Today, BlackBerry became the first company to release a critical security patch designed to prevent the QuadRooter exploit from taking hold of the BlackBerry PRIV and DTEK50 devices. The QuadRooter exploit actually consists of four high-severity critical vulnerabilities present in close to a billion Qualcomm-powered Android devices. BlackBerry’s blog on the subject explained how three of these rooting vulnerabilities had already been fixed for the PRIV by the August Marshmallow security patch, and on all DTEK50 models. BlackBerry go on to explain that the secure boot chain that BlackBerry use in their devices mitigated the remaining rooting threat and that the company were not aware of any examples of the exploit being used in the wild, but of course they are taking no chances.
The term “rooting” means granting an application full access to the drive. This means that all data and applications are available, which in turn means that potentially sensitive information is exposed. When an application has root access, it is able to change and adjust system settings. It is also able to look through potentially sensitive parts of a device, such as message stores and similar. This is the reason why the more sensitive and personal applications, such as banking and financial applications, will not run on a device that has been rooted.
When BlackBerry released the PRIV at the end of 2015, the Canadian smartphone manufacturer promised to deliver monthly critical security patches. At the time, BlackBerry also explained that critical Android vulnerabilities could not wait for a monthly update cycle and, with this in mind, the business would release patches for these issues as soon as it could. As soon as BlackBerry got wind of the QuadRooter issue, they started working on the necessary security patches. This process – which involves developing, testing and integrating new code into the operating system – is the reason why some device manufacturers take several weeks if not months to release patches. And whilst BlackBerry only have two devices to release patches to, their Android development team are surely less experienced than many competitors in the market today. This makes their achievement in pushing the QuadRooter fix to devices commendable. The fourth vulnerability associated with QuadRooter is set to be fixed in the September patch, but despite the BlackBerry devices already being hardened against the threat, the company decided to release the update anyway.
For customers with either the new DTEK50 or the PRIV unlocked, the device will check for and download the update automatically, but the check may also be prompted by visiting Settings, About Phone, System Updates. The device will then download the patch and prompt the user to reboot to complete the update process. Customers with a device bought via a carrier should expect the update to arrive in the next few days, once the carrier has approved the patch.