
BlueBorne Vulnerabilities Impact Over 5 Billion Bluetooth-Enabled Devices (bleepingcomputer.com) 121

An anonymous reader quotes a report from Bleeping Computer: Security researchers have discovered eight vulnerabilities -- collectively codenamed BlueBorne -- in the Bluetooth implementations used by over 5.3 billion devices. Researchers say the vulnerabilities are undetectable and unstoppable by traditional security solutions. No user interaction is needed for an attacker to use the BlueBorne flaws, nor does the attacker need to pair with a target device. They affect the Bluetooth implementations in Android, iOS, Microsoft, and Linux, impacting almost all Bluetooth device types, from smartphones to laptops, and from IoT devices to smart cars. Furthermore, the vulnerabilities can be concocted into a self-spreading Bluetooth worm that could wreak havoc inside a company's network or even across the world. "These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date," an Armis spokesperson told Bleeping Computer via email. "Previously identified flaws found in Bluetooth were primarily at the protocol level," he added. "These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device." Consumers are advised to disable Bluetooth unless they need to use it, and then to turn it off again immediately afterwards. When a patch or update is issued and installed on your device, you should be able to turn Bluetooth back on and leave it on safely. The BlueBorne Android App on the Google Play Store will be able to determine if a user's Android device is vulnerable. A technical report on the BlueBorne flaws is available here (PDF).

  • by Anonymous Coward on Tuesday September 12, 2017 @05:27PM (#55184101)

    Am I right?

    • by Anonymous Coward

      Sure, but you're a pussy. I'm courageous for using BT.

    • Am I right?

      While I have a cable to connect the two, Bluetooth connected headphones are just much nicer/easier. And BlueBorne found my Moto G4 vulnerable.

      • by johnjones ( 14274 ) on Wednesday September 13, 2017 @01:30AM (#55186129) Homepage Journal

        so yes, it's basically like wifi; cables are reliable

        there is a buffer overflow in some versions of windows/linux/iOS

        this has been patched in recent versions of all the OSes
        it's not a replicating worm per se unless you count all the people who have downloaded an "app" to check if they are vulnerable...

        the videos and documentation on their website give absolutely no details and are completely pointless, this is what happens when you let a media company deal with a buffer overflow

        Actual information :

        Background Information
        The Logical Link Control and Adaptation Layer Protocol (L2CAP) works at the data link layer in the Bluetooth stack. It provides services such as connection multiplexing, segmentation and reassembly of packets for upper layer protocols such as Bluetooth. It facilitates higher level protocols to transmit and receive L2CAP data packets to and from clients.

        A stack buffer overflow issue was found in various systems' Bluetooth subsystems when processing the pending configuration packets received from a client. As a result, a client could send arbitrary L2CAP configuration parameters which were stored in a stack buffer object. These parameters could exceed the buffer length, overwriting the adjacent kernel stack contents. This exchange occurs, prior to any authentication, when establishing a Bluetooth connection. An unauthenticated user who is able to connect to a system via Bluetooth could use this flaw to crash the system or potentially execute arbitrary code on the system if not secured correctly. If the Linux kernel stack protection feature (CONFIG_CC_STACKPROTECTOR=y) is on then you're not going to be vulnerable.

        Not impressed with the press release at all I'm afraid

        It does show which vendors of equipment pay attention, develop patches and deserve respect

        Regards

        John Jones
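
The L2CAP configuration exchange described in the comment above, as an added example that is not code from the page, from Armis or from any real Bluetooth stack: a bounds-checked parser for the option TLVs (1-byte type, 1-byte length, then the data) in a Configuration Request, which rejects an option whose peer-supplied length exceeds either the packet or the fixed staging buffer before anything is copied. The 8-byte staging buffer, the demo function names and the sample packets are constructed for illustration.

```c
/* Added example, not code from the page or from any real Bluetooth stack:
 * bounds-checked parsing of the option TLVs (1-byte type, 1-byte length,
 * then `length` data bytes) carried by an L2CAP Configuration Request. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define L2CAP_OPT_MAX_DATA 8  /* constructed stand-in for the fixed stack buffer */

/* TRUNCATED: header/data run past the packet; TOO_LONG: data would not fit
 * the staging buffer; TOO_MANY: more options than the caller has room for. */
enum parse_result { PARSE_OK = 0, PARSE_TRUNCATED, PARSE_TOO_LONG, PARSE_TOO_MANY };

struct l2cap_opt { uint8_t type, len; uint8_t data[L2CAP_OPT_MAX_DATA]; };

/* Walk the option list in buf[0..buflen), storing up to max_out options in
 * out[] and the number found in *count.  A peer-supplied length is checked
 * against both the packet and the staging buffer before any memcpy. */
enum parse_result l2cap_parse_conf_opts(const uint8_t *buf, size_t buflen,
                                        struct l2cap_opt *out, size_t max_out,
                                        size_t *count)
{
    size_t off = 0, n = 0;
    while (off < buflen) {
        if (buflen - off < 2)
            return PARSE_TRUNCATED;        /* no room for type + length */
        uint8_t type = buf[off], len = buf[off + 1];
        if (len > buflen - off - 2)
            return PARSE_TRUNCATED;        /* data extends past the packet */
        if (len > L2CAP_OPT_MAX_DATA)
            return PARSE_TOO_LONG;         /* the check the overflow lacked */
        if (n >= max_out)
            return PARSE_TOO_MANY;
        out[n].type = type;
        out[n].len = len;
        memcpy(out[n].data, buf + off + 2, len);
        n++;
        off += 2 + (size_t)len;
    }
    *count = n;
    return PARSE_OK;
}

/* Constructed valid request: MTU (type 0x01, 2 bytes, 0x02A0 = 672 LE)
 * followed by Flush Timeout (type 0x02, 2 bytes, 0xFFFF). */
static const uint8_t k_valid_opts[] = {0x01, 0x02, 0xA0, 0x02, 0x02, 0x02, 0xFF, 0xFF};

/* Returns the MTU carried by the valid sample, or 0 on any parse failure. */
uint16_t demo_valid_request(void)
{
    struct l2cap_opt opts[4]; size_t n = 0;
    if (l2cap_parse_conf_opts(k_valid_opts, sizeof k_valid_opts, opts, 4, &n) != PARSE_OK
        || n != 2 || opts[0].type != 0x01 || opts[0].len != 2)
        return 0;
    return (uint16_t)(opts[0].data[0] | (opts[0].data[1] << 8));
}

/* Constructed hostile option: the header claims 64 data bytes (all present in
 * the packet) for an 8-byte buffer.  An unchecked copy would write 56 bytes
 * past the buffer; here the option is rejected before any copy happens. */
enum parse_result demo_oversized_option(void)
{
    uint8_t pkt[2 + 0x40];
    struct l2cap_opt opts[4]; size_t n = 0;
    memset(pkt, 0x41, sizeof pkt);
    pkt[0] = 0x03;   /* QoS option type */
    pkt[1] = 0x40;   /* claims 64 bytes of option data */
    return l2cap_parse_conf_opts(pkt, sizeof pkt, opts, 4, &n);
}

int main(void)
{
    printf("mtu=%u oversized=%d (PARSE_TOO_LONG=%d)\n", demo_valid_request(),
           demo_oversized_option(), PARSE_TOO_LONG);
    return 0;
}
```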

        • Still a pretty nasty vulnerability, and not super usual to have one that spans across OSs like this. Leaving this sort of interface open to buffer overflows all the way down at the link-layer is a rookie mistake, and rather alarming to find that it's not implemented with a bit more oversight. Decent static analysis can usually detect these sort of errors.
        • The white paper [armis.com] is actually very detailed. But the specific vulnerabilities that they discovered are not the meat and bones of the message. The message is that the Bluetooth specification is so overly complicated, and the attack surface so large, that there are almost certainly many more vulnerabilities yet to be identified. I suspect that Bluetooth is akin to Adobe Flash or ActiveX -- something so inherently flawed that the easiest and best thing to do will be to discard it and start over with something

    • Yes, you are correct. But hey, "courage", right?

  • by Anonymous Coward on Tuesday September 12, 2017 @05:28PM (#55184105)

    for the new iPhone! How do those new earbuds sound? Are they making a "hacking" noise?

    • by Anonymous Coward

      From the link above, it does not impact iOS 10 or higher, so not an issue for updated iPhones. Or updated Macs.

    • Unlike Android devices, iDevices still get updates 5 years later. And this should be fixed on up to date OSes (I believe).

      • How do you check the firmware version on your headphones?

        You do get that this affects all bluetooth devices and not just phones, right?
        • I totally get it, although I'm sure my headphones aren't affected. (They are wired). But the context of the post I was responding to was about the timing being convenient vis-a-vis the new iPhone coming out. You know, so although what you said is true, it's immaterial.

          That said, you can usually query the firmware via your desktop Bluetooth to find out the firmware version/do an OTA update.

          • Okay, and everyone who uses bluetooth accessories (like headphones) with their "safe" iOS devices? What access might those accessories have once paired to the phone? You might want to look into that, and I'm not so sure I'd call it immaterial given that supposedly patched devices can still be affected.

            That innocuous pair of headphones (their bluetooth headphones, not your wired ones) may well emulate a keyboard (or any other device) and execute any number of exploits once paired to a supposedly patched ph
            • What access might those accessories have once paired to the phone?

              Umm.... quite little. The protocols for non-BLE devices are pretty strict, and BLE is entirely dependent on the phone to pull information from the device.

              That innocuous pair of headphones (their bluetooth headphones, not your wired ones) may well emulate a keyboard

              That is a concern, but not significantly more than a generic malicious device. I'm not 100% sure about most OSes, but most I've seen require you to select a device both by name

              • It's not immaterial, but it's not as critical as a bug in the Bluetooth stack.

                Right. Now, consider it in concert with a bug in the bluetooth stack that allows any once-trusted device already paired with your phone to suddenly become a rogue device.

                The reality is, that's exactly what we've got here and, as you admit:

                a rogue bluetooth device you pair with your phone can still PWN it.

                Probably. I'm not sure, I haven't seen many attacks of that type.

                If you'd not seen it at all you'd have said so, which tells me you've seen it at least once and are slyly owning to the possibility.

                See the problem yet?

                Let me spell it out for you: unlike your Heartbleed/FreeBSD statement, which requires the end user (likely a qualif

                • by Gr8Apes ( 679165 )
                  The reality is, it's the same base issue as with the USB bus or any insufficiently protected external protocol.
                  • Bingo. So many people, even here where the same story about such literally un-patchable vulnerabilities has been posted more than a handful of times, choose to remain ignorant of reality, though.

                    The difference here, from a typical USB device, however, is that your affected Bluetooth accessories may have their firmware "updated" without any physical interaction, whereas you would have to be duped into running a rogue firmware installer or plugging the device into a malicious machine to have your USB device
                    • by Gr8Apes ( 679165 )

                      From a security standpoint, BT should be off on your devices except when you explicitly need to use them. There's far more reasons than just this vulnerability for that statement. In fact, ideally, you would turn off all radios on your phone when you're not needing it and for the tinfoil hat crowd, drop it into a heavy duty electrostatic bag.

                      That said, wrt to BT vs USB vulnerabilities that I'm aware of, both require action by the user to actually work (BT requires pairing, USB requires you to plug it in)

                    • Ugh... I had typed out an in-depth response to this, hit preview, then closed the window. I'll try to recreate as much of that as possible, but I reserve the right to post updates and corrections. I'll also skip the bits about how disappointed I am in you having missed the glaring obviousness of the vulnerability here (especially as it's discussed in TFS) as I don't think that really needed two paragraphs, even if I have come to expect better from you, and get right to the meat and potatoes.

                      The long and t
                    • by Gr8Apes ( 679165 )
                      I hear you, however, my point was don't have BT on unless you need it. In my case, that's very very very seldom with anything except my HTPC. I admit I skimmed TFS and didn't believe the severity that was stated. I was under the impression that computers and laptops were "ok" but devices attached to them weren't. That's probably some misinformation from some responses I also read across the couple of days, so what I read probably got shoved aside by other concerns, as I'm not a big BT user (ie, I didn't pay
  • by fustakrakich ( 1673220 ) on Tuesday September 12, 2017 @05:30PM (#55184119) Journal

    You're device will be too old to update. You'll have to buy a new one. Neat trick, huh?

    • by arth1 ( 260657 )

      You're device

      No, I'm human. Mostly.

    • TFA linked in summary had a lot of scary hype and little info. The vulnerability was found earlier this year [zdnet.com] and affected companies were notified in April. So they've had several months to work on fixes. The vulnerability was made public recently after giving these companies time to prepare patches.
      • Microsoft patched it in Windows back in July (Windows Phone was not affected, if you're one of the handful of people still using it).
      • Apple has fixed it in iOS version 10, but is not patching older version o
    • Good luck trying to get this patched on your Android device and what about all the devices we connect to
    • This is the reason I picked up a Blackberry Android device. If nothing else, Blackberry has been true to their word about keeping their phones secure. I ran the vulnerability checker and it claims that my Priv is properly patched (at least by the first week of September when the last monthly patches came).

  • by Anonymous Coward

    I'd like to think these vulnerabilities will be fixed, but many Android devices don't get updates in a timely manner if at all. Must Bluetooth be permanently disabled on many of those devices?

    • Yeah that's what I'm worried about. I have a couple of LG devices (a V10 and an X-Pad) and it took them forever to get Android 7. I have yet to see any kind of security update for them, including the year leading up to the Android N upgrade.

      Although the BlueBorne checker that I downloaded seems to indicate that if your device isn't discoverable, that it can't be infected. I'm probably wrong on that, however.

    • by Anonymous Coward

      Android is shit. Majority of Android devices older than 1-2 years can be pwned remotely over the air via either WiFi (shitty Broadcom drivers) or Bluetooth (shitty stack) over the air.

      Good luck.

  • So just turn off bluetooth forever and keep it off? I've got a wireless mouse but that's all I use bluetooth for. I suppose the most vulnerable devices would be phones in close proximity, a densely populated city or something.
    • So just turn off bluetooth forever and keep it off? .

      Gee, that old-fashioned audio jack ain't lookin' too bad right now . . .

      I usually leave Bluetooth off anyway, because of the battery drain.

      • by berj ( 754323 )

        Having a device that actually gets timely updates is what's actually not lookin' too bad right now.

        And as a point of reference.. this vulnerability was patched in iOS before Apple released the first phone without a standard headphone jack.

        Though even if that *weren't* the case.. one can still plug in normal headphones..

        • Ah, yes, but the headphones themselves will still be vulnerable... then you'll pair them to your phone and... well? What security actually is there at that point? I'm not saying there isn't any, I'm asking.

          What data might infected headphones, or an infected speaker, or an older iPad that can't run iOS 10, or whatever else have you, be able to exfiltrate from your non-vulnerable iPhone, Windows phone, Mac, or PC? Or, really, from anything else it connects to (including patched Android devices)?

          I
  • So does almost everybody in the world own a BT device?

    • Either that, or many people own multiple. There are four sitting on my desk here at work (although two belong to my employer).

    • So does almost everybody in the world own a BT device?

      On average, I suppose, but just off the top of my head I own more than a dozen.

    • So does almost everybody in the world own a BT device?

      In Putinist Amerika . . . Bluetooth owns you!

    • I own a phone that has Bluetooth available, but I never turn Bluetooth on because I have no use for it. Besides, it drains the battery faster. I also keep GPS and wifi turned off because I don't use them.

      I have a Bluetooth remote for my Amazon FireTV, but I fail to see how it could get infected if it never leaves the house.
    • I have many:
      My phone
      My watch
      My headphones
      My laptop
      My PC
      My 2 TV's
      My speaker dock
      My car stereo

      My wife has many:
      Her phone
      Her headphones
      Her iPod
      Her laptop
      Her tablet
      Her car stereo

      My son has a laptop with bluetooth

      That's 16 devices in my house of 4 off the top of my head
      Doesn't include all the old phones not actively used.
      I've also got a bunch of other devices with bluetooth hardware but no software stack: Raspberry Pi 3, Asus Tinkerboard, Pine64... quite a few of those dev boards have Bluetooth.

    • by cfalcon ( 779563 )

      > So does almost everybody in the world own a BT device?

      Owning a single bluetooth device means you aren't a BT user. Everyone who wants to use BT needs TWO of them, bare minimum, to get any utility from it. So you have "every single phone" accounting for whatever small percent of people own a SINGLE device, and then you have it placed on a variety of other things- mice, keyboards, headphones, peripherals- to actually interface with their computer/phone/console/car.

    • by GNious ( 953874 )

      Lemme see, every mobile phone I've bought in this millennium has had BT support
      Some of the land-line phones/handsets I bought a decade ago have BT support
      I probably have 4-5 BT headsets somewhere (mono, stereo, headset-adapters)
      My Bragi Dash have 2 BT implementations (one for music/phone, one for health-monitoring)
      My PS3, along with its regular and Move controllers, use BT
      The PS4 might too, not sure.
      The Nintendo Wii's wiimotes are supposedly BT
      Got an Ethernet-PAN gateway somewhere
      A couple of keyboards using

  • the Bo(u)rne Vulnerabilities. well, not that great
  • Terrific! (Score:2, Interesting)

    by Anonymous Coward

    I didn't really want to use my keyboard and mouse with my laptop when sitting at my desk anyway. I'll just go ahead and turn off bluetooth for all my devices. My Apple Pen and iPad should probably be locked down too. HELPFUL!

  • Good luck getting an update for your Bluetooth enabled refrigerator.
  • And there is no truth to the ability of the new iPhone X to use your face to allow the feds to unlock your phone and turn on bluetooth without telling you.

    Really.

    Trust us.

    We would never do that.

    By the way, you really need to get that mole looked at.

    • by Jeremi ( 14640 )

      If Apple wants to allow your iPhone to be surreptitiously unlocked by the feds, they have approximately 875 ways to accomplish that, which would be less work and less noticeable than introducing a vulnerability in their face-recognition software.

      (OTOH it's not clear how facial recognition would prevent someone who has physical access to your phone from pointing the phone at your face and saying "hey, look at this")

      • iOS 11 allows you to lock out Touch ID and Face ID using the wake/sleep physical switch on the phone. So easy you can do it without taking the phone out of your pocket.

    • iOS 10 (released in September 2016) fixed the Bluetooth vulnerability.

  • by jriding ( 1076733 ) on Tuesday September 12, 2017 @05:50PM (#55184287)

    What and no exploit code released?

    Bastards :-(

  • Researchers say the vulnerabilities are undetectable and unstoppable by traditional security solutions.

    The BlueBorne Android App on the Google Play Store will be able to determine if a user's Android device is vulnerable.

    Sounds like scare tactics to promote an app to me. What data will it be slurping up?

    • What will it be infecting you with?

    • >"Sounds like scare tactics to promote an app to me. What data will it be slurping up?"

      It required no permissions at all, interestingly.

    • What I am wondering is, since scary dudes in Corporation on the linked video have designed a whole logo for this thing, and named the 'collection of vulnerabilities' have they also trademarked said logo and name? The video looks pretty slick and corporate and has a url at the end that we're all supposed to navigate to.

  • Regarding Apple, *OLD* version of iOS have vulnerabilities. The 10.x series does not have the issues described.

    https://www.armis.com/blueborn... [armis.com]

    Also, OSX isn't vulnerable to the described exploits.

    • I have an old, jailbroken iPad still sitting on iOS 8.4 - but it doesn't leave the house, so I'm not too worried.

      There seems to be a bit of fear-mongering here with regards to iOS. As of July, 87% of iOS devices were running iOS 10.x [statista.com]... and so not vulnerable to this.

      And as you mentioned - OS X / macOS devices are not vulnerable.

      • According to how the propaganda^d^d^d informative video put it, any other bluetooth device can travel into proximity to your old iPad and infect it. Your friend's phone, the UPS delivery guy's phone. Your sister's bluetooth vibrator...

  • by deviated_prevert ( 1146403 ) on Tuesday September 12, 2017 @06:03PM (#55184403) Journal
    Redhat [redhat.com] had it covered first. Debian now has it patched. I would imagine that MS Server, Win7 and Win10 might not be too far behind considering that the real danger of this exploit is access to corporate networks that use bluetooth devices. Fortunately most thin clients do not have bluetooth built in, otherwise this could become another update nightmare for MS admins. Either way I don't think this will affect the Microsoft server users too much. What I do foresee is a rapid removal of bluetooth mice and a server side disabling of the usb bluetooth stack happening in major businesses until Microsoft patches the windows bluetooth stack.
    • Sure enough it is serious enough and there is a Windows server patch available [microsoft.com] as of today. Kudos to Microsoft for getting it out quickly, now if it is applied effectively without updating the language packs by mistake it might make using bluetooth devices on your systems safe again. I doubt that the black hats have figured out how to exploit this hole remotely as of yet. But it would really be a PITA if the exploit could somehow be used over the web to compromise servers.
  • Could be wrong as I don't know what the BlueBorne app does. But reading the PDF it could be as easy as checking your "About Phone (device)" and seeing if your WiFi MAC address is one digit off from your Bluetooth MAC address. I show as vulnerable, and my MAC addresses end with one digit higher than the other.

    So one should be able to view MAC addresses and if sequential, vulnerable

    • Looks like the vulnerabilities that impact Android are in the BlueZ bluetooth stack.
      Nothing to do with the MAC address of your Bluetooth/Wifi, or if Bluetooth and WiFi are contained in the same piece of hardware (I doubt any phone has a separate Bluetooth chip anyway, it would require a separate bluetooth antenna, cost more and take up more space)

      • by Trax3001BBS ( 2368736 ) on Tuesday September 12, 2017 @07:22PM (#55184885) Homepage Journal

        Looks like the vulnerabilities that impact Android are in the BlueZ bluetooth stack.
        Nothing to do with the MAC address of your Bluetooth/Wifi, or if Bluetooth and WiFi are contained in the same piece of hardware (I doubt any phone has a separate Bluetooth chip anyway, it would require a separate bluetooth antenna, cost more and take up more space)

        From the PDF in the summary:
        "If the device generates no Bluetooth traffic, and is only listening, it is still possible to “guess” the
        BDADDR, by sniffing its WiFi traffic. This is viable since WiFi MAC addresses appear unencrypted
        over the air and due to the widely accepted norm of OEMs and hardware manufacturers that the
        MACs of internal Bluetooth/WiFi adapters are either the same, or only differ in the last digit (one
        being +1 of the other"

        • by Macfox ( 50100 )

          Having the BDADDR enhances the attacks, by making it easier to connect to targets. The vulnerabilities are still needed, so the app should be checking SW builds/versions. One would hope the app is as sophisticated as the work gone into this discovery/release.

  • I'm still waiting for the Broadcom wifi fix. At this rate it'll be 2100 before this BT bug will be patched.

  • by viperidaenz ( 2515578 ) on Tuesday September 12, 2017 @07:12PM (#55184849)

    Lenovo won't release a security update for the Moto X 2014
    It's still on August 2016 patch level, 13 months old now...

  • In the article: "Who is affected.... All iPhone, iPad and iPod touch devices with iOS 9.3.5 and lower"

    The latest version of iOS is 10.3.3. So it has long been patched in the current major version.

    Sensationalist headline on /., why am I not surprised?

    • by madbrain ( 11432 )

      Many iOS devices are not capable of being upgraded to iOS 10 . This is the case for my old iPad 2 which is on iOS 9.3.5 and can't be patched.

  • If you actually read the paper: Impact Due to the fact this vulnerability was mitigated in iOS version 10, a full exploit was not developed by us. Despite this, this vulnerability still poses a great risk to any iOS device prior to version 10, as it does not require any user interaction or configuration of any sort on the targeted device, and can be leveraged by an attacker to gain r
    • The iGadget is fine. Fort Knox secure. Not necessarily so for anything else that you connect to with your iGadget, though.

      So don't be worried. Not at all. If your Bluetooth keyboard is compromised by some (any?) other random device that comes in range, you won't later use said keyboard to send any key critical information to your iPad. Right?

  • MacOSX is oddly absent from the paper. If it had no flaws, it would have been worth a mention, so what? Not interesting to test?
  • "Researchers say the vulnerabilities are undetectable and unstoppable by traditional security solutions. No user interaction is needed for an attacker to use the BleuBorne flaws, nor does the attacker need to pair with a target device. They affect the Bluetooth implementations in Android, iOS, Microsoft, and Linux, impacting almost all Bluetooth device types, from smartphones to laptops, and from IoT devices to smart cars."

    Jesus fuckin' christ, could this get any worse? Yes, of course it can:

    "...the vulnera

  • by menkhaura ( 103150 ) <espinafre@gmail.com> on Tuesday September 12, 2017 @10:41PM (#55185689) Homepage Journal

    I can see a legitimate use for this vulnerability: disable mobiles of drivers who insist on texting while driving. With a little sophistication, it can be done automatically, with your own phone safely in your pocket.

  • Everything seems to reference back to them.

    Is this an informercial for this outfit, who are showcasing the 'vulnerability' that they detected. Looking around on their webpage (with Noscript on, so there is probably 'stuff' they can't run in my browser that they want to run) it looks like they don't have a lot of customers. Is this their niche marketing angle?

    Do they have the term they coined for this 'collection of vulnerabilities', 'BlueBorne' as a trademark. Is that scary logo they flash around in thei

  • This is a flagship phone... Wonder how long it takes Samsung to patch.

  • The Ars article [arstechnica.com] about BlueBorne cites someone from Armis claiming that "the majority of Linux devices on the market today don't use address space layout randomization," explaining that ASLR would mitigate the impact of the defect. Is that true about most Linux devices and ASLR? What kind of devices are they talking about? (It notes that Android is not in that category. I would think Android made up the majority of Linux devices, but I guess not.)
