work Space, along with BlackBerry Link for Windows and Mac, but has stressed BlackBerry smartphones and BlackBerry Enterprise Service (BES) are not affected.

The Canadian firm says it is “not aware” of any attacks targeting BlackBerry customers but says it is working to determine the full impact of the issue and will provide fixes for its affected services.

“BlackBerry is diligently working to investigate the vulnerability, resolve the related issues as quickly as possible, and communicate the findings and resolution to our customers,” it says.

BlackBerry Heartbleed

Blackberry fruit nice and luscious © Anna Kucherova ShutterstockDiscovered last week, Heartbleed is a vulnerability lying in an extension of OpenSSL encryption known as Heartbeat.  It allows anyone on the Internet to read the memory of servers protected by vulnerable versions of OpenSSL, potentially compromising encryption keys, and allowing attackers to eavesdrop on communications and steal data.

BlackBerry adds that the flaw in BBM and Secure Work Space is mitigated by the fact that the services only connect to a known and trusted end point, while BlackBerry Link systems are not visible to the internet and external traffic is sent via a proxy in a business environment.

This, apparently, “significantly raises the difficulty” of exploiting these systems. There are no known workarounds for BBM and Secure Work Space, But BlackBerry advises that BlackBerry Link customers can use their firewall system to filter out requests from Heartbeat.

The Heartbleed flaw has affected a number of large technology firms, including Yahoo, Juniper and Cisco, with many websites urging their users to reset their passwords. Google has patched a number of its services, but says Android users are not affected unless they are using version 4.1.1, adding that it is working on a fix.

Are you a security pro? Try our quiz!