
Billions of devices imperiled by new clickless Bluetooth attack - mcone
https://arstechnica.com/information-technology/2017/09/bluetooth-bugs-open-billions-of-devices-to-attacks-no-clicking-required/
======
sillysaurus3
Stuff like this is why physical pentesting is so effective. If you sneak into
a company and stick a raspi in a corner, nobody tends to notice a black box
amidst a bunch of cables. But that black box can attack the dev machines in a
variety of ways: it can be a honeypot wifi AP until someone accidentally
connects to it, at which point you have creds for the real network. Then you
can connect to the real network and look for workstations to attack. Or, as
this article points out, you might be able to use a tricky bluetooth attack to
get onto the workstations directly.

I'm not sure there's any way to protect against this. Physical pentesters tend
to get caught less than 10% of the time. It's very easy to sneak into a
building if you know what you're doing and have confidence. And "knowing what
you're doing" generally consists of "dress up like a construction worker xor
interviewee."

~~~
GFischer
Delivery people... I've had my laptop stolen by a fake delivery worker who
cleaned up the building.

A UPS or DHL uniform will get you most everywhere, and you have an excuse for
carrying bulky stuff.

Edit: Kevin Mitnick's The Art of Deception is an oldie but goodie detailing
most of this stuff.

[https://www.goodreads.com/book/show/18160.The_Art_of_Decepti...](https://www.goodreads.com/book/show/18160.The_Art_of_Deception)

~~~
StillBored
Hmm, what kind of company lets a UPS/etc man past the front desk? It seems
pretty standard practice everywhere I've ever worked that packages went to a
designated spot (front desk, loading dock, etc) and the final recipient was
pinged via email/whatever to come pick it up.

~~~
losteric
My huge employer does - UPS takes the cargo elevator but gets access to the
mailroom, inside the secured premises.

Come to think of it, couldn't a device just be hidden in a package? Like a
small statue delivered to a bad address?

~~~
Splines
You don't even need physical access. Just stick it outside in a planter.

~~~
losteric
Brilliant, plant it by the smoking areas where there are captive targets.

------
bjt2n3904
Link to the whitepaper.

[http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Pa...](http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf)

Part of the attack is on BlueZ's implementation.

> In BlueZ’s case, L2CAP is included as part of the core Linux kernel code.
> This is a rather dangerous choice. Combining a fully exposed communication
> protocol, arcane features like EFS and a kernel space implementation is a
> recipe for trouble.

~~~
crescentfresh
Why are none of the CVE vulnerability ids from that paper coming up for me in
the CVE database? Eg
[http://www.cvedetails.com/cve/CVE-2017-14315/](http://www.cvedetails.com/cve/CVE-2017-14315/)

I tried all 8 of them, none found.

~~~
sillysaurus3
Depends on the newness of the attack. It can take a while for an attack to get
into the CVE DB. Though usually it says "this CVE is reserved" rather than
"not found."

~~~
ghaff
It was only unembargoed at 9AM EDT. More details here:
[https://access.redhat.com/blogs/product-security/posts/blueb...](https://access.redhat.com/blogs/product-security/posts/blueborne)

------
brndnmtthws
As a slightly related side note, I pretty much only turn on bluetooth when I
actually need to use it (which is rarely, such as syncing my Garmin every now
and then). It's a waste of battery power to keep it on, and Bluetooth is also
often used to track people. For example, it's used by traffic monitoring
systems to measure the speed of traffic[1] by storing and tracking the MAC
address.

It would be nice if Android and iOS provided a convenient way to activate
Bluetooth temporarily, only when needed.

[1]: [http://www.tyco-its.com/products-and-services/urban-traffic-...](http://www.tyco-its.com/products-and-services/urban-traffic-control/bluetooth-travel-timespeed-measurement-system)

~~~
flachsechs
> _convenient way to activate Bluetooth temporarily, only when needed_

The slide-up menu in iOS is pretty convenient.... You can do it when the phone
is locked, even. I use it all the time to disable and enable wifi and
bluetooth and use the flashlight.

~~~
brndnmtthws
It'd be nice to use NFC to temporarily activate Bluetooth for a given device,
for the duration of use. Even better if it generated a random MAC address
every time you established the connection, and handled auth entirely in
userspace through encrypted channels. You could bypass the stupid Bluetooth
auth.

~~~
tedunangst
Plus an option to temporarily enable and disable the NFC radio!

------
codedokode
From description of vulnerability in Linux Kernel bluetooth code:

> This function receives a configuration response buffer in the rsp argument,
> and its length in the len argument

> Each element it unpacks from the configuration response is validated and
> then packed back onto a response buffer, which is pointed to by the data
> argument.

> However, the size of this response buffer is not passed into the function

C developers have been repeating the same mistake for years. Why don't they
invent some type or class for safe work with memory buffers?
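
The pattern described in the quote above (and in bjt2n3904's quote from the
whitepaper about L2CAP living in kernel space), as an added example that is
not BlueZ's code, not from the whitepaper and not from any commenter. The
TLV layout, the option numbers, the hint bit and the sample response are all
assumptions made for this example, loosely modeled on L2CAP configuration
options. It shows the vulnerable function shape (an output pointer with no
size) beside the hardened one (size travels with the pointer and is checked
before every write), and a canary check around a stack buffer to show the
hardened version never writes past the declared size:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified config-option TLV: 1-byte type, 1-byte length, value.
 * Layout and option numbers are assumptions for this example, not BlueZ's. */
#define OPT_HINT 0x80 /* hint bit: an option we don't understand is skipped */

/* Unpack the option at rsp[pos]. Returns bytes consumed, or 0 when the input
 * is truncated (which ends the parse loop in both repack variants). */
static size_t get_opt(const uint8_t *rsp, size_t len, size_t pos,
                      uint8_t *type, uint8_t *olen, const uint8_t **val)
{
    if (pos + 2 > len)
        return 0;
    *type = rsp[pos];
    *olen = rsp[pos + 1];
    if (pos + 2 + (size_t)*olen > len)
        return 0;
    *val = rsp + pos + 2;
    return 2 + (size_t)*olen;
}

/* Vulnerable shape from the quoted description: `data` arrives without a
 * size, so every option copied back is an unchecked write, and the amount
 * written is bounded only by the peer-controlled input length. */
size_t repack_conf_rsp_vuln(const uint8_t *rsp, size_t len, uint8_t *data)
{
    size_t pos = 0, out = 0, n;
    uint8_t type, olen;
    const uint8_t *val;

    while ((n = get_opt(rsp, len, pos, &type, &olen, &val)) != 0) {
        pos += n;
        if (type & OPT_HINT)      /* "validation": drop hint options */
            continue;
        data[out++] = type;       /* no bound on `out` anywhere */
        data[out++] = olen;
        memcpy(data + out, val, olen);
        out += olen;
    }
    return out;
}

/* Hardened shape: the size travels with the pointer and each option is
 * checked against the remaining room before anything is written.
 * Returns the packed length, or -1 if the response does not fit. */
long repack_conf_rsp_safe(const uint8_t *rsp, size_t len,
                          uint8_t *data, size_t data_size)
{
    size_t pos = 0, out = 0, n;
    uint8_t type, olen;
    const uint8_t *val;

    while ((n = get_opt(rsp, len, pos, &type, &olen, &val)) != 0) {
        pos += n;
        if (type & OPT_HINT)
            continue;
        if (out + 2 + (size_t)olen > data_size)
            return -1;            /* would overflow: refuse instead */
        data[out++] = type;
        data[out++] = olen;
        memcpy(data + out, val, olen);
        out += olen;
    }
    return (long)out;
}

/* Constructed sample response from a hypothetical peer: one hint option
 * (dropped on repack) then three real options; 36 bytes in, 32 bytes out. */
static const uint8_t demo_rsp[] = {
    0x81, 0x02, 0xAA, 0xBB,                    /* hint option, skipped     */
    0x01, 0x02, 0x00, 0x04,                    /* option 1, 2-byte value   */
    0x02, 0x02, 0xFF, 0xFF,                    /* option 2, 2-byte value   */
    0x03, 0x16,                                /* option 3, 22-byte value  */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Run the hardened repack into a stack buffer treated as out_size bytes
 * (out_size <= 64) followed by canary bytes. Returns the repack result,
 * or -2 if any byte at or past out_size was touched. */
long demo_safe(size_t out_size)
{
    uint8_t buf[72];
    memset(buf, 0xC5, sizeof buf);
    long r = repack_conf_rsp_safe(demo_rsp, sizeof demo_rsp, buf, out_size);
    for (size_t i = out_size; i < sizeof buf; i++)
        if (buf[i] != 0xC5)
            return -2;
    return r;
}

/* With a buffer large enough for the input both variants agree, which is
 * why the missing check goes unnoticed until a peer sends more than fits. */
int demo_variants_agree(void)
{
    uint8_t a[64], b[64];
    size_t n = repack_conf_rsp_vuln(demo_rsp, sizeof demo_rsp, a);
    long m = repack_conf_rsp_safe(demo_rsp, sizeof demo_rsp, b, sizeof b);
    return m == (long)n && memcmp(a, b, n) == 0;
}

int main(void)
{
    printf("64-byte buffer: safe repack -> %ld\n", demo_safe(64)); /* 32 */
    printf("16-byte buffer: safe repack -> %ld\n", demo_safe(16)); /* -1 */
    printf("variants agree on a large buffer: %d\n", demo_variants_agree());
    return 0;
}
```

The vulnerable variant is deliberately never called with the 16-byte buffer
here, because that call is exactly the stack overflow the thread is about;
the point of the comparison is that the two signatures differ by one
parameter and the fix is mechanical once the size is threaded through.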

~~~
hossbeast
Performance.

~~~
nomel
How would this be performance? Not checking a length, resulting in an
overflow, should be a warning. Whatever it takes to make that happen needs to
happen. This is beyond silly.

~~~
fulafel
This game of C vulnerabilities and patches has been going on on the Internet
for 20+ years. It's largely an awareness problem, and prejudice toward safer
languages.

------
joe890
>It's already patched.

This refrain is tired and myopic.

We must operate with the assumption that like BadUSB, heartbleed, and this
latest attack, there are likely devastating vulnerabilities present in all
devices we use and actors may have the chance to exploit them before we ever
become aware of them or have the opportunity to apply a patch.

------
debunn
We've had a number of folks at work ask if their Android phone will be
patched, so I thought it would be helpful to list the Android Open Source
Project (aka: device operating system) versions that will be receiving the
necessary patches [0]:

4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0

Note: it will likely take some time for your handset manufacturer to test and
release the patch for your specific phone.

0:
[https://source.android.com/security/bulletin/2017-09-01](https://source.android.com/security/bulletin/2017-09-01)
(see CVE-2017-0781, 0782, 0783 and 0785)

------
blfr
Of course my Motorola (X Play) is getting no updates so I get to spend the
evening installing LineageOS and reconfiguring the phone. Should have treated
it like a computer: wipe the manufacturer's software right away and install a
free alternative.

Pretty sad that random opensource projects are offering better support than
the companies I paid for their products.

------
bauc
Is that why Google Play Protect was recommending disabling Bluetooth Share,
which seems to have caused a lot of issues for people? Turning it back on
requires resetting all app preferences.

------
pmontra
I got the update from Sony while I was reading the post. It's an Xperia X
Compact and they've done a good job so far. Almost an update per month, it
started with Android 6 and it's on Android 7.1.1 now, September patch level,
which is safe according to the post.

Bluez for Ubuntu 16.04 LTS instead is old, from March 2016. There is a newer
Bluez from August 2017 but it's probably for newer versions of Ubuntu. I hope
they patch it quickly for everybody.

------
Animats
Is it a C buffer overflow?

Edit: Yes, it is, on the stack.

------
jgaa
So, I guess it's back to using wired headphones with the phone...

~~~
brndnmtthws
Wired headphones are superior anyway, IMO.

~~~
euyyn
Wireless ones are better for running, so it's not a Pareto dominance thing.
Both have pros and cons.

~~~
zeveb
Wireless headphones pop out when running; wired headphones have a convenient
wire tethering them to one's phone.

~~~
euyyn
> pop out when running

There are many different ways wireless headphones prevent that from happening.

> wired headphones have a convenient wire tethering them to one's phone

The wire is convenient if you tend to drop them to the floor, which won't
happen to most wireless headphones. But it's hateful if it yanks them from
your ears, as is sometimes the case when you're exercising.

------
jasonmaydie
Chalk one up for Windows Phone. Security through obscurity. On a more serious
note, does the flaw happen because of a common open-source implementation?

~~~
detaro
What makes you think that the Windows attack doesn't apply to Windows Phones?
At least Windows Phone 8 and 10 are based on the normal Windows kernel, and I
don't see why they wouldn't share the Bluetooth implementation as well.

~~~
jasonmaydie
> A Microsoft representative said Windows Phone was never vulnerable.

it says it right there in the article

~~~
detaro
Whoops, missed that.

------
baybal2
I wonder if the physical "chain reaction" attack described is possible.

Back in the mid-noughties, the "MMS of death" chain reaction attacks on Sony
Ericsson phones were so intense that they were taking down the cell networks
through which they propagated, thus fizzling out.

------
mpclark
I've noticed that, starting quite recently, Bluetooth has always been off
every time I've gone to use it on my trusty old Nexus 5. I figured it was the
sort of bug that tends to accumulate on old phones, but maybe not eh?

------
mtzaldo
Is the playstation 3/4 vulnerable to this?

------
azinman2
What is the actual exploit? Article was very thin on details....

~~~
Ajedi32
Here's the whitepaper:
[http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Pa...](http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf)

