Domain: armis.com
Stories and comments across the archive that link to armis.com.
Comments · 8
-
Re:Huawei U8150
-
Two good reasons
Reason 1:
https://www.krackattacks.com/Reason 2:
https://www.armis.com/blueborn...Those are two fairly major vulnerabilities that worked at a wireless level. Some vendors got it fixed fairly quickly, a lot did not (especially Android vendors). I love my Android phone feature-wise, but the platform is completely fuckadoo in terms of updates, and various models often have lingering security issues or even ones that get completely abandoned/unpatched, making them not just a risk to the owner but possibly nearby devices or infrastructure.
Realistically Android needs better central control, and much as I'm loath to give Google more control, I believe they should take more ownership of the base OS and patching, allowing for core updates to come from *them* as part of the platform rather than waiting on the vendors to implement their fixes. Make it like more like a Linux OS where they own the kernel and core, and vendors can add their stuff as packages and/or submit any special drivers back to Google for inclusion/patching.
-
Re:This is why I refuse to update my iphone
One of the Bluetooth vulnerabilities cited as a motivation for turning BT off actually was fixed in every release subsequent to 9.3.5.
But, I mean, you do you -- if you really think having to go to Settings to power off the radio is so bad that you are willing to forego this (and many other) security fix(es), go for it. We won't feel bad if you get pwned by a long-since-patched bug though.
-
Re:the actual problem is : a buffer overflow...
The white paper is actually very detailed. But the specific vulnerabilities that they discovered are not the meat and bones of the message. The message is that the Bluetooth specification is so overly complicated, and the attack surface so large, that there are almost certainly many more vulnerabilities yet to be identified. I suspect that Bluetooth is akin to Adobe Flash or ActiveX -- something so inherently flawed that the easiest and best thing to do will be to discard it and start over with something better.
-
Re:Buy AppleCare+ for it
Not get remotely rooted by Blueborne? https://www.armis.com/blueborn...
-
Re:Mainstream linux has it patched already
Microsoft weren't the quick ones. From here:
Microsoft – Contacted on April 19, 2017 after which details were shared. Updates were made on July 11. Public disclosure on September 12, 2017 as part of coordinated disclosure.
...
Linux – Contacted August 15 and 17, 2017. On September 5, 2017, we connected and provided the necessary information to the the Linux kernel security team and to the Linux distributions security contact list and conversations followed from there. Targeting updates for on or about September 12, 2017 for coordinated disclosure.
What are you talking about Microsoft was quick, it only took them 5 and half months this time around which for Microsoft is at the speed of light when it comes to patching a serious hole. This is why the the hole was not disclosed earlier to the Linux crowd the bluez patch would have happened by late April giving time for the hackers to figure out how to hack the Windows bluetooth stack which the Linux pirates copied profusely to enable bluetooth devices on linux.
-
Re:Mainstream linux has it patched already
Sure enough it is serious enough and there is a Windows server patch available [microsoft.com] as of today. Koodos to Microsoft for getting it out quickly
Microsoft weren't the quick ones. From here:
Microsoft – Contacted on April 19, 2017 after which details were shared. Updates were made on July 11. Public disclosure on September 12, 2017 as part of coordinated disclosure.
...
Linux – Contacted August 15 and 17, 2017. On September 5, 2017, we connected and provided the necessary information to the the Linux kernel security team and to the Linux distributions security contact list and conversations followed from there. Targeting updates for on or about September 12, 2017 for coordinated disclosure.
-
Clarification
Regarding Apple, *OLD* version of iOS have vulnerabilities. The 10.x series does not have the issues described.
https://www.armis.com/blueborn...
Also, OSX isn't vulnerable to the described exploits.