Slashdot Mirror

← Back to Stories (view on slashdot.org)

BlueBorne Vulnerabilities Impact Over 5 Billion Bluetooth-Enabled Devices (bleepingcomputer.com)

Posted by BeauHD on from the when-it-rains-it-pours dept.

An anonymous reader quotes a report from Bleeping Computer: Security researchers have discovered eight vulnerabilities -- codenamed collectively as BlueBorne -- in the Bluetooth implementations used by over 5.3 billion devices. Researchers say the vulnerabilities are undetectable and unstoppable by traditional security solutions. No user interaction is needed for an attacker to use the BleuBorne flaws, nor does the attacker need to pair with a target device. They affect the Bluetooth implementations in Android, iOS, Microsoft, and Linux, impacting almost all Bluetooth device types, from smartphones to laptops, and from IoT devices to smart cars. Furthermore, the vulnerabilities can be concocted into a self-spreading BlueTooth worm that could wreak havoc inside a company's network or even across the world. "These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date," an Armis spokesperson told Bleeping Computer via email. "Previously identified flaws found in Bluetooth were primarily at the protocol level," he added. "These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device." Consumers are recommended to disable Bluetooth unless you need to use it, but then turn it off immediately. When a patch or update is issued and installed on your device, you should be able to turn Bluetooth back on and leave it on safely. The BlueBorne Android App on the Google Play Store will be able to determine if a user's Android device is vulnerable. A technical report on the BlueBorne flaws is available here (PDF).

95 of 121 comments (clear)

  1. A headphone jack would be nice right about now by Anonymous Coward · · Score: 5, Funny

    Am I right?

    1. Re:A headphone jack would be nice right about now by Anonymous Coward · · Score: 1

      Sure, but you're a pussy. I'm courageous for using BT.

    2. Re:A headphone jack would be nice right about now by Trax3001BBS · · Score: 1

      Am I right?

      While I have a cable to connect the two, Bluetooth connected headphones are just much nicer/easier. And BlueBorne found my Moto G4 vulnerable.

    3. Re:A headphone jack would be nice right about now by JustAnotherOldGuy · · Score: 1

      Yes, you are correct. But hey, "courage", right?

      --
      Just cruising through this digital world at 33 1/3 rpm...
    4. Re:A headphone jack would be nice right about now by Dr.+Evil · · Score: 1

      The iphone 7 shipped with iOS 10 which is not affected by this issue.

  2. Just in time by Anonymous Coward · · Score: 3, Funny

    for the new iPhone! How do those new earbuds sound? Are they making a "hacking" noise?

    1. Re:Just in time by Anonymous Coward · · Score: 1

      From the link above, it Does not impact iOS 10 or higher so not an issue for updated iPhones. Or updated Macs.

    2. Re: Just in time by that+this+is+not+und · · Score: 1

      It only impcts all the bluetooth peripherals and headphones you might connect to your new iPhone.

    3. Re: Just in time by that+this+is+not+und · · Score: 1

      Except for all the peripherals out there that iOS users are likely to connect to the 'virtual headphone jack' of their sparkly new gadget.

      I guess if it's a speaker or headphone that's not overpriced for sale in the Apple Store, it probably shouldn't be trusted.

    4. Re:Just in time by Actually,+I+do+RTFA · · Score: 1

      Unlike Android devices, iDevices still get updates 5 years later. And this should be fixed on up to date OSes (I believe).

      --
      Your ad here. Ask me how!
    5. Re:Just in time by BronsCon · · Score: 1

      How do you check the firmware version on your headphones?

      You do get that this affects all bluetooth devices and not just phones, right?

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    6. Re:Just in time by Actually,+I+do+RTFA · · Score: 1

      I totally get it, although I'm sure my headphones aren't affected. (They are wired). But the context of the post I was responding to was about the timing being convenient vis-a-vis the new iPhone coming out. You know, so although what you said is true, it's immaterial.

      That said, you can usually query the firmware via your desktop Bluetooth to find out the firmware version/do an OTA update.

      --
      Your ad here. Ask me how!
    7. Re:Just in time by BronsCon · · Score: 1

      Okay, and everyone who uses bluetooth accessories (like headphones) with their "safe" iOS devices? What access might those accessories have once paired to the phone? You might want to look into that, and I'm not so sure I'd call it immaterial given that supposedly patched devices can still be affected.

      That innocuous pair of headphones (their bluetooth headphones, not your wired ones) may well emulate a keyboard (or any other device) and execute any number of exploits once paired to a supposedly patched phone. That's actually not something your phone can be patched to protect against, so as long as the accessories are vulnerable, so is the phone they're used with. In fact, even if the exploits mentioned in TFA didn't exist, a rogue bluetooth device you pair with your phone can still PWN it. Hardly immaterial.

      Unless, of course, you truly believe the fact that a fully patched and up-to-date iPhone can still be (indirectly) affected by this exploit is immaterial; in which case, please stay away from the security industry.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    8. Re:Just in time by Actually,+I+do+RTFA · · Score: 1

      What access might those accessories have once paired to the phone?

      Umm.... quite little. The protocols for non-BLE devices are pretty strict, and BLE is entirely dependent on the phone to pull information from the device.

      That innocuous pair of headphones (their bluetooth headphones, not your wired ones) may well emulate a keyboard

      That is a concern, but not significantly more than a generic malicious device. I'm not 100% sure about most OSes, but most I've seen require you to select a device both by name and (iconagraphically) by type of device (headset, headphones, keyboard, mouse, etc.).

      a rogue bluetooth device you pair with your phone can still PWN it.

      Probably. I'm not sure, I haven't seen many attacks of that type.

      Unless, of course, you truly believe the fact that a fully patched and up-to-date iPhone can still be (indirectly) affected by this exploit is immaterial;

      It's not immaterial, but it's not as critical as a bug in the Bluetooth stack. I consider your complaint to be analogous to responding to a statement about Heartbleed not affecting, I dunno, FreeBSD OSes with "but they might still download and run software from hacked servers." While true, and not totally to be discounted, it's important to note which OSes are directly affected.

      --
      Your ad here. Ask me how!
    9. Re:Just in time by BronsCon · · Score: 2

      It's not immaterial, but it's not as critical as a bug in the Bluetooth stack.

      Right. Now, consider it in concert with a bug in the bluetooth stack that allows any once-trusted device already paired with your phone to suddenly become a rogue device.

      The reality is, that's exactly what we've got here and, as you admit:

      a rogue bluetooth device you pair with your phone can still PWN it.

      Probably. I'm not sure, I haven't seen many attacks of that type.

      If you'd not seen it at all you'd have said so, which tells me you've seen it at least once and are slyly owning to the possibility.

      See the problem yet?

      Let me spell it out for you: unlike your Heartbleed/FreeBSD statement, which requires the end user (likely a qualified sysadmin) to do something stupid, your iOS device can still be affected by this without your intervention if you use any bluetooth accessories.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    10. Re:Just in time by Gr8Apes · · Score: 1

      The reality is, it's the same base issue as with the USB bus or any insufficiently protected external protocol.

      --
      The cesspool just got a check and balance.
    11. Re: Just in time by BronsCon · · Score: 1

      Bingo. So many people, even here where the same story about such literally un-patchable vulnerabilities has been posted more than a handful of times, choose to remain ignorant of reality, though.

      The difference here, from a typical USB device, however, is that your affected Bluetooth accessories may have their firmware "updated" without any physical interaction, whereas you would have to be duped into running a rogue firmware installer or plugging the device into a malicious machine to have your USB devices reprogrammed in such a manner.

      That said, with unknown and untrusted (read: found or of dubious origin or manufacture) devices, you're just as vulnerable pairing a Bluetooth device as you are plugging in a USB device.

      Again, you know this, I know this, but the masses remain ignorant of it. Even here.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    12. Re: Just in time by Gr8Apes · · Score: 1

      From a security standpoint, BT should be off on your devices except when you explicitly need to use them. There's far more reasons than just this vulnerability for that statement. In fact, ideally, you would turn off all radios on your phone when you're not needing it and for the tinfoil hat crowd, drop it into a heavy duty electrostatic bag.

      That said, wrt to BT vs USB vulnerabilities that I'm aware of, both require action by the user to actually work (BT requires pairing, USB requires you to plug it in) The USB one appears to be a greater risk, as that can operate in the true virus sense and infect everything you connect. The BT path just opens a potential vector. I'm not sure why both ends of a BT pairing cannot specify what the device operations are limited to. That seems to be a grossly neglected level of operational security that should have just been part of the protocol handshake - hi, I'm an audio device, hello, you have audio capabilities and are authorized for audio. Done.

      In fact, you'd think they would have included that in USB as well, although that doesn't prevent the firmware attacks. There's no reason for a mouse to be able to do anything other than return clicks and locations for example. That could be handled by OS upgrades to the default drivers though even if it's one sided. BT could be handled the same way I guess.

      --
      The cesspool just got a check and balance.
    13. Re: Just in time by BronsCon · · Score: 1

      Ugh... I had typed out an in-depth response to this, hit preview, then closed the window. I'll try to recreate as much of that as possible, but I reserve the right to post updates and corrections. I'll also skip the bits about how disappointed I am in you having missed the glaring obviousness of the vulnerability here (especially as it's discussed in TFS) as I don't think that really needed two paragraphs, even if I have come to expect better from you, and get right to the meat and potatoes.

      The long and the short is that you have to have a USB device plugged into an infected system to have an issue with USB, while just having a vulnerable bluetooth device (which includes the current majority of accessories, and likely will for the foreseeable future) in the same general area as an infected device can infect it. I can set a rogue USB drive on top of my computer and leave it there indefinitely and nothing happens; if I walk by someone with infected headphones, though, my own headphones may become infected. My own headphones, which are already paired to my phone, mind you. This isn't something the pairing process can save me from; I'm not pairing someone else's already fucked headphones to my phone, my already paired headphoens are getting fucked.

      Regarding USB, we have things like Logitech's Unifying receiver, which presents a generic interface (for pairing control) and up to 6 keyboards and mice, and we have things like mice with extra buttons that send keystrokes (the non-programmable ones actually act as keyboards, no special driver emulating the keystrokes) that need to be considered before we can say one physical device == one logical device. Even if we did say that, those could still exist because that logical device could simply be a hub with virtual devices plugged into it; which, of course, would still allow things like BadUSB to work. Rest assured it's been done in a lab, and that is not conjecture.

      We don't have bluetooth hubs, so we could technically implement that for bluetooth, but it would almost immediately make the technology immensely less popular. Some people actually use the feature of their pricey bluetooth speakers, headphones, and cars wherein the device pulls a copy of your phone book and offers its own voice-dialing functionality based on that data. That requires your "audio device" to also be a "dialing device" and a "phonebook device". Even more use the play control and volume buttons, which act as a "keyboard device". Sure, these are all still usable as audio devices if we remove multi-function capabilities from the protocol, but it becomes a lot less attractive to the end user; and do you really want your average driver having to fuck with their phone to change songs?

      Beyond that, we already have the ability to see what services a paired bluetooth device exposes and enable/disable them at will, at least on Android. A new pairing resets that (and should; often times that's the first suggested -- and most effective -- step in troubleshooting in case someone's fucked with those settings) and all a newly-infected device need do is "oops I glitched out and forgot my pairing" force the user to re-pair in order to reset any restrictions. And we already know that relying on users to secure themselves is folly; most won't know what the individual permissions even mean and the rest won't connect why some might or might not be needed. Case in point, the woman in front of me in the Target customer service line about a year and a half ago, returning a bluetooth speaker, ranting about how she's a security researcher with a Masters in CS and how she's "appalled that it wants to act as an input device and read her phone book which, of course, I did not allow -- and, by the way, the play and skip buttons don't work." Of course they didn't work, she disabled its ability to act as an input device, while claiming to hold a degree in Computer Science.

      See the problem yet?

      The industry has dumbed itself down to allow anyone a

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    14. Re: Just in time by Gr8Apes · · Score: 1
      I hear you, however, my point was don't have BT on unless you need it. In my case, that's very very very seldom with anything except my HTPC. I admit I skimmed TFS and didn't believe the severity that was stated. I was under the impression that computers and laptops were "ok" but devices attached to them weren't. That's probably some misinformation from some responses I also read across the couple of days, so what I read probably got shoved aside by other concerns, as I'm not a big BT user (ie, I didn't pay as much attention as I would have if, say, SSDs had been the problem device) That said, if this truly is as bad as BadUSB with effectively you plugging in every single USB device you pass, then its a really huge problem.

      Case in point, the woman in front of me in the Target customer service line about a year and a half ago, returning a bluetooth speaker, ranting about how she's a security researcher with a Masters in CS and how she's "appalled that it wants to act as an input device and read her phone book which, of course, I did not allow -- and, by the way, the play and skip buttons don't work."

      Quite honestly, I get the input device for play/skip buttons, but phone book? And input device seems overly generic and broad for "audio input device" functionality, which would only have limited input functionality, no general keyboard.

      Finally, I agree, you can't fix stupid. And stupid is what a large segment of the consumer base is when it comes to these devices, and when it comes to security, well, it's like finding a needle in all the haystacks in a country. Sadly, that not just related to computers. An astoundingly small percentage of people can fix their own brakes, change their own oil, repair a sprinkler head, replace a faucet, sharpen a mower blade, or even hammer a nail to hold a fence board it seems, never mind working on anything connected to an electrical power source of any sort.

      --
      The cesspool just got a check and balance.
  3. When a patch or update is issued... by fustakrakich · · Score: 5, Insightful

    You're device will be too old to update. You'll have to buy a new one. Neat trick, huh?

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:When a patch or update is issued... by arth1 · · Score: 2

      You're device

      No, I'm human. Mostly.

    2. Re:When a patch or update is issued... by PolygamousRanchKid+ · · Score: 1

      No, I'm human. Mostly.

      Yes, you are . . . Number Six . . .

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    3. Re:When a patch or update is issued... by fustakrakich · · Score: 1

      More likely you are mostly bacteria that assumes a human form. Your intelligence comes from the super worms living in your digestive tract.

      Though I'm not ungrateful for your reminder, most people can let the typos slide

      --
      “He’s not deformed, he’s just drunk!”
    4. Re:When a patch or update is issued... by Solandri · · Score: 2
      TFA linked in summary had a lot of scary hype and little info. The vulnerability was found earlier this year and affected companies were notified in April. So they've had several months to work on fixes. The vulnerability was made public recently after giving these companies time to prepare patches.
      • Microsoft patched it in Windows back in July (Windows Phone was not affected, if you're one of the handful of people still using it).
      • Apple has fixed it in iOS version 10, but is not patching older version of iOS (they want you to update to version 10).
      • Google is patching all versions of Android from version 4.4.4 (Kit Kat) and newer. But whether manufacturers and carriers will pass on those patches to end-user devices remains to be seen.
      • Samsung declined to comment.
    5. Re:When a patch or update is issued... by JustAnotherOldGuy · · Score: 1

      Yes, you are . . . Number Six . . .

      I am not a number, I am a free man!

      --
      Just cruising through this digital world at 33 1/3 rpm...
    6. Re:When a patch or update is issued... by Big+Hairy+Ian · · Score: 1

      Good luck trying to get this patched on your Android device and what about all the devices we connect to

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    7. Re:When a patch or update is issued... by ggendel · · Score: 1

      This is the reason I picked up a Blackberry Android device. If nothing else, Blackberry has been true to their word about keeping their phones secure. I ran the vulnerability checker and it claims that my Priv is properly patched (at least by the first week of September when the last monthly patches came).

    8. Re:When a patch or update is issued... by arth1 · · Score: 1

      Though I'm not ungrateful for your reminder, most people can let the typos slide

      Writing "yoir" instead of "your" would be a typo.
      Writing "you're" instead of "your" is not a typo; it's ignorance.

    9. Re:When a patch or update is issued... by fustakrakich · · Score: 1

      :-) Sure, anything you say. I'm not one to argue pedantry. I'll leave all that up to yoi

      --
      “He’s not deformed, he’s just drunk!”
  4. Bluetooth now useless for many Android devices by Anonymous Coward · · Score: 2, Informative

    I'd like to think these vulnerabilities will be fixed, but many Android devices don't get updates in a timely manner if at all. Must Bluetooth be permanently disabled on many of those devices?

    1. Re:Bluetooth now useless for many Android devices by darth+dickinson · · Score: 1

      Yeah that's what I'm worried about. I have a couple of LG devices (a V10 and an X-Pad) and it took them forever to get Android 7. I have yet to see any kind of security update for them, including the year leading up to the Android N upgrade.

      Although the BlueBorne checker that I downloaded seems to indicate that if your device isn't discoverable, that it can't be infected. I'm probably wrong on that, however.

    2. Re:Bluetooth now useless for many Android devices by Anonymous Coward · · Score: 1

      Android is shit. Majority of Android devices older than 1-2 years can be pwned remotely over the air via either WiFi (shitty Broadcom drivers) or Bluetooth (shitty stack) over the air.

      Good luck.

    3. Re:Bluetooth now useless for many Android devices by that+this+is+not+und · · Score: 1

      But it's highly likely they won't.

  5. So... by locater16 · · Score: 1

    So just turn off bluetooth forever and keep it off? I've got a wireless mouse but that's all I use bluetooth for. I suppose the most vulnerable devices would be phones in close proximity, a densely populated city or something.

    1. Re:So... by PolygamousRanchKid+ · · Score: 2

      So just turn off bluetooth forever and keep it off? .

      Gee, that old-fashioned audio jack ain't lookin' too bad right now . . .

      I usually leave Bluetooth off anyway, because of the battery drain.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    2. Re:So... by berj · · Score: 1

      Having a device that actually gets timely updates is what's actually not lookin' too bad right now.

      And as a point of reference.. this vulnerability was patched in iOS before Apple released the first phone without a standard headophone jack.

      Though even if that *weren't* the case.. one can still plug in normal headphones..

    3. Re:So... by that+this+is+not+und · · Score: 1

      Or, continue to use your device, but not for critical things like financial transactions.

      I don't care if they steal my contacts list. Are they going to steal my precious cookies and post pro-Apple spam under my name on Slashdot? (That I would worry about)

    4. Re:So... by BronsCon · · Score: 1

      Ah, yes, but the headphones themselves will still be vulnerable... then you'll connect pair them to your phone and... well? What security actually is there at that point? I'm not saying there isn't any, I'm asking.

      What data might infected headphones, or an infected speaker, or an older iPad that can't run iOS 10, or whatever else have you, be able to exfiltrate from your non-vulnerable iPhone, Windows phone, Mac, or PC? Or, really, from anything else it connects to (including patched Android devices)?

      I haven't really seen anyone considering that in this discussion thus far. I feel like most people assume (and probably correctly) that there is little or no risk from this, but who's verified it? I'm certainly not qualified to and I feel as though those who are have not.

      I also wonder if my car's bluetooth implementation is vulnerable and, if so, will it receive a patch when I take it in for the airbag recall that is currently pending?

      This isn't just about your phone, people...

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  6. Eh? by Hognoxious · · Score: 1

    So does almost everybody in the world own a BT device?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    1. Re:Eh? by darth+dickinson · · Score: 1

      Either that, or many people own multiple. There are four sitting on my desk here at work (although two belong to my employer).

    2. Re:Eh? by Paradise+Pete · · Score: 1

      So does almost everybody in the world own a BT device?

      On average, I suppose, but just off the top of my head I own more than a dozen.

    3. Re:Eh? by PolygamousRanchKid+ · · Score: 1

      So does almost everybody in the world own a BT device?

      In Putinist Amerika . . . Bluetooth owns you!

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    4. Re:Eh? by reboot246 · · Score: 1

      I own a phone that has Bluetooth available, but I never turn Bluetooth on because I have no use for it. Besides, it drains the battery faster. I also keep GPS and wifi turned off because I don't use them.

      I have a Bluetooth remote for my Amazon FireTV, but I fail to see how it could get infected if it never leaves the house.

    5. Re:Eh? by viperidaenz · · Score: 1

      I have many:
      My phone
      My watch
      My headphones
      My laptop
      My PC
      My 2 TV's
      My speaker dock
      My car stereo

      My wife has many:
      Her phone
      Her headphones
      Her iPod
      Her laptop
      Her tablet
      Her car stereo

      My son has a laptop with bluetooth

      That's 16 devices in my house of 4 off the top of my head
      Doesn't include all the old phones not actively used.
      I've also got a bunch of other devices with bluetooth hardware but no software stack: Raspberry Pi 3, Asus Tinkerboard, Pine64... quite a few of those dev boards have Bluetooth.

    6. Re:Eh? by skids · · Score: 1

      Don't forget the game consoles, often in use well past their EoS date.

      --
      Someone had to do it.
    7. Re:Eh? by cfalcon · · Score: 1

      > So does almost everybody in the world own a BT device?

      Owning a single blutooth device means you aren't a BT user. Everyone who wants to use BT needs TWO of them, bare minimum, to get any utility from it. So you have "every single phone" accounting for whatever small percent of people own a SINGLE device, and then you have it placed on a variety of other things- mice, keyboards, headphones, peripherals- to actually interface with their computer/phone/console/car.

    8. Re: Eh? by that+this+is+not+und · · Score: 1

      Then you also probably have an Amazon Fire TV with an active bluetooth transciever. What sort of OS is it running?

    9. Re:Eh? by GNious · · Score: 1

      Lemme see, every mobile phone I've bought in this millennium has had BT support
      Some of the land-line phones/handsets I bought a decade ago has BT support
      I probably have 4-5 BT headsets somewhere (mono, stereo, headset-adapters)
      My Bragi Dash have 2 BT implementations (one for music/phone, one for health-monitoring)
      My PS3, along with its regular and Move controllers, use BT
      The PS4 might too, not sure.
      The Nintendo Wii's wiimotes are supposedly BT
      Got an Ethernet-PAN gateway somewhere
      A couple of keyboards using BT
      Some computer-mice using BT
      My Harmony remote base-station uses BT to control some devices (like the PS3, PS4 etc)
      A LOT of the IoT stuff I've been looking at uses BT ...

      Question is, who in the various 1st world countries, doesn't have at LEAST 1 BT enabled device these days?

  7. great movie sequel title by turkeydance · · Score: 1

    the Bo(u)rne Vulnerabilities. well, not that great

    1. Re: great movie sequel title by that+this+is+not+und · · Score: 1

      Vulnerabilities in /bin/sh ?

      My NetBSD box may be vulnerable.

  8. Terrific! by Anonymous Coward · · Score: 2, Interesting

    I didn't really want to use my keyboard and mouse with my laptop when sitting at my desk anyway. I'll just go ahead and turn off bluetooth for all my devices. My Apple Pen and iPad should probably be locked down too. HELPFUL!

    1. Re:Terrific! by deviated_prevert · · Score: 1

      What about my car? It has several functions tied to BT

      One hack that might be useful is to pull up to the morons with their car stereos blasting away in a traffic jam and mute them! Apart from that and perhaps screwing up their hands free phone while they yap away while driving apart from that essentially nothing. Fun though if you could pull up and make their stereo play Le Sacre Du Printemps at full volume. The core functions of the auto if somehow connected to the entertainment/infotainment devices that can be accessed over the air waves would be a stupid design to say the least. This is the reason why I would never enable GM's onstar service, or buy any car with remote access capabilities other than a simple keyfob.

      --
      This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
    2. Re:Terrific! by that+this+is+not+und · · Score: 1

      make their stereo play Le Sacre Du Printemps at full volume.

      No. Better. Find the resonant frequency of their automobile's chassis and literally shake it apart with subsonics.

  9. My lettuce is wilting! by A10Mechanic · · Score: 1

    Good luck getting an update for your Bluetooth enabled refrigerator.

    1. Re:My lettuce is wilting! by scdeimos · · Score: 2

      Good luck getting an update for your Lenovo devices, too.

  10. I am shocked, shocked I tell you by WillAffleckUW · · Score: 2, Funny

    And there is no truth to the ability of the new iPhone X to use your face to allow the feds to unlock your phone and turn on bluetooth without telling you.

    Really.

    Trust us.

    We would never do that.

    By the way, you really need to get that mole looked at.

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:I am shocked, shocked I tell you by Jeremi · · Score: 1

      If Apple wants to allow your iPhone to be surreptitiously unlocked by the feds, they have approximately 875 way to accomplish that, which would be less work and less noticeable than by introducing a vulnerability in their face-recognition software.

      (OTOH it's not clear how facial recognition would prevent someone who has physical access to your phone from pointing the phone at your face and saying "hey, look at this")

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
    2. Re:I am shocked, shocked I tell you by rbgaynor · · Score: 1

      iOS 11 allows you to lock out Touch ID and Face ID using the wake/sleep physical switch on the phone. So easy you can do it without taking the phone ou of your pocket.

      --
      "Good things don't end with eum, they end with mania or teria." - H. Simpson
    3. Re:I am shocked, shocked I tell you by rbgaynor · · Score: 1

      iOS 10 (released in September 2016) fixed the Bluetooth vulnerability.

      --
      "Good things don't end with eum, they end with mania or teria." - H. Simpson
    4. Re:I am shocked, shocked I tell you by blindseer · · Score: 1

      Ah, but you see I write my password backwards on my forehead. I'm the only one that can read it, using a mirror.

      --
      I am armed because I am free. I am free because I am armed.
  11. blueborn goes wild! by jriding · · Score: 2

    What and no exploit code released?

    Bastards :-(

    --
    love the taste, hate the texture
  12. Re:How convenient by InvalidsYnc · · Score: 1

    What will it be infecting you with?

  13. Clarification by ilsaloving · · Score: 1

    Regarding Apple, *OLD* version of iOS have vulnerabilities. The 10.x series does not have the issues described.

    https://www.armis.com/blueborn...

    Also, OSX isn't vulnerable to the described exploits.

    1. Re:Clarification by 93+Escort+Wagon · · Score: 1

      I have an old, jailbroken iPad still sitting on iOS 8.4 - but it doesn't leave the house, so I'm not too worried.

      There seems to be a bit of fear-mongering here with regards to iOS. As of July, 87% of iOS devices were running iOS 10.x... and so not vulnerable to this.

      And as you mentioned - OS X / macOS devices are not vulnerable.

      --
      #DeleteChrome
    2. Re:Clarification by that+this+is+not+und · · Score: 1

      According to how the propaganda^d^d^d informative video put it, any other bluetooth device can travel into proximity to your old iPad and infect it. Your friend's phone, the UPS delivery guy's phone. Your sister's bluetooth vibrator...

  14. Mainstream linux has it patched already by deviated_prevert · · Score: 5, Informative

    Redhat had it covered first. Debian now has it patched. I would imagine that MS Server, Win7 and Win10 might not be too far behind considering that the real danger of this exploit is access to corporate networks that use bluetooth devices. Fortunately most thin clients do not have bluetooth built in otherwise this could become another update nightmare for MS admins. Either way I don't think this will effect the Microsoft servers users too much. What I do foresee is a rapid removal of bluetooth mice and a server side disabling of the usb bluetooth stack happening in major business until Microsoft patches the windows bluetooth stack.

    --
    This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
    1. Re:Mainstream linux has it patched already by deviated_prevert · · Score: 1

      Sure enough it is serious enough and there is a Windows server patch available as of today. Koodos to Microsoft for getting it out quickly, now if it is applied effectively without updating the language packs by mistake it might make using bluetooth devices on your systems safe again. I doubt that the black hats have figured out how to exploit this hole remotely as of yet. But it would really be a PITA if the exploit could somehow be used over the web to compromise servers.

      --
      This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
    2. Re:Mainstream linux has it patched already by deviated_prevert · · Score: 1, Insightful

      Microsoft weren't the quick ones. From here:

      Microsoft – Contacted on April 19, 2017 after which details were shared. Updates were made on July 11. Public disclosure on September 12, 2017 as part of coordinated disclosure.

      ...

      Linux – Contacted August 15 and 17, 2017. On September 5, 2017, we connected and provided the necessary information to the the Linux kernel security team and to the Linux distributions security contact list and conversations followed from there. Targeting updates for on or about September 12, 2017 for coordinated disclosure.

      What are you talking about Microsoft was quick, it only took them 5 and half months this time around which for Microsoft is at the speed of light when it comes to patching a serious hole. This is why the the hole was not disclosed earlier to the Linux crowd the bluez patch would have happened by late April giving time for the hackers to figure out how to hack the Windows bluetooth stack which the Linux pirates copied profusely to enable bluetooth devices on linux.

      --
      This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
    3. Re:Mainstream linux has it patched already by that+this+is+not+und · · Score: 1

      Is all information about this centered at this Armis Corporation? Seems they have a pretty big stake in any hysteria that can be spun up.

      I looked at their website, but they won't tell me much about them without me telling NoScript that they are 'the good guys.'

  15. Does one really need the BlueBorne app? by Trax3001BBS · · Score: 1

    Could be wrong as I don't know what BlueBorne app does. But reading the PDF it could be as easy as checking your "About Phone (device)" and seeing if your WiFi MAC address is one digit off of your Bluetooth MAC address. I show as vulnerable and my MAC addresses end with one a digit higher.

    So one should be able to view MAC addresses and if sequential, vulnerable

    1. Re:Does one really need the BlueBorne app? by viperidaenz · · Score: 2

      Looks like the vulnerabilities that impact Android are in the BlueZ bluetooth stack.
      Nothing to do with the MAC address of your Bluetooth/Wifi, of if Bluetooth and WiFi are contained in the same piece of hardware (I doubt any phone has a separate Bluetooth chip anyway, it would require a separate bluetooth antenna, cost more and take up more space)

    2. Re:Does one really need the BlueBorne app? by Trax3001BBS · · Score: 5, Informative

      Looks like the vulnerabilities that impact Android are in the BlueZ bluetooth stack.
      Nothing to do with the MAC address of your Bluetooth/Wifi, of if Bluetooth and WiFi are contained in the same piece of hardware (I doubt any phone has a separate Bluetooth chip anyway, it would require a separate bluetooth antenna, cost more and take up more space)

      From PDF in summery
      "If the device generates no Bluetooth traffic, and is only listening, it is still possible to “guess” the
      BDADDR, by sniffing its WiFi traffic. This is viable since WiFi MAC addresses appear unencrypted
      over the air and due to the widely accepted norm of OEMs and hardware manufacturers that the
      MACs of internal Bluetooth/WiFi adapters are either the same, or only differ in the last digit (one
      being +1 of the other"

    3. Re:Does one really need the BlueBorne app? by Macfox · · Score: 1

      Having the BDADDR enhances the attacks, by making it easier to connect to targets. The vulnerabilities are still needed, so the app should be checking SW builds/versions. One would hope the app is as sophisticated as the work gone into this discovery/release.

      --
      Area51 - We are watching...
  16. Security fixes for android? by mveloso · · Score: 1

    I'm still waiting for the Broadcom wifi fix. At this rate it'll be 2100 before this BT bug will be patched.

    1. Re:Security fixes for android? by q4Fry · · Score: 1

      +1 in the "Me, too" sense.

  17. I have a prediction by viperidaenz · · Score: 2

    Lenovo won't release a security update for the Moto X 2014
    It's still on August 2016 patch level, 13 months old now...

  18. Re:How convenient by markdavis · · Score: 1

    >"Sounds like scare tactics to promote an app to me. What data will it be slurping up?"

    It required no permissions at all, interestingly.

  19. Already patched in iOS by khchung · · Score: 1

    In the article: "Who is affected.... All iPhone, iPad and iPod touch devices with iOS 9.3.5 and lower"

    The latest version of iOS is 10.3.3. So it has long been patched in the current major version.

    Sensationalist headline on /., why am I not surprised?

    --
    Oliver.
    1. Re:Already patched in iOS by madbrain · · Score: 1

      Many iOS devices are not capable of being upgraded to iOS 10 . This is the case for my old iPad 2 which is on iOS 9.3.5 and can't be patched.

      --
      -- Julien Pierre http://www.madbrain.com/blog
  20. Re:Patches for some systems already released by rbgaynor · · Score: 1

    iOS 10 was initially released in September of 2016, so Apple devices have been safe for almost a year. macOS was not vulnerable.

    --
    "Good things don't end with eum, they end with mania or teria." - H. Simpson
  21. Ios10 and higher not exploitable by sethmeisterg · · Score: 1

    If you actually read the paper: Impact Due to the fact this vulnerability was mitigated in iOS version 10, a full exploit was not developed by us. Despite this, this vulnerability still poses a great risk to any iOS device prior to version 10, as it is does not require any user interaction or configuration of any sort on the targeted device, and can be leveraged by an attacker to gain remote code execution in a very high privileged context (the Bluetooth process).

    1. Re:Ios10 and higher not exploitable by that+this+is+not+und · · Score: 1

      The iGadget is fine. Fort Knox secure. Not necessarily so for anything else that you connect to with your iGadget, though.

      So don't be worried. Not at all. If your Bluetooth keyboard is compromised by some (any?) other random device that comes in range, you won't later use said keyboard to send any key critical information to your iPad. Right?

  22. MacOSX by manu0601 · · Score: 1

    MacOSX is oddly absent from the paper. If it had no flaws, it would have been worth a mention, so what? Not interesting to test?

  23. Holy shit by JustAnotherOldGuy · · Score: 1

    "Researchers say the vulnerabilities are undetectable and unstoppable by traditional security solutions. No user interaction is needed for an attacker to use the BleuBorne flaws, nor does the attacker need to pair with a target device. They affect the Bluetooth implementations in Android, iOS, Microsoft, and Linux, impacting almost all Bluetooth device types, from smartphones to laptops, and from IoT devices to smart cars."

    Jesus fuckin' christ, could this get any worse? Yes, of course it can:

    "...the vulnerabilities can be concocted into a self-spreading BlueTooth worm..."

    Well that's just fucking great.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  24. I can see a legit use for it by menkhaura · · Score: 2

    I can see a legitimate use for this vulnerability: disable mobiles of drivers who insist on texting while driving. With a little sophistication, it can be done automatically, with your own phone safely in your pocket.

    --
    Stupidity is an equal opportunity striker.
    Fellow slashdotter Bill Dog
  25. Re:How convenient by that+this+is+not+und · · Score: 1

    What I am wondering is, since scary dudes in Corporation on the linked video have designed a whole logo for this thing, and named the 'collection of vulnerabilities' have they also trademarked said logo and name? The video looks pretty slick and corporate and has a url at the end that we're all supposed to navigate to.

  26. Re:Fixed in iOS 10 by that+this+is+not+und · · Score: 1

    What about the thousands of different Bluetooth headphones that people might be using to connect to their iPhone?

    Will Apple come out with a sticker 'Apple Approved Safe Bluetooth Device' and inform their customers that it's time to landfill all their old stuff and come flash plastic at the Apple Store?

  27. Just Who Is "Armis, Inc." by that+this+is+not+und · · Score: 1

    Everything seems to reference back to them.

    Is this an informercial for this outfit, who are showcasing the 'vulnerability' that they detected. Looking around on their webpage (with Noscript on, so there is probably 'stuff' they can't run in my browser that they want to run) it looks like they don't have a lot of customers. Is this their niche marketing angle?

    Do they have the term they coined for this 'collection of vulnerabilities', 'BlueBorne' as a trademark. Is that scary logo they flash around in their video one of their trademarks?

    Maybe somebody here on Slashdot, who isn't somebody who has just shown up with a fresh UID and is a 'big expert' on this sudden new phenomenon, can vouch for them.

  28. Re: Fixed in iOS 10 by that+this+is+not+und · · Score: 1

    That's a worthy question.

    You didn't provide an answer.

  29. the actual problem is : a buffer overflow... by johnjones · · Score: 4, Informative

    so yes its basically like wifi, cables are reliable

    there is a buffer overflow in some versions of windows/linux/iOS

    this has been patched in recent versions of all the OS's
    its not a replicating worm per se unless you count all the people who have downloaded an "app" to check if they are vulnerable...

    the videos and documentation on their website give absolutely no details and completely pointless, this is what happens when you let a media company deal with a buffer overflow

    Actual information :

    Background Information
    The Logical Link Control and Adaptation Layer Protocol (L2CAP) works at the data link layer in the Bluetooth stack. It provides services such as connection multiplexing, segmentation and reassembly of packets for upper layer protocols such as Bluetooth. It facilitates higher level protocols to transmit and receive L2CAP data packets to and from clients.

    A stack buffer overflow issue was found in various systems Bluetooth subsystem processing the pending configuration packets received from a client. As a result, a client could send arbitrary L2CAP configuration parameters which were stored in a stack buffer object. These parameters could exceed the buffer length, overwriting the adjacent kernel stack contents. This exchange occurs, prior to any authentication, when establishing a Bluetooth connection. An unauthenticated user, who is able to connect to a system via Bluetooth, could use this flaw to crash the system or potentially execute arbitrary code on the system if not secured correctly. if the Linux kernel stack protection feature (CONFIG_CC_STACKPROTECTOR=y) is on then your not going to be vulnerable.

    Not impressed with the press release at all I'm afraid

    It does show which vendors of equipment pay attention, develop patches and deserve respect

    Regards

    John Jones

    1. Re:the actual problem is : a buffer overflow... by Verdatum · · Score: 1

      Still a pretty nasty vulnerability, and not super usual to have one that spans across OSs like this. Leaving this sort of interface open to buffer overflows all the way down at the link-layer is a rookie mistake, and rather alarming to find that it's not implemented with a bit more oversight. Decent static analysis can usually detect these sort of errors.

    2. Re:the actual problem is : a buffer overflow... by StikyPad · · Score: 1

      The white paper is actually very detailed. But the specific vulnerabilities that they discovered are not the meat and bones of the message. The message is that the Bluetooth specification is so overly complicated, and the attack surface so large, that there are almost certainly many more vulnerabilities yet to be identified. I suspect that Bluetooth is akin to Adobe Flash or ActiveX -- something so inherently flawed that the easiest and best thing to do will be to discard it and start over with something better.

      --
      https://www.eff.org/https-everywhere
  30. A fully patched Samsung Galaxy S8+ is vulnerable by xenobyte · · Score: 1

    This is a flagship phone... Wonder how long it takes Samsung to patch.

    --
    "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
  31. No ASLR in Linux devices? by mike10027 · · Score: 1

    The Ars article about BlueBorne cites someone from Armis claiming that "the majority of Linux devices on the market today don't use address space layout randomization," explaining that ASLR would mitigate the impact of the defect. Is that true about most Linux devices and ASLR? What kind of devices are they talking about? (It notes that Android is not in that category. I would think Android made up the majority of Linux devices, but I guess not.)