Slashdot Mirror


BlueBorne Vulnerabilities Impact Over 5 Billion Bluetooth-Enabled Devices (bleepingcomputer.com)

An anonymous reader quotes a report from Bleeping Computer: Security researchers have discovered eight vulnerabilities -- codenamed collectively as BlueBorne -- in the Bluetooth implementations used by over 5.3 billion devices. Researchers say the vulnerabilities are undetectable and unstoppable by traditional security solutions. No user interaction is needed for an attacker to use the BlueBorne flaws, nor does the attacker need to pair with a target device. They affect the Bluetooth implementations in Android, iOS, Microsoft, and Linux, impacting almost all Bluetooth device types, from smartphones to laptops, and from IoT devices to smart cars. Furthermore, the vulnerabilities can be concocted into a self-spreading Bluetooth worm that could wreak havoc inside a company's network or even across the world. "These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date," an Armis spokesperson told Bleeping Computer via email. "Previously identified flaws found in Bluetooth were primarily at the protocol level," he added. "These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device." Consumers are recommended to disable Bluetooth unless you need to use it, but then turn it off immediately. When a patch or update is issued and installed on your device, you should be able to turn Bluetooth back on and leave it on safely. The BlueBorne Android App on the Google Play Store will be able to determine if a user's Android device is vulnerable. A technical report on the BlueBorne flaws is available here (PDF).

121 comments

  1. A headphone jack would be nice right about now by Anonymous Coward · · Score: 5, Funny

    Am I right?

    1. Re:A headphone jack would be nice right about now by Anonymous Coward · · Score: 1

      Sure, but you're a pussy. I'm courageous for using BT.

    2. Re:A headphone jack would be nice right about now by Trax3001BBS · · Score: 1

      Am I right?

      While I have a cable to connect the two, Bluetooth connected headphones are just much nicer/easier. And BlueBorne found my Moto G4 vulnerable.

    3. Re:A headphone jack would be nice right about now by JustAnotherOldGuy · · Score: 1

      Yes, you are correct. But hey, "courage", right?

      --
      Just cruising through this digital world at 33 1/3 rpm...
    4. Re:A headphone jack would be nice right about now by Dr.+Evil · · Score: 1

      The iphone 7 shipped with iOS 10 which is not affected by this issue.

    5. Re:A headphone jack would be nice right about now by Anonymous Coward · · Score: 0

      That's why we wanted to get rid of them, you inconsiderate clod!

      - The RIAA

    6. Re:A headphone jack would be nice right about now by Anonymous Coward · · Score: 0

      It's a good thing that iOS10 was installed on the headphones too.

  2. Just in time by Anonymous Coward · · Score: 3, Funny

    for the new iPhone! How do those new earbuds sound? Are they making a "hacking" noise?

    1. Re: Just in time by Anonymous Coward · · Score: 0

      Actually, iOS 10 (and likely newer versions) aren't vulnerable to BlueBorne. Although older iOS systems are vulnerable, iOS 10 is not. Therefore, this is not a legitimate excuse to whine about Apple removing the headphone jack.

    2. Re:Just in time by Anonymous Coward · · Score: 1

      From the link above, it does not impact iOS 10 or higher so not an issue for updated iPhones. Or updated Macs.

    3. Re: Just in time by that+this+is+not+und · · Score: 1

      It only impacts all the bluetooth peripherals and headphones you might connect to your new iPhone.

    4. Re: Just in time by that+this+is+not+und · · Score: 1

      Except for all the peripherals out there that iOS users are likely to connect to the 'virtual headphone jack' of their sparkly new gadget.

      I guess if it's a speaker or headphone that's not overpriced for sale in the Apple Store, it probably shouldn't be trusted.

    5. Re:Just in time by Actually,+I+do+RTFA · · Score: 1

      Unlike Android devices, iDevices still get updates 5 years later. And this should be fixed on up to date OSes (I believe).

      --
      Your ad here. Ask me how!
    6. Re:Just in time by BronsCon · · Score: 1

      How do you check the firmware version on your headphones?

      You do get that this affects all bluetooth devices and not just phones, right?

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    7. Re:Just in time by Actually,+I+do+RTFA · · Score: 1

      I totally get it, although I'm sure my headphones aren't affected. (They are wired). But the context of the post I was responding to was about the timing being convenient vis-a-vis the new iPhone coming out. You know, so although what you said is true, it's immaterial.

      That said, you can usually query the firmware via your desktop Bluetooth to find out the firmware version/do an OTA update.

      --
      Your ad here. Ask me how!
    8. Re:Just in time by BronsCon · · Score: 1

      Okay, and everyone who uses bluetooth accessories (like headphones) with their "safe" iOS devices? What access might those accessories have once paired to the phone? You might want to look into that, and I'm not so sure I'd call it immaterial given that supposedly patched devices can still be affected.

      That innocuous pair of headphones (their bluetooth headphones, not your wired ones) may well emulate a keyboard (or any other device) and execute any number of exploits once paired to a supposedly patched phone. That's actually not something your phone can be patched to protect against, so as long as the accessories are vulnerable, so is the phone they're used with. In fact, even if the exploits mentioned in TFA didn't exist, a rogue bluetooth device you pair with your phone can still PWN it. Hardly immaterial.

      Unless, of course, you truly believe the fact that a fully patched and up-to-date iPhone can still be (indirectly) affected by this exploit is immaterial; in which case, please stay away from the security industry.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    9. Re:Just in time by Actually,+I+do+RTFA · · Score: 1

      What access might those accessories have once paired to the phone?

      Umm.... quite little. The protocols for non-BLE devices are pretty strict, and BLE is entirely dependent on the phone to pull information from the device.

      That innocuous pair of headphones (their bluetooth headphones, not your wired ones) may well emulate a keyboard

      That is a concern, but not significantly more than a generic malicious device. I'm not 100% sure about most OSes, but most I've seen require you to select a device both by name and (iconographically) by type of device (headset, headphones, keyboard, mouse, etc.).

      a rogue bluetooth device you pair with your phone can still PWN it.

      Probably. I'm not sure, I haven't seen many attacks of that type.

      Unless, of course, you truly believe the fact that a fully patched and up-to-date iPhone can still be (indirectly) affected by this exploit is immaterial;

      It's not immaterial, but it's not as critical as a bug in the Bluetooth stack. I consider your complaint to be analogous to responding to a statement about Heartbleed not affecting, I dunno, FreeBSD OSes with "but they might still download and run software from hacked servers." While true, and not totally to be discounted, it's important to note which OSes are directly affected.

      --
      Your ad here. Ask me how!
    10. Re:Just in time by BronsCon · · Score: 2

      It's not immaterial, but it's not as critical as a bug in the Bluetooth stack.

      Right. Now, consider it in concert with a bug in the bluetooth stack that allows any once-trusted device already paired with your phone to suddenly become a rogue device.

      The reality is, that's exactly what we've got here and, as you admit:

      a rogue bluetooth device you pair with your phone can still PWN it.

      Probably. I'm not sure, I haven't seen many attacks of that type.

      If you'd not seen it at all you'd have said so, which tells me you've seen it at least once and are slyly owning to the possibility.

      See the problem yet?

      Let me spell it out for you: unlike your Heartbleed/FreeBSD statement, which requires the end user (likely a qualified sysadmin) to do something stupid, your iOS device can still be affected by this without your intervention if you use any bluetooth accessories.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    11. Re:Just in time by Gr8Apes · · Score: 1

      The reality is, it's the same base issue as with the USB bus or any insufficiently protected external protocol.

      --
      The cesspool just got a check and balance.
    12. Re: Just in time by BronsCon · · Score: 1

      Bingo. So many people, even here where the same story about such literally un-patchable vulnerabilities has been posted more than a handful of times, choose to remain ignorant of reality, though.

      The difference here, from a typical USB device, however, is that your affected Bluetooth accessories may have their firmware "updated" without any physical interaction, whereas you would have to be duped into running a rogue firmware installer or plugging the device into a malicious machine to have your USB devices reprogrammed in such a manner.

      That said, with unknown and untrusted (read: found or of dubious origin or manufacture) devices, you're just as vulnerable pairing a Bluetooth device as you are plugging in a USB device.

      Again, you know this, I know this, but the masses remain ignorant of it. Even here.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    13. Re: Just in time by Gr8Apes · · Score: 1

      From a security standpoint, BT should be off on your devices except when you explicitly need to use them. There's far more reasons than just this vulnerability for that statement. In fact, ideally, you would turn off all radios on your phone when you're not needing it and for the tinfoil hat crowd, drop it into a heavy duty electrostatic bag.

      That said, wrt to BT vs USB vulnerabilities that I'm aware of, both require action by the user to actually work (BT requires pairing, USB requires you to plug it in) The USB one appears to be a greater risk, as that can operate in the true virus sense and infect everything you connect. The BT path just opens a potential vector. I'm not sure why both ends of a BT pairing cannot specify what the device operations are limited to. That seems to be a grossly neglected level of operational security that should have just been part of the protocol handshake - hi, I'm an audio device, hello, you have audio capabilities and are authorized for audio. Done.

      In fact, you'd think they would have included that in USB as well, although that doesn't prevent the firmware attacks. There's no reason for a mouse to be able to do anything other than return clicks and locations for example. That could be handled by OS upgrades to the default drivers though even if it's one sided. BT could be handled the same way I guess.

      --
      The cesspool just got a check and balance.
    14. Re: Just in time by BronsCon · · Score: 1

      Ugh... I had typed out an in-depth response to this, hit preview, then closed the window. I'll try to recreate as much of that as possible, but I reserve the right to post updates and corrections. I'll also skip the bits about how disappointed I am in you having missed the glaring obviousness of the vulnerability here (especially as it's discussed in TFS) as I don't think that really needed two paragraphs, even if I have come to expect better from you, and get right to the meat and potatoes.

      The long and the short is that you have to have a USB device plugged into an infected system to have an issue with USB, while just having a vulnerable bluetooth device (which includes the current majority of accessories, and likely will for the foreseeable future) in the same general area as an infected device can infect it. I can set a rogue USB drive on top of my computer and leave it there indefinitely and nothing happens; if I walk by someone with infected headphones, though, my own headphones may become infected. My own headphones, which are already paired to my phone, mind you. This isn't something the pairing process can save me from; I'm not pairing someone else's already fucked headphones to my phone, my already paired headphones are getting fucked.

      Regarding USB, we have things like Logitech's Unifying receiver, which presents a generic interface (for pairing control) and up to 6 keyboards and mice, and we have things like mice with extra buttons that send keystrokes (the non-programmable ones actually act as keyboards, no special driver emulating the keystrokes) that need to be considered before we can say one physical device == one logical device. Even if we did say that, those could still exist because that logical device could simply be a hub with virtual devices plugged into it; which, of course, would still allow things like BadUSB to work. Rest assured it's been done in a lab, and that is not conjecture.

      We don't have bluetooth hubs, so we could technically implement that for bluetooth, but it would almost immediately make the technology immensely less popular. Some people actually use the feature of their pricey bluetooth speakers, headphones, and cars wherein the device pulls a copy of your phone book and offers its own voice-dialing functionality based on that data. That requires your "audio device" to also be a "dialing device" and a "phonebook device". Even more use the play control and volume buttons, which act as a "keyboard device". Sure, these are all still usable as audio devices if we remove multi-function capabilities from the protocol, but it becomes a lot less attractive to the end user; and do you really want your average driver having to fuck with their phone to change songs?

      Beyond that, we already have the ability to see what services a paired bluetooth device exposes and enable/disable them at will, at least on Android. A new pairing resets that (and should; often times that's the first suggested -- and most effective -- step in troubleshooting in case someone's fucked with those settings) and all a newly-infected device need do is "oops I glitched out and forgot my pairing" force the user to re-pair in order to reset any restrictions. And we already know that relying on users to secure themselves is folly; most won't know what the individual permissions even mean and the rest won't connect why some might or might not be needed. Case in point, the woman in front of me in the Target customer service line about a year and a half ago, returning a bluetooth speaker, ranting about how she's a security researcher with a Masters in CS and how she's "appalled that it wants to act as an input device and read her phone book which, of course, I did not allow -- and, by the way, the play and skip buttons don't work." Of course they didn't work, she disabled its ability to act as an input device, while claiming to hold a degree in Computer Science.

      See the problem yet?

      The industry has dumbed itself down to allow anyone a

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    15. Re: Just in time by Gr8Apes · · Score: 1
      I hear you, however, my point was don't have BT on unless you need it. In my case, that's very very very seldom with anything except my HTPC. I admit I skimmed TFS and didn't believe the severity that was stated. I was under the impression that computers and laptops were "ok" but devices attached to them weren't. That's probably some misinformation from some responses I also read across the couple of days, so what I read probably got shoved aside by other concerns, as I'm not a big BT user (ie, I didn't pay as much attention as I would have if, say, SSDs had been the problem device) That said, if this truly is as bad as BadUSB with effectively you plugging in every single USB device you pass, then it's a really huge problem.

      Case in point, the woman in front of me in the Target customer service line about a year and a half ago, returning a bluetooth speaker, ranting about how she's a security researcher with a Masters in CS and how she's "appalled that it wants to act as an input device and read her phone book which, of course, I did not allow -- and, by the way, the play and skip buttons don't work."

      Quite honestly, I get the input device for play/skip buttons, but phone book? And input device seems overly generic and broad for "audio input device" functionality, which would only have limited input functionality, no general keyboard.

      Finally, I agree, you can't fix stupid. And stupid is what a large segment of the consumer base is when it comes to these devices, and when it comes to security, well, it's like finding a needle in all the haystacks in a country. Sadly, that's not just related to computers. An astoundingly small percentage of people can fix their own brakes, change their own oil, repair a sprinkler head, replace a faucet, sharpen a mower blade, or even hammer a nail to hold a fence board it seems, never mind working on anything connected to an electrical power source of any sort.

      --
      The cesspool just got a check and balance.
  3. When a patch or update is issued... by fustakrakich · · Score: 5, Insightful

    You're device will be too old to update. You'll have to buy a new one. Neat trick, huh?

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:When a patch or update is issued... by arth1 · · Score: 2

      You're device

      No, I'm human. Mostly.

    2. Re:When a patch or update is issued... by PolygamousRanchKid+ · · Score: 1

      No, I'm human. Mostly.

      Yes, you are . . . Number Six . . .

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    3. Re:When a patch or update is issued... by fustakrakich · · Score: 1

      More likely you are mostly bacteria that assumes a human form. Your intelligence comes from the super worms living in your digestive tract.

      Though I'm not ungrateful for your reminder, most people can let the typos slide

      --
      “He’s not deformed, he’s just drunk!”
    4. Re:When a patch or update is issued... by Solandri · · Score: 2
      TFA linked in summary had a lot of scary hype and little info. The vulnerability was found earlier this year and affected companies were notified in April. So they've had several months to work on fixes. The vulnerability was made public recently after giving these companies time to prepare patches.
      • Microsoft patched it in Windows back in July (Windows Phone was not affected, if you're one of the handful of people still using it).
      • Apple has fixed it in iOS version 10, but is not patching older versions of iOS (they want you to update to version 10).
      • Google is patching all versions of Android from version 4.4.4 (Kit Kat) and newer. But whether manufacturers and carriers will pass on those patches to end-user devices remains to be seen.
      • Samsung declined to comment.
    5. Re:When a patch or update is issued... by JustAnotherOldGuy · · Score: 1

      Yes, you are . . . Number Six . . .

      I am not a number, I am a free man!

      --
      Just cruising through this digital world at 33 1/3 rpm...
    6. Re:When a patch or update is issued... by Big+Hairy+Ian · · Score: 1

      Good luck trying to get this patched on your Android device and what about all the devices we connect to

      --
      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    7. Re:When a patch or update is issued... by ggendel · · Score: 1

      This is the reason I picked up a Blackberry Android device. If nothing else, Blackberry has been true to their word about keeping their phones secure. I ran the vulnerability checker and it claims that my Priv is properly patched (at least by the first week of September when the last monthly patches came).

    8. Re:When a patch or update is issued... by arth1 · · Score: 1

      Though I'm not ungrateful for your reminder, most people can let the typos slide

      Writing "yoir" instead of "your" would be a typo.
      Writing "you're" instead of "your" is not a typo; it's ignorance.

    9. Re:When a patch or update is issued... by fustakrakich · · Score: 1

      :-) Sure, anything you say. I'm not one to argue pedantry. I'll leave all that up to yoi

      --
      “He’s not deformed, he’s just drunk!”
  4. Bluetooth now useless for many Android devices by Anonymous Coward · · Score: 2, Informative

    I'd like to think these vulnerabilities will be fixed, but many Android devices don't get updates in a timely manner if at all. Must Bluetooth be permanently disabled on many of those devices?

    1. Re:Bluetooth now useless for many Android devices by darth+dickinson · · Score: 1

      Yeah that's what I'm worried about. I have a couple of LG devices (a V10 and an X-Pad) and it took them forever to get Android 7. I have yet to see any kind of security update for them, including the year leading up to the Android N upgrade.

      Although the BlueBorne checker that I downloaded seems to indicate that if your device isn't discoverable, that it can't be infected. I'm probably wrong on that, however.

    2. Re:Bluetooth now useless for many Android devices by Anonymous Coward · · Score: 1

      Android is shit. Majority of Android devices older than 1-2 years can be pwned remotely over the air via either WiFi (shitty Broadcom drivers) or Bluetooth (shitty stack) over the air.

      Good luck.

    3. Re:Bluetooth now useless for many Android devices by that+this+is+not+und · · Score: 1

      But it's highly likely they won't.

  5. So... by locater16 · · Score: 1

    So just turn off bluetooth forever and keep it off? I've got a wireless mouse but that's all I use bluetooth for. I suppose the most vulnerable devices would be phones in close proximity, a densely populated city or something.

    1. Re:So... by PolygamousRanchKid+ · · Score: 2

      So just turn off bluetooth forever and keep it off?

      Gee, that old-fashioned audio jack ain't lookin' too bad right now . . .

      I usually leave Bluetooth off anyway, because of the battery drain.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    2. Re:So... by berj · · Score: 1

      Having a device that actually gets timely updates is what's actually not lookin' too bad right now.

      And as a point of reference.. this vulnerability was patched in iOS before Apple released the first phone without a standard headphone jack.

      Though even if that *weren't* the case.. one can still plug in normal headphones..

    3. Re:So... by Anonymous Coward · · Score: 0

      If you own an Android device (which means you likely already stopped receiving updates or will stop receiving updates in 1 year or so) the solution is to turn your device off and keep it off forever.

      Broadcom WiFi drivers, now this. This is just awesome. Cheers.

    4. Re:So... by Anonymous Coward · · Score: 0

      Having a Windows phone is what's actually not lookin' too bad right now. It didn't have the vulnerability to begin with.

    5. Re:So... by that+this+is+not+und · · Score: 1

      Or, continue to use your device, but not for critical things like financial transactions.

      I don't care if they steal my contacts list. Are they going to steal my precious cookies and post pro-Apple spam under my name on Slashdot? (That I would worry about)

    6. Re:So... by BronsCon · · Score: 1

      Ah, yes, but the headphones themselves will still be vulnerable... then you'll connect pair them to your phone and... well? What security actually is there at that point? I'm not saying there isn't any, I'm asking.

      What data might infected headphones, or an infected speaker, or an older iPad that can't run iOS 10, or whatever else have you, be able to exfiltrate from your non-vulnerable iPhone, Windows phone, Mac, or PC? Or, really, from anything else it connects to (including patched Android devices)?

      I haven't really seen anyone considering that in this discussion thus far. I feel like most people assume (and probably correctly) that there is little or no risk from this, but who's verified it? I'm certainly not qualified to and I feel as though those who are have not.

      I also wonder if my car's bluetooth implementation is vulnerable and, if so, will it receive a patch when I take it in for the airbag recall that is currently pending?

      This isn't just about your phone, people...

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    7. Re:So... by Anonymous Coward · · Score: 0

      or just turn bluetooth... that's a whole lot easier. snarky iphone owners acting like they're upper class douchebags, which is normal.

  6. Eh? by Hognoxious · · Score: 1

    So does almost everybody in the world own a BT device?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    1. Re:Eh? by darth+dickinson · · Score: 1

      Either that, or many people own multiple. There are four sitting on my desk here at work (although two belong to my employer).

    2. Re: Eh? by Anonymous Coward · · Score: 0

      No, genius, many people have multiple Bluetooth-enabled devices like phones, tablets, laptops, and perhaps older devices they still own but have retired from active use.

    3. Re:Eh? by Paradise+Pete · · Score: 1

      So does almost everybody in the world own a BT device?

      On average, I suppose, but just off the top of my head I own more than a dozen.

    4. Re:Eh? by PolygamousRanchKid+ · · Score: 1

      So does almost everybody in the world own a BT device?

      In Putinist Amerika . . . Bluetooth owns you!

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    5. Re:Eh? by reboot246 · · Score: 1

      I own a phone that has Bluetooth available, but I never turn Bluetooth on because I have no use for it. Besides, it drains the battery faster. I also keep GPS and wifi turned off because I don't use them.

      I have a Bluetooth remote for my Amazon FireTV, but I fail to see how it could get infected if it never leaves the house.

    6. Re:Eh? by viperidaenz · · Score: 1

      I have many:
      My phone
      My watch
      My headphones
      My laptop
      My PC
      My 2 TV's
      My speaker dock
      My car stereo

      My wife has many:
      Her phone
      Her headphones
      Her iPod
      Her laptop
      Her tablet
      Her car stereo

      My son has a laptop with bluetooth

      That's 16 devices in my house of 4 off the top of my head
      Doesn't include all the old phones not actively used.
      I've also got a bunch of other devices with bluetooth hardware but no software stack: Raspberry Pi 3, Asus Tinkerboard, Pine64... quite a few of those dev boards have Bluetooth.

    7. Re:Eh? by skids · · Score: 1

      Don't forget the game consoles, often in use well past their EoS date.

    8. Re:Eh? by cfalcon · · Score: 1

      > So does almost everybody in the world own a BT device?

      Owning a single bluetooth device means you aren't a BT user. Everyone who wants to use BT needs TWO of them, bare minimum, to get any utility from it. So you have "every single phone" accounting for whatever small percent of people own a SINGLE device, and then you have it placed on a variety of other things- mice, keyboards, headphones, peripherals- to actually interface with their computer/phone/console/car.

    9. Re: Eh? by that+this+is+not+und · · Score: 1

      Then you also probably have an Amazon Fire TV with an active bluetooth transceiver. What sort of OS is it running?

    10. Re:Eh? by GNious · · Score: 1

      Lemme see, every mobile phone I've bought in this millennium has had BT support
      Some of the land-line phones/handsets I bought a decade ago has BT support
      I probably have 4-5 BT headsets somewhere (mono, stereo, headset-adapters)
      My Bragi Dash have 2 BT implementations (one for music/phone, one for health-monitoring)
      My PS3, along with its regular and Move controllers, use BT
      The PS4 might too, not sure.
      The Nintendo Wii's wiimotes are supposedly BT
      Got an Ethernet-PAN gateway somewhere
      A couple of keyboards using BT
      Some computer-mice using BT
      My Harmony remote base-station uses BT to control some devices (like the PS3, PS4 etc)
      A LOT of the IoT stuff I've been looking at uses BT ...

      Question is, who in the various 1st world countries, doesn't have at LEAST 1 BT enabled device these days?

  7. great movie sequel title by turkeydance · · Score: 1

    the Bo(u)rne Vulnerabilities. well, not that great

    1. Re:great movie sequel title by Anonymous Coward · · Score: 0

      But Matt Damon will be dead by then? Or maybe that become his vulnerable.

      Who is that ugly one who replaces him? in the snow movie. Who can be that ugly? I don't believe a manlet is a real supersoldj. Nobody thinks this. He is a gay you know? That man is also a gay

    2. Re: great movie sequel title by that+this+is+not+und · · Score: 1

      Vulnerabilities in /bin/sh ?

      My NetBSD box may be vulnerable.

  8. Terrific! by Anonymous Coward · · Score: 2, Interesting

    I didn't really want to use my keyboard and mouse with my laptop when sitting at my desk anyway. I'll just go ahead and turn off bluetooth for all my devices. My Apple Pen and iPad should probably be locked down too. HELPFUL!

    1. Re:Terrific! by Anonymous Coward · · Score: 0

      What about my car? It has several functions tied to BT

    2. Re:Terrific! by deviated_prevert · · Score: 1

      What about my car? It has several functions tied to BT

      One hack that might be useful is to pull up to the morons with their car stereos blasting away in a traffic jam and mute them! Apart from that and perhaps screwing up their hands free phone while they yap away while driving apart from that essentially nothing. Fun though if you could pull up and make their stereo play Le Sacre Du Printemps at full volume. The core functions of the auto if somehow connected to the entertainment/infotainment devices that can be accessed over the air waves would be a stupid design to say the least. This is the reason why I would never enable GM's onstar service, or buy any car with remote access capabilities other than a simple keyfob.

      --
      This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
    3. Re:Terrific! by that+this+is+not+und · · Score: 1

      make their stereo play Le Sacre Du Printemps at full volume.

      No. Better. Find the resonant frequency of their automobile's chassis and literally shake it apart with subsonics.

  9. My lettuce is wilting! by A10Mechanic · · Score: 1

    Good luck getting an update for your Bluetooth enabled refrigerator.

    1. Re:My lettuce is wilting! by scdeimos · · Score: 2

      Good luck getting an update for your Lenovo devices, too.

    2. Re:My lettuce is wilting! by Anonymous Coward · · Score: 0

      I am more worried about my bluetooth enabled car.

  10. I am shocked, shocked I tell you by WillAffleckUW · · Score: 2, Funny

    And there is no truth to the ability of the new iPhone X to use your face to allow the feds to unlock your phone and turn on bluetooth without telling you.

    Really.

    Trust us.

    We would never do that.

    By the way, you really need to get that mole looked at.

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:I am shocked, shocked I tell you by Anonymous Coward · · Score: 0

      Kind of like walking around with your password written on your forehead.

    2. Re:I am shocked, shocked I tell you by Jeremi · · Score: 1

      If Apple wants to allow your iPhone to be surreptitiously unlocked by the feds, they have approximately 875 ways to accomplish that, which would be less work and less noticeable than by introducing a vulnerability in their face-recognition software.

      (OTOH it's not clear how facial recognition would prevent someone who has physical access to your phone from pointing the phone at your face and saying "hey, look at this")

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    3. Re: I am shocked, shocked I tell you by Anonymous Coward · · Score: 0

      Probably the same way as the fingerprint reader - require passcode on boot. Of course then you have to turn it off before you expect a search.

      Or just don't do anything stupid that would get your phone confiscated. I always love all these fat dudes in their mom's basement worried that the Feds are gonna come get them and so they use that to justify not being able to afford an iPhone.

    4. Re:I am shocked, shocked I tell you by rbgaynor · · Score: 1

      iOS 11 allows you to lock out Touch ID and Face ID using the wake/sleep physical switch on the phone. So easy you can do it without taking the phone out of your pocket.

      --
      "Good things don't end with eum, they end with mania or teria." - H. Simpson
    5. Re:I am shocked, shocked I tell you by rbgaynor · · Score: 1

      iOS 10 (released in September 2016) fixed the Bluetooth vulnerability.

      --
      "Good things don't end with eum, they end with mania or teria." - H. Simpson
    6. Re:I am shocked, shocked I tell you by blindseer · · Score: 1

      Ah, but you see I write my password backwards on my forehead. I'm the only one that can read it, using a mirror.

      --
      I am armed because I am free. I am free because I am armed.
  11. blueborn goes wild! by jriding · · Score: 2

    What and no exploit code released?

    Bastards :-(

    --
    love the taste, hate the texture
    1. Re:blueborn goes wild! by Anonymous Coward · · Score: 0

      the feds are awfully selfish when it comes to their toys, aren't they.

  12. How convenient by scdeimos · · Score: 0

    Researchers say the vulnerabilities are undetectable and unstoppable by traditional security solutions.

    The BlueBorne Android App on the Google Play Store will be able to determine if a user's Android device is vulnerable.

    Sounds like scare tactics to promote an app to me. What data will it be slurping up?

    1. Re:How convenient by InvalidsYnc · · Score: 1

      What will it be infecting you with?

    2. Re:How convenient by markdavis · · Score: 1

      >"Sounds like scare tactics to promote an app to me. What data will it be slurping up?"

      It required no permissions at all, interestingly.

    3. Re:How convenient by that+this+is+not+und · · Score: 1

      What I am wondering is, since scary dudes in Corporation on the linked video have designed a whole logo for this thing, and named the 'collection of vulnerabilities' have they also trademarked said logo and name? The video looks pretty slick and corporate and has a url at the end that we're all supposed to navigate to.

  13. Crappy stacks. by Anonymous Coward · · Score: 0

    Considering the generally crappy nature of most stacks this should not be a surprise.

  14. Clarification by ilsaloving · · Score: 1

    Regarding Apple, *OLD* versions of iOS have vulnerabilities. The 10.x series does not have the issues described.

    https://www.armis.com/blueborn...

    Also, OSX isn't vulnerable to the described exploits.

    1. Re:Clarification by 93+Escort+Wagon · · Score: 1

      I have an old, jailbroken iPad still sitting on iOS 8.4 - but it doesn't leave the house, so I'm not too worried.

      There seems to be a bit of fear-mongering here with regards to iOS. As of July, 87% of iOS devices were running iOS 10.x... and so not vulnerable to this.

      And as you mentioned - OS X / macOS devices are not vulnerable.

      --
      #DeleteChrome
    2. Re:Clarification by that+this+is+not+und · · Score: 1

      According to how the propaganda^d^d^d informative video put it, any other bluetooth device can travel into proximity to your old iPad and infect it. Your friend's phone, the UPS delivery guy's phone. Your sister's bluetooth vibrator...

    3. Re:Clarification by Anonymous Coward · · Score: 0

      Gold!

    4. Re:Clarification by Anonymous Coward · · Score: 0

      OSX and iOS 10.x are "vulnerable" with user consent - i.e. hacker keeps spamming SMP requests with "DisplayOnly" until user clicks yes... after that he can run pineapple via PAN and MITM all your network traffic.

      I'd bet 95% of users will click "yes" on "device 'system update' would like to connect to bluetooth, allow?" if the notification is persistent (re-appears after clicking no)

  15. Mainstream linux has it patched already by deviated_prevert · · Score: 5, Informative

    Red Hat had it covered first. Debian now has it patched. I would imagine that MS Server, Win7 and Win10 might not be too far behind considering that the real danger of this exploit is access to corporate networks that use bluetooth devices. Fortunately most thin clients do not have bluetooth built in, otherwise this could become another update nightmare for MS admins. Either way I don't think this will affect the Microsoft server users too much. What I do foresee is a rapid removal of bluetooth mice and a server side disabling of the usb bluetooth stack happening in major business until Microsoft patches the windows bluetooth stack.

    --
    This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
    1. Re:Mainstream linux has it patched already by deviated_prevert · · Score: 1

      Sure enough it is serious enough and there is a Windows server patch available as of today. Kudos to Microsoft for getting it out quickly, now if it is applied effectively without updating the language packs by mistake it might make using bluetooth devices on your systems safe again. I doubt that the black hats have figured out how to exploit this hole remotely as of yet. But it would really be a PITA if the exploit could somehow be used over the web to compromise servers.

      --
      This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
    2. Re:Mainstream linux has it patched already by Anonymous Coward · · Score: 0

      Sure enough it is serious enough and there is a Windows server patch available [microsoft.com] as of today. Kudos to Microsoft for getting it out quickly

      Microsoft weren't the quick ones. From here:

      Microsoft – Contacted on April 19, 2017 after which details were shared. Updates were made on July 11. Public disclosure on September 12, 2017 as part of coordinated disclosure.

      ...

      Linux – Contacted August 15 and 17, 2017. On September 5, 2017, we connected and provided the necessary information to the Linux kernel security team and to the Linux distributions security contact list and conversations followed from there. Targeting updates for on or about September 12, 2017 for coordinated disclosure.

    3. Re:Mainstream linux has it patched already by deviated_prevert · · Score: 1, Insightful

      Microsoft weren't the quick ones. From here:

      Microsoft – Contacted on April 19, 2017 after which details were shared. Updates were made on July 11. Public disclosure on September 12, 2017 as part of coordinated disclosure.

      ...

      Linux – Contacted August 15 and 17, 2017. On September 5, 2017, we connected and provided the necessary information to the Linux kernel security team and to the Linux distributions security contact list and conversations followed from there. Targeting updates for on or about September 12, 2017 for coordinated disclosure.

      What are you talking about? Microsoft was quick: it only took them 5 and a half months this time around, which for Microsoft is at the speed of light when it comes to patching a serious hole. This is why the hole was not disclosed earlier to the Linux crowd: the bluez patch would have happened by late April, giving time for the hackers to figure out how to hack the Windows bluetooth stack, which the Linux pirates copied profusely to enable bluetooth devices on linux.

      --
      This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
    4. Re:Mainstream linux has it patched already by that+this+is+not+und · · Score: 1

      Is all information about this centered at this Armis Corporation? Seems they have a pretty big stake in any hysteria that can be spun up.

      I looked at their website, but they won't tell me much about them without me telling NoScript that they are 'the good guys.'

    5. Re: Mainstream linux has it patched already by Anonymous Coward · · Score: 0

      ?
      What are you on about?
      Trawling much?

      Actually, Linux had Bluetooth implemented first, as USB2.
      Which is natural, for a kernel developed as standalone, provided the hardware specs are made available.

    6. Re:Mainstream linux has it patched already by Anonymous Coward · · Score: 0

      Huh? Do you have a reading comprehension failure? "Microsoft – Contacted on April 19, 2017 after which details were shared. Updates were made on July 11." They fixed it and released a patch in just under 3 months. They kept silent for 2 more months as this was a coordinated patching effort being made by many vendors.

  16. Fixed in iOS 10 by Anonymous Coward · · Score: 0

    Before anyone else has a headphone comment.

    1. Re:Fixed in iOS 10 by that+this+is+not+und · · Score: 1

      What about the thousands of different Bluetooth headphones that people might be using to connect to their iPhone?

      Will Apple come out with a sticker 'Apple Approved Safe Bluetooth Device' and inform their customers that it's time to landfill all their old stuff and come flash plastic at the Apple Store?

    2. Re: Fixed in iOS 10 by Anonymous Coward · · Score: 0

      What exactly is there to be hacked in a set of headphones? What is there to get shell on?

    3. Re: Fixed in iOS 10 by that+this+is+not+und · · Score: 1

      That's a worthy question.

      You didn't provide an answer.

  17. and in your CAR???? by Anonymous Coward · · Score: 0

    When will the updates come for all of those who have blueballs installed and use it in their vehicles?

  18. Does one really need the BlueBorne app? by Trax3001BBS · · Score: 1

    Could be wrong as I don't know what the BlueBorne app does. But reading the PDF it could be as easy as checking your "About Phone (device)" and seeing if your WiFi MAC address is one digit off of your Bluetooth MAC address. I show as vulnerable and my MAC addresses end with one being a digit higher.

    So one should be able to view MAC addresses and if sequential, vulnerable

    1. Re:Does one really need the BlueBorne app? by viperidaenz · · Score: 2

      Looks like the vulnerabilities that impact Android are in the BlueZ bluetooth stack.
      Nothing to do with the MAC address of your Bluetooth/Wifi, or if Bluetooth and WiFi are contained in the same piece of hardware (I doubt any phone has a separate Bluetooth chip anyway, it would require a separate bluetooth antenna, cost more and take up more space)

    2. Re:Does one really need the BlueBorne app? by Trax3001BBS · · Score: 5, Informative

      Looks like the vulnerabilities that impact Android are in the BlueZ bluetooth stack.
      Nothing to do with the MAC address of your Bluetooth/Wifi, or if Bluetooth and WiFi are contained in the same piece of hardware (I doubt any phone has a separate Bluetooth chip anyway, it would require a separate bluetooth antenna, cost more and take up more space)

      From the PDF, in summary:
      "If the device generates no Bluetooth traffic, and is only listening, it is still possible to “guess” the BDADDR, by sniffing its WiFi traffic. This is viable since WiFi MAC addresses appear unencrypted over the air and due to the widely accepted norm of OEMs and hardware manufacturers that the MACs of internal Bluetooth/WiFi adapters are either the same, or only differ in the last digit (one being +1 of the other)"

    3. Re:Does one really need the BlueBorne app? by Macfox · · Score: 1

      Having the BDADDR enhances the attacks, by making it easier to connect to targets. The vulnerabilities are still needed, so the app should be checking SW builds/versions. One would hope the app is as sophisticated as the work gone into this discovery/release.

      --
      Area51 - We are watching...
  19. Patches for some systems already released by Anonymous Coward · · Score: 0

    Ars Technica notes:
    https://arstechnica.com/inform...

    "Microsoft patched the vulnerabilities in July during the company's regularly scheduled Patch Tuesday. Company officials, however, didn't disclose the patch or the underlying vulnerabilities at the time. A Microsoft representative said Windows Phone was never vulnerable.

    Google, meanwhile, provided device manufacturers with a patch last month. It plans to make the patch available starting today for users of the Pixel XL and other Google-branded phones, but if past security bulletins are any guide, it may take weeks before over-the-air fixes are available to all users.

    Izrael said he expects Linux maintainers to release a fix soon.

    Apple's iOS prior to version 10 was also vulnerable."

    1. Re:Patches for some systems already released by rbgaynor · · Score: 1

      iOS 10 was initially released in September of 2016, so Apple devices have been safe for almost a year. macOS was not vulnerable.

      --
      "Good things don't end with eum, they end with mania or teria." - H. Simpson
  20. Security fixes for android? by mveloso · · Score: 1

    I'm still waiting for the Broadcom wifi fix. At this rate it'll be 2100 before this BT bug will be patched.

    1. Re:Security fixes for android? by q4Fry · · Score: 1

      +1 in the "Me, too" sense.

  21. I have a prediction by viperidaenz · · Score: 2

    Lenovo won't release a security update for the Moto X 2014
    It's still on August 2016 patch level, 13 months old now...

  22. Already patched in iOS by khchung · · Score: 1

    In the article: "Who is affected.... All iPhone, iPad and iPod touch devices with iOS 9.3.5 and lower"

    The latest version of iOS is 10.3.3. So it has long been patched in the current major version.

    Sensationalist headline on /., why am I not surprised?

    --
    Oliver.
    1. Re:Already patched in iOS by madbrain · · Score: 1

      Many iOS devices are not capable of being upgraded to iOS 10. This is the case for my old iPad 2 which is on iOS 9.3.5 and can't be patched.

      --
      -- Julien Pierre http://www.madbrain.com/blog
  23. Ios10 and higher not exploitable by sethmeisterg · · Score: 1

    If you actually read the paper: Impact Due to the fact this vulnerability was mitigated in iOS version 10, a full exploit was not developed by us. Despite this, this vulnerability still poses a great risk to any iOS device prior to version 10, as it does not require any user interaction or configuration of any sort on the targeted device, and can be leveraged by an attacker to gain remote code execution in a very high privileged context (the Bluetooth process).

    1. Re:Ios10 and higher not exploitable by that+this+is+not+und · · Score: 1

      The iGadget is fine. Fort Knox secure. Not necessarily so for anything else that you connect to with your iGadget, though.

      So don't be worried. Not at all. If your Bluetooth keyboard is compromised by some (any?) other random device that comes in range, you won't later use said keyboard to send any key critical information to your iPad. Right?

  24. MacOSX by manu0601 · · Score: 1

    MacOSX is oddly absent from the paper. If it had no flaws, it would have been worth a mention, so what? Not interesting to test?

  25. Holy shit by JustAnotherOldGuy · · Score: 1

    "Researchers say the vulnerabilities are undetectable and unstoppable by traditional security solutions. No user interaction is needed for an attacker to use the BlueBorne flaws, nor does the attacker need to pair with a target device. They affect the Bluetooth implementations in Android, iOS, Microsoft, and Linux, impacting almost all Bluetooth device types, from smartphones to laptops, and from IoT devices to smart cars."

    Jesus fuckin' christ, could this get any worse? Yes, of course it can:

    "...the vulnerabilities can be concocted into a self-spreading BlueTooth worm..."

    Well that's just fucking great.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  26. I can see a legit use for it by menkhaura · · Score: 2

    I can see a legitimate use for this vulnerability: disable mobiles of drivers who insist on texting while driving. With a little sophistication, it can be done automatically, with your own phone safely in your pocket.

    --
    Stupidity is an equal opportunity striker.
    Fellow slashdotter Bill Dog
  27. Just Who Is "Armis, Inc." by that+this+is+not+und · · Score: 1

    Everything seems to reference back to them.

    Is this an infomercial for this outfit, who are showcasing the 'vulnerability' that they detected? Looking around on their webpage (with Noscript on, so there is probably 'stuff' they can't run in my browser that they want to run) it looks like they don't have a lot of customers. Is this their niche marketing angle?

    Do they have the term they coined for this 'collection of vulnerabilities', 'BlueBorne' as a trademark. Is that scary logo they flash around in their video one of their trademarks?

    Maybe somebody here on Slashdot, who isn't somebody who has just shown up with a fresh UID and is a 'big expert' on this sudden new phenomenon, can vouch for them.

  28. Sensationalist sentence seems shockingly short! by Anonymous Coward · · Score: 0

    This article makes it seem like the digital world is coming to an end, with BIG, BOLD headings like ALL BLUETOOTH DEVICES SINCE THE DAWN OF MAN ARE VULNERABLE and ONLY BURNING YOUR PHONE CAN KEEP YOU SAFE.

    Until you read the actual report where they tell you that everyone has already released patches for all this stuff, except for maybe TizenOS which nobody really gives a shit about -- I think anyone with a Samsung TV containing a camera already knows they are being live streamed on YouTube.ru anyway.

    So, come on Slashdot editors: don't contribute to this bullshit. Fine, post the article and link to the click bait, but also come clean and say "this isn't a BFD like TFA makes it out to be".

  29. the actual problem is : a buffer overflow... by johnjones · · Score: 4, Informative

    so yes it's basically like wifi, cables are reliable

    there is a buffer overflow in some versions of windows/linux/iOS

    this has been patched in recent versions of all the OSes
    it's not a replicating worm per se unless you count all the people who have downloaded an "app" to check if they are vulnerable...

    the videos and documentation on their website give absolutely no details and are completely pointless, this is what happens when you let a media company deal with a buffer overflow

    Actual information :

    Background Information
    The Logical Link Control and Adaptation Layer Protocol (L2CAP) works at the data link layer in the Bluetooth stack. It provides services such as connection multiplexing, segmentation and reassembly of packets for upper layer protocols such as Bluetooth. It facilitates higher level protocols to transmit and receive L2CAP data packets to and from clients.

    A stack buffer overflow issue was found in various systems' Bluetooth subsystem processing the pending configuration packets received from a client. As a result, a client could send arbitrary L2CAP configuration parameters which were stored in a stack buffer object. These parameters could exceed the buffer length, overwriting the adjacent kernel stack contents. This exchange occurs, prior to any authentication, when establishing a Bluetooth connection. An unauthenticated user, who is able to connect to a system via Bluetooth, could use this flaw to crash the system or potentially execute arbitrary code on the system if not secured correctly. If the Linux kernel stack protection feature (CONFIG_CC_STACKPROTECTOR=y) is on then you're not going to be vulnerable.

    Not impressed with the press release at all I'm afraid

    It does show which vendors of equipment pay attention, develop patches and deserve respect

    Regards

    John Jones
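
The bug class described in the comment above, shown from the fix side as an added example (not code from this thread, the Armis paper, or any vendor's Bluetooth stack): peer-supplied type/length/value options are copied into a fixed-size response buffer, and every read and write is bounds-checked so an oversized or truncated request is rejected instead of overwriting adjacent stack memory. The names `conf_opt_append`, `build_conf_rsp`, `RSP_BUF_SIZE` and all byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RSP_BUF_SIZE 64 /* hypothetical size of the fixed response buffer */

/* Append one type/length/value option at dst[used], never writing at or
 * beyond dst[cap]. Returns the new used length, or -1 if it does not fit. */
static int conf_opt_append(uint8_t *dst, size_t cap, size_t used,
                           uint8_t type, const uint8_t *val, uint8_t len)
{
    if (used > cap || cap - used < (size_t)len + 2)
        return -1; /* the check whose absence turns this into an overflow */
    dst[used] = type;
    dst[used + 1] = len;
    memcpy(dst + used + 2, val, len);
    return (int)(used + 2 + len);
}

/* Copy every option from the peer's request into the response buffer.
 * The peer controls all of req, including each length byte, so both the
 * read side (req) and the write side (rsp) are checked.
 * Returns bytes written to rsp, or -1 on malformed or oversized input. */
int build_conf_rsp(const uint8_t *req, size_t req_len,
                   uint8_t *rsp, size_t rsp_cap)
{
    size_t off = 0;
    int used = 0;

    while (off < req_len) {
        if (req_len - off < 2)
            return -1; /* truncated option header */
        uint8_t type = req[off], len = req[off + 1];
        off += 2;
        if (req_len - off < len)
            return -1; /* length field points past the received data */
        used = conf_opt_append(rsp, rsp_cap, (size_t)used, type, req + off, len);
        if (used < 0)
            return -1; /* response buffer full: reject the whole request */
        off += len;
    }
    return used;
}

/* Constructed input: two small options that fit. Returns bytes written. */
int demo_fits(void)
{
    const uint8_t req[] = { 0x01, 0x02, 0xA0, 0x02, 0x02, 0x02, 0xFF, 0xFF };
    uint8_t rsp[RSP_BUF_SIZE];
    return build_conf_rsp(req, sizeof req, rsp, sizeof rsp);
}

/* Constructed input: 20 options of 4 bytes each (80 bytes) aimed at a 64-byte
 * buffer. Returns 1 if the call was rejected and the guard bytes are intact. */
int demo_oversized_rejected(void)
{
    struct { uint8_t rsp[RSP_BUF_SIZE]; uint8_t guard[8]; } frame;
    uint8_t req[80];
    for (size_t i = 0; i < sizeof req; i += 4) {
        req[i] = 0x01; req[i + 1] = 0x02; req[i + 2] = 0x41; req[i + 3] = 0x41;
    }
    memset(frame.guard, 0xAA, sizeof frame.guard);
    int r = build_conf_rsp(req, sizeof req, frame.rsp, sizeof frame.rsp);
    for (size_t i = 0; i < sizeof frame.guard; i++)
        if (frame.guard[i] != 0xAA)
            return 0;
    return r == -1;
}

/* Constructed input: length field claims 8 value bytes, only 1 was received. */
int demo_truncated(void)
{
    const uint8_t req[] = { 0x01, 0x08, 0x00 };
    uint8_t rsp[RSP_BUF_SIZE];
    return build_conf_rsp(req, sizeof req, rsp, sizeof rsp);
}

int main(void)
{
    printf("fits=%d oversized_rejected=%d truncated=%d\n",
           demo_fits(), demo_oversized_rejected(), demo_truncated());
    return 0;
}
```

Passing the destination capacity into the append helper, rather than trusting the caller to have sized the buffer, is what keeps the check next to the write it protects.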

    1. Re:the actual problem is : a buffer overflow... by Verdatum · · Score: 1

      Still a pretty nasty vulnerability, and not super usual to have one that spans across OSs like this. Leaving this sort of interface open to buffer overflows all the way down at the link-layer is a rookie mistake, and rather alarming to find that it's not implemented with a bit more oversight. Decent static analysis can usually detect these sort of errors.

    2. Re:the actual problem is : a buffer overflow... by StikyPad · · Score: 1

      The white paper is actually very detailed. But the specific vulnerabilities that they discovered are not the meat and bones of the message. The message is that the Bluetooth specification is so overly complicated, and the attack surface so large, that there are almost certainly many more vulnerabilities yet to be identified. I suspect that Bluetooth is akin to Adobe Flash or ActiveX -- something so inherently flawed that the easiest and best thing to do will be to discard it and start over with something better.

  30. A fully patched Samsung Galaxy S8+ is vulnerable by xenobyte · · Score: 1

    This is a flagship phone... Wonder how long it takes Samsung to patch.

    --
    "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
  31. No ASLR in Linux devices? by mike10027 · · Score: 1

    The Ars article about BlueBorne cites someone from Armis claiming that "the majority of Linux devices on the market today don't use address space layout randomization," explaining that ASLR would mitigate the impact of the defect. Is that true about most Linux devices and ASLR? What kind of devices are they talking about? (It notes that Android is not in that category. I would think Android made up the majority of Linux devices, but I guess not.)

  32. Not quite a driveby by Anonymous Coward · · Score: 0

    The blueborn scanner says my bt headsets and ble devices are safe. Nearby phones are not seen unless bt settings are open and discoverable.