BlueBorne Vulnerabilities Impact Over 5 Billion Bluetooth-Enabled Devices (bleepingcomputer.com)
An anonymous reader quotes a report from Bleeping Computer: Security researchers have discovered eight vulnerabilities -- codenamed collectively as BlueBorne -- in the Bluetooth implementations used by over 5.3 billion devices. Researchers say the vulnerabilities are undetectable and unstoppable by traditional security solutions. No user interaction is needed for an attacker to use the BlueBorne flaws, nor does the attacker need to pair with a target device. They affect the Bluetooth implementations in Android, iOS, Microsoft, and Linux, impacting almost all Bluetooth device types, from smartphones to laptops, and from IoT devices to smart cars. Furthermore, the vulnerabilities can be concocted into a self-spreading Bluetooth worm that could wreak havoc inside a company's network or even across the world. "These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date," an Armis spokesperson told Bleeping Computer via email. "Previously identified flaws found in Bluetooth were primarily at the protocol level," he added. "These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device." Consumers are recommended to disable Bluetooth unless you need to use it, but then turn it off immediately. When a patch or update is issued and installed on your device, you should be able to turn Bluetooth back on and leave it on safely. The BlueBorne Android App on the Google Play Store will be able to determine if a user's Android device is vulnerable. A technical report on the BlueBorne flaws is available here (PDF).
A headphone jack would be nice right about now (Score:5, Funny)
Am I right?
Re: (Score:1)
Sure, but you're a pussy. I'm courageous for using BT.
Re: (Score:2)
Am I right?
While I have a cable to connect the two, Bluetooth connected headphones are just much nicer/easier. And BlueBorne found my Moto G4 vulnerable.
the actual problem is : a buffer overflow... (Score:5, Informative)
so yes, it's basically like wifi; cables are reliable
there is a buffer overflow in some versions of windows/linux/iOS
this has been patched in recent versions of all the OSes
it's not a replicating worm per se unless you count all the people who have downloaded an "app" to check if they are vulnerable...
the videos and documentation on their website give absolutely no details and are completely pointless; this is what happens when you let a media company deal with a buffer overflow
Actual information:
Background Information
The Logical Link Control and Adaptation Layer Protocol (L2CAP) works at the data link layer in the Bluetooth stack. It provides services such as connection multiplexing, segmentation and reassembly of packets for upper layer protocols such as Bluetooth. It facilitates higher level protocols to transmit and receive L2CAP data packets to and from clients.
A stack buffer overflow issue was found in various systems' Bluetooth subsystems when processing the pending configuration packets received from a client. As a result, a client could send arbitrary L2CAP configuration parameters which were stored in a stack buffer object. These parameters could exceed the buffer length, overwriting the adjacent kernel stack contents. This exchange occurs, prior to any authentication, when establishing a Bluetooth connection. An unauthenticated user, who is able to connect to a system via Bluetooth, could use this flaw to crash the system or potentially execute arbitrary code on the system if not secured correctly. If the Linux kernel stack protection feature (CONFIG_CC_STACKPROTECTOR=y) is on, then you're not going to be vulnerable.
Not impressed with the press release at all I'm afraid
It does show which vendors of equipment pay attention, develop patches and deserve respect
Regards
John Jones
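Added example (not code from this comment, the kernel, or the Armis report): a bounds-checked walk over L2CAP configuration options of the kind described above, where the check on the fixed-size pending buffer is the one whose absence produces the stack overflow in question. L2CAP_CONF_MTU and L2CAP_CONF_FLUSH_TO are option types from the Bluetooth Core spec; PENDING_MAX, the function names and the sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* L2CAP configuration option types (Bluetooth Core spec, Configuration Request). */
#define L2CAP_CONF_MTU      0x01  /* 2-byte value */
#define L2CAP_CONF_FLUSH_TO 0x02  /* 2-byte value */
/* Hypothetical fixed-size stack buffer that collects "pending" options; the overflow
 * the comment describes is exactly a missing check against a limit like this one. */
#define PENDING_MAX 64

typedef struct {
    uint8_t data[PENDING_MAX];
    size_t  len;
} pending_buf;

/* Copy one option into the pending buffer. Returns 0, or -1 if it would not fit. */
static int append_option(pending_buf *pb, uint8_t type, uint8_t optlen, const uint8_t *val)
{
    size_t need = 2 + (size_t)optlen;
    if (need > sizeof pb->data - pb->len)      /* the bounds check: reject, never overrun */
        return -1;
    pb->data[pb->len++] = type;
    pb->data[pb->len++] = optlen;
    memcpy(&pb->data[pb->len], val, optlen);
    pb->len += optlen;
    return 0;
}

/* Walk the type/length/value options of a Configuration Request body.
 * Returns the number of options accepted, or -1 if the packet is rejected. */
int parse_conf_options(const uint8_t *pkt, size_t pktlen, pending_buf *pb)
{
    size_t off = 0;
    int count = 0;
    pb->len = 0;
    while (off < pktlen) {
        if (pktlen - off < 2) return -1;            /* truncated option header */
        uint8_t type   = pkt[off] & 0x7f;           /* bit 7 is the "hint" flag */
        uint8_t optlen = pkt[off + 1];
        if (pktlen - off - 2 < optlen) return -1;   /* option runs past the packet */
        uint8_t expect;                             /* known options have fixed sizes */
        switch (type) {
        case L2CAP_CONF_MTU:
        case L2CAP_CONF_FLUSH_TO: expect = 2; break;
        default:                  expect = optlen;  /* unknown option: length still bounded */
        }
        if (optlen != expect) return -1;
        if (append_option(pb, type, optlen, pkt + off + 2) < 0) return -1;
        off += 2 + optlen;
        count++;
    }
    return count;
}

/* Constructed sample: MTU 501 followed by flush timeout 0xffff; both fit. */
int demo_well_formed(void)
{
    static const uint8_t req[] = { 0x01, 0x02, 0xf5, 0x01, 0x02, 0x02, 0xff, 0xff };
    pending_buf pb;
    return parse_conf_options(req, sizeof req, &pb);   /* 2 */
}

/* Constructed sample: 20 MTU options = 80 bytes, more than PENDING_MAX can hold. */
int demo_oversized(void)
{
    uint8_t req[4 * 20];
    for (size_t i = 0; i < sizeof req; i += 4) {
        req[i] = 0x01; req[i + 1] = 0x02; req[i + 2] = 0xf5; req[i + 3] = 0x01;
    }
    pending_buf pb;
    return parse_conf_options(req, sizeof req, &pb);   /* -1: rejected, not overflowed */
}
```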
Re: (Score:2)
The white paper [armis.com] is actually very detailed. But the specific vulnerabilities that they discovered are not the meat and bones of the message. The message is that the Bluetooth specification is so overly complicated, and the attack surface so large, that there are almost certainly many more vulnerabilities yet to be identified. I suspect that Bluetooth is akin to Adobe Flash or ActiveX -- something so inherently flawed that the easiest and best thing to do will be to discard it and start over with something
Re: (Score:2)
Yes, you are correct. But hey, "courage", right?
Re: (Score:2)
The iphone 7 shipped with iOS 10 which is not affected by this issue.
Just in time (Score:3, Funny)
for the new iPhone! How do those new earbuds sound? Are they making a "hacking" noise?
Re: (Score:1)
Except for all the peripherals out there that iOS users are likely to connect to the 'virtual headphone jack' of their sparkly new gadget.
I guess if it's a speaker or headphone that's not overpriced for sale in the Apple Store, it probably shouldn't be trusted.
Re: (Score:1)
From the link above, it does not impact iOS 10 or higher, so not an issue for updated iPhones. Or updated Macs.
Re: Just in time (Score:1)
It only impacts all the bluetooth peripherals and headphones you might connect to your new iPhone.
Re: (Score:2)
Unlike Android devices, iDevices still get updates 5 years later. And this should be fixed on up to date OSes (I believe).
Re: (Score:2)
You do get that this affects all bluetooth devices and not just phones, right?
Re: (Score:2)
I totally get it, although I'm sure my headphones aren't affected. (They are wired). But the context of the post I was responding to was about the timing being convenient vis-a-vis the new iPhone coming out. You know, so although what you said is true, it's immaterial.
That said, you can usually query the firmware via your desktop Bluetooth to find out the firmware version/do an OTA update.
Re: (Score:2)
That innocuous pair of headphones (their bluetooth headphones, not your wired ones) may well emulate a keyboard (or any other device) and execute any number of exploits once paired to a supposedly patched ph
Re: (Score:2)
Umm.... quite little. The protocols for non-BLE devices are pretty strict, and BLE is entirely dependent on the phone to pull information from the device.
That is a concern, but not significantly more than a generic malicious device. I'm not 100% sure about most OSes, but most I've seen require you to select a device both by name
Re: (Score:3)
It's not immaterial, but it's not as critical as a bug in the Bluetooth stack.
Right. Now, consider it in concert with a bug in the bluetooth stack that allows any once-trusted device already paired with your phone to suddenly become a rogue device.
The reality is, that's exactly what we've got here and, as you admit:
a rogue bluetooth device you pair with your phone can still PWN it.
Probably. I'm not sure, I haven't seen many attacks of that type.
If you'd not seen it at all you'd have said so, which tells me you've seen it at least once and are slyly owning to the possibility.
See the problem yet?
Let me spell it out for you: unlike your Heartbleed/FreeBSD statement, which requires the end user (likely a qualif
Re: Just in time (Score:2)
The difference here, from a typical USB device, however, is that your affected Bluetooth accessories may have their firmware "updated" without any physical interaction, whereas you would have to be duped into running a rogue firmware installer or plugging the device into a malicious machine to have your USB device
Re: (Score:1)
From a security standpoint, BT should be off on your devices except when you explicitly need to use them. There are far more reasons than just this vulnerability for that statement. In fact, ideally, you would turn off all radios on your phone when you're not needing it and for the tinfoil hat crowd, drop it into a heavy duty electrostatic bag.
That said, with respect to BT vs USB vulnerabilities that I'm aware of, both require action by the user to actually work (BT requires pairing, USB requires you to plug it in).
Re: (Score:2)
The long and t
When a patch or update is issued... (Score:5, Insightful)
You're device will be too old to update. You'll have to buy a new one. Neat trick, huh?
Re: (Score:3)
You're device
No, I'm human. Mostly.
Re: (Score:2)
No, I'm human. Mostly.
Yes, you are . . . Number Six . . .
Re: (Score:2)
Yes, you are . . . Number Six . . .
I am not a number, I am a free man!
Re: (Score:1)
More likely you are mostly bacteria that assumes a human form. Your intelligence comes from the super worms [wp.com] living in your digestive tract.
Though I'm not ungrateful for your reminder, most people can let the typos slide
Re: (Score:2)
Though I'm not ungrateful for your reminder, most people can let the typos slide
Writing "yoir" instead of "your" would be a typo.
Writing "you're" instead of "your" is not a typo; it's ignorance.
Re: (Score:1)
:-) Sure, anything you say. I'm not one to argue pedantry. I'll leave all that up to yoi
Re: (Score:2)
This is the reason I picked up a Blackberry Android device. If nothing else, Blackberry has been true to their word about keeping their phones secure. I ran the vulnerability checker and it claims that my Priv is properly patched (at least by the first week of September when the last monthly patches came).
Bluetooth now useless for many Android devices (Score:2, Informative)
I'd like to think these vulnerabilities will be fixed, but many Android devices don't get updates in a timely manner if at all. Must Bluetooth be permanently disabled on many of those devices?
Re: (Score:2)
Yeah that's what I'm worried about. I have a couple of LG devices (a V10 and an X-Pad) and it took them forever to get Android 7. I have yet to see any kind of security update for them, including the year leading up to the Android N upgrade.
Although the BlueBorne checker that I downloaded seems to indicate that if your device isn't discoverable, it can't be infected. I'm probably wrong on that, however.
Re: (Score:1)
Android is shit. Majority of Android devices older than 1-2 years can be pwned remotely over the air via either WiFi (shitty Broadcom drivers) or Bluetooth (shitty stack) over the air.
Good luck.
Re: (Score:1)
But it's highly likely they won't.
So... (Score:2)
Re: (Score:3)
So just turn off bluetooth forever and keep it off?
Gee, that old-fashioned audio jack ain't lookin' too bad right now . . .
I usually leave Bluetooth off anyway, because of the battery drain.
Re: (Score:2)
Having a device that actually gets timely updates is what's actually not lookin' too bad right now.
And as a point of reference.. this vulnerability was patched in iOS before Apple released the first phone without a standard headphone jack.
Though even if that *weren't* the case.. one can still plug in normal headphones..
Re: (Score:2)
What data might infected headphones, or an infected speaker, or an older iPad that can't run iOS 10, or whatever else have you, be able to exfiltrate from your non-vulnerable iPhone, Windows phone, Mac, or PC? Or, really, from anything else it connects to (including patched Android devices)?
I
Re: (Score:1)
Or, continue to use your device, but not for critical things like financial transactions.
I don't care if they steal my contacts list. Are they going to steal my precious cookies and post pro-Apple spam under my name on Slashdot? (That I would worry about)
Eh? (Score:2)
So does almost everybody in the world own a BT device?
Re: (Score:2)
Either that, or many people own multiple. There are four sitting on my desk here at work (although two belong to my employer).
Re: (Score:1)
On average, I suppose, but just off the top of my head I own more than a dozen.
Re: (Score:2)
So does almost everybody in the world own a BT device?
In Putinist Amerika . . . Bluetooth owns you!
Re: Eh? (Score:1)
Then you also probably have an Amazon Fire TV with an active bluetooth transceiver. What sort of OS is it running?
Re: (Score:2)
I have many:
My phone
My watch
My headphones
My laptop
My PC
My 2 TV's
My speaker dock
My car stereo
My wife has many:
Her phone
Her headphones
Her iPod
Her laptop
Her tablet
Her car stereo
My son has a laptop with bluetooth
That's 16 devices in my house of 4 off the top of my head
Doesn't include all the old phones not actively used.
I've also got a bunch of other devices with bluetooth hardware but no software stack: Raspberry Pi 3, Asus Tinkerboard, Pine64... quite a few of those dev boards have Bluetooth.
Re: (Score:2)
Don't forget the game consoles, often in use well past their EoS date.
Re: (Score:2)
> So does almost everybody in the world own a BT device?
Owning a single bluetooth device means you aren't a BT user. Everyone who wants to use BT needs TWO of them, bare minimum, to get any utility from it. So you have "every single phone" accounting for whatever small percent of people own a SINGLE device, and then you have it placed on a variety of other things- mice, keyboards, headphones, peripherals- to actually interface with their computer/phone/console/car.
Re: (Score:2)
Lemme see, every mobile phone I've bought in this millennium has had BT support
Some of the land-line phones/handsets I bought a decade ago have BT support
I probably have 4-5 BT headsets somewhere (mono, stereo, headset-adapters)
My Bragi Dash have 2 BT implementations (one for music/phone, one for health-monitoring)
My PS3, along with its regular and Move controllers, use BT
The PS4 might too, not sure.
The Nintendo Wii's wiimotes are supposedly BT
Got an Ethernet-PAN gateway somewhere
A couple of keyboards using
great movie sequel title (Score:2)
Re: great movie sequel title (Score:1)
Vulnerabilities in /bin/sh?
My NetBSD box may be vulnerable.
Terrific! (Score:2, Interesting)
I didn't really want to use my keyboard and mouse with my laptop when sitting at my desk anyway. I'll just go ahead and turn off bluetooth for all my devices. My Apple Pen and iPad should probably be locked down too. HELPFUL!
Re: (Score:1)
What about my car? It has several functions tied to BT
One hack that might be useful is to pull up to the morons with their car stereos blasting away in a traffic jam and mute them! Apart from that, and perhaps screwing up their hands-free phone while they yap away while driving, essentially nothing. Fun though if you could pull up and make their stereo play Le Sacre Du Printemps at full volume. The core functions of the auto if somehow connected to the entertainment/infotainment devices that can be accessed over the air waves would be a stupid de
Re: (Score:1)
make their stereo play Le Sacre Du Printemps at full volume.
No. Better. Find the resonant frequency of their automobile's chassis and literally shake it apart with subsonics.
My lettuce is wilting! (Score:2)
I am shocked, shocked I tell you (Score:2, Funny)
And there is no truth to the ability of the new iPhone X to use your face to allow the feds to unlock your phone and turn on bluetooth without telling you.
Really.
Trust us.
We would never do that.
By the way, you really need to get that mole looked at.
Re: (Score:2)
Ah, but you see I write my password backwards on my forehead. I'm the only one that can read it, using a mirror.
Re: (Score:2)
If Apple wants to allow your iPhone to be surreptitiously unlocked by the feds, they have approximately 875 ways to accomplish that, which would be less work and less noticeable than by introducing a vulnerability in their face-recognition software.
(OTOH it's not clear how facial recognition would prevent someone who has physical access to your phone from pointing the phone at your face and saying "hey, look at this")
Re: (Score:1)
iOS 11 allows you to lock out Touch ID and Face ID using the wake/sleep physical switch on the phone. So easy you can do it without taking the phone out of your pocket.
Re: (Score:1)
iOS 10 (released in September 2016) fixed the Bluetooth vulnerability.
blueborn goes wild! (Score:3)
What and no exploit code released?
Bastards :-(
How convenient (Score:1)
Researchers say the vulnerabilities are undetectable and unstoppable by traditional security solutions.
The BlueBorne Android App on the Google Play Store will be able to determine if a user's Android device is vulnerable.
Sounds like scare tactics to promote an app to me. What data will it be slurping up?
Re: (Score:1)
What will it be infecting you with?
Re: (Score:2)
>"Sounds like scare tactics to promote an app to me. What data will it be slurping up?"
It required no permissions at all, interestingly.
Re: (Score:1)
What I am wondering is, since scary dudes in Corporation on the linked video have designed a whole logo for this thing, and named the 'collection of vulnerabilities' have they also trademarked said logo and name? The video looks pretty slick and corporate and has a url at the end that we're all supposed to navigate to.
Clarification (Score:2)
Regarding Apple, *OLD* versions of iOS have vulnerabilities. The 10.x series does not have the issues described.
https://www.armis.com/blueborn... [armis.com]
Also, OSX isn't vulnerable to the described exploits.
Re: (Score:2)
I have an old, jailbroken iPad still sitting on iOS 8.4 - but it doesn't leave the house, so I'm not too worried.
There seems to be a bit of fear-mongering here with regards to iOS. As of July, 87% of iOS devices were running iOS 10.x [statista.com]... and so not vulnerable to this.
And as you mentioned - OS X / macOS devices are not vulnerable.
Re: (Score:1)
According to how the propaganda^d^d^d informative video put it, any other bluetooth device can travel into proximity to your old iPad and infect it. Your friend's phone, the UPS delivery guy's phone. Your sister's bluetooth vibrator...
Mainstream linux has it patched already (Score:5, Informative)
Re: (Score:1, Insightful)
Microsoft weren't the quick ones. From here [armis.com]:
Microsoft – Contacted on April 19, 2017 after which details were shared. Updates were made on July 11. Public disclosure on September 12, 2017 as part of coordinated disclosure.
...
Linux – Contacted August 15 and 17, 2017. On September 5, 2017, we connected and provided the necessary information to the Linux kernel security team and to the Linux distributions security contact list and conversations followed from there. Targeting updates for on or about September 12, 2017 for coordinated disclosure.
What are you talking about? Microsoft was quick; it only took them 5 and a half months this time around, which for Microsoft is the speed of light when it comes to patching a serious hole. This is why the hole was not disclosed earlier to the Linux crowd: the bluez patch would have happened by late April, giving time for the hackers to figure out how to hack the Windows bluetooth stack, which the Linux pirates copied profusely to enable bluetooth devices on linux.
Re: (Score:1)
Is all information about this centered at this Armis Corporation? Seems they have a pretty big stake in any hysteria that can be spun up.
I looked at their website, but they won't tell me much about them without me telling NoScript that they are 'the good guys.'
Does one really need the BlueBorne app? (Score:2)
Could be wrong as I don't know what the BlueBorne app does. But reading the PDF it could be as easy as checking your "About Phone (device)" and seeing if your WiFi MAC address is one digit off of your Bluetooth MAC address. I show as vulnerable and my MAC addresses end with one a digit higher than the other.
So one should be able to view the MAC addresses and, if sequential, be vulnerable.
Re: (Score:3)
Looks like the vulnerabilities that impact Android are in the BlueZ bluetooth stack.
Nothing to do with the MAC address of your Bluetooth/Wifi, or if Bluetooth and WiFi are contained in the same piece of hardware (I doubt any phone has a separate Bluetooth chip anyway, it would require a separate bluetooth antenna, cost more and take up more space)
Re:Does one really need the BlueBorne app? (Score:5, Informative)
Looks like the vulnerabilities that impact Android are in the BlueZ bluetooth stack.
Nothing to do with the MAC address of your Bluetooth/Wifi, or if Bluetooth and WiFi are contained in the same piece of hardware (I doubt any phone has a separate Bluetooth chip anyway, it would require a separate bluetooth antenna, cost more and take up more space)
From the PDF summary:
"If the device generates no Bluetooth traffic, and is only listening, it is still possible to “guess” the BDADDR, by sniffing its WiFi traffic. This is viable since WiFi MAC addresses appear unencrypted over the air and due to the widely accepted norm of OEMs and hardware manufacturers that the MACs of internal Bluetooth/WiFi adapters are either the same, or only differ in the last digit (one being +1 of the other)."
Re: (Score:2)
Having the BDADDR enhances the attacks, by making it easier to connect to targets. The vulnerabilities are still needed, so the app should be checking SW builds/versions. One would hope the app is as sophisticated as the work gone into this discovery/release.
Security fixes for android? (Score:2)
I'm still waiting for the Broadcom wifi fix. At this rate it'll be 2100 before this BT bug will be patched.
Re: (Score:2)
+1 in the "Me, too" sense.
I have a prediction (Score:3)
Lenovo won't release a security update for the Moto X 2014
It's still on August 2016 patch level, 13 months old now...
Already patched in iOS (Score:2)
In the article: "Who is affected.... All iPhone, iPad and iPod touch devices with iOS 9.3.5 and lower"
The latest version of iOS is 10.3.3. So it has long been patched in the current major version.
Sensationalist headline on /., why am I not surprised?
Re: (Score:2)
Many iOS devices are not capable of being upgraded to iOS 10. This is the case for my old iPad 2 which is on iOS 9.3.5 and can't be patched.
iOS 10 and higher not exploitable (Score:1)
Re: (Score:1)
The iGadget is fine. Fort Knox secure. Not necessarily so for anything else that you connect to with your iGadget, though.
So don't be worried. Not at all. If your Bluetooth keyboard is compromised by some (any?) other random device that comes in range, you won't later use said keyboard to send any key critical information to your iPad. Right?
MacOSX (Score:2)
Holy shit (Score:2)
"Researchers say the vulnerabilities are undetectable and unstoppable by traditional security solutions. No user interaction is needed for an attacker to use the BlueBorne flaws, nor does the attacker need to pair with a target device. They affect the Bluetooth implementations in Android, iOS, Microsoft, and Linux, impacting almost all Bluetooth device types, from smartphones to laptops, and from IoT devices to smart cars."
Jesus fuckin' christ, could this get any worse? Yes, of course it can:
"...the vulnera
I can see a legit use for it (Score:3)
I can see a legitimate use for this vulnerability: disable mobiles of drivers who insist on texting while driving. With a little sophistication, it can be done automatically, with your own phone safely in your pocket.
Just Who Is "Armis, Inc." (Score:1)
Everything seems to reference back to them.
Is this an infomercial for this outfit, who are showcasing the 'vulnerability' that they detected? Looking around on their webpage (with Noscript on, so there is probably 'stuff' they can't run in my browser that they want to run) it looks like they don't have a lot of customers. Is this their niche marketing angle?
Do they have the term they coined for this 'collection of vulnerabilities', 'BlueBorne', as a trademark? Is that scary logo they flash around in thei
A fully patched Samsung Galaxy S8+ is vulnerable (Score:2)
This is a flagship phone... Wonder how long it takes Samsung to patch.
No ASLR in Linux devices? (Score:1)
Re: (Score:1)
iOS 10 was initially released in September of 2016, so Apple devices have been safe for almost a year. macOS was not vulnerable.
Re: (Score:1)
What about the thousands of different Bluetooth headphones that people might be using to connect to their iPhone?
Will Apple come out with a sticker 'Apple Approved Safe Bluetooth Device' and inform their customers that it's time to landfill all their old stuff and come flash plastic at the Apple Store?
Re: (Score:1)
That's a worthy question.
You didn't provide an answer.