
Blueborne – A new attack vector endangering major operating systems - syvanen
https://www.armis.com/blueborne/
======
glandium
_Google has issued a patch and notified its partners. It will be available
for:

    Nougat (7.0)
    Marshmallow (6.0)

Google has issued a security update patch and notified its partners. It was
available to Android partners on August 7th, 2017, and made available as part
of the September Security Update and Bulletin. We recommend that users check
that Bulletin for the latest most accurate information. Android users should
verify that they have the September 9, 2017 Security Patch Level_

Take Nexus 5.

Opens Settings, Device information.

Android Version: 6.0.1. Great.

Android Security Level: 2016-10-5. A year old. Great.

Tap System update, force check... no update. Great.

Thank you Google.

~~~
mixedCase
I recommend you switch to Lineage OS. Once the manufacturer drops the device
you're SoL.

------
hkothari
Am I missing something? The first line says: "Armis Labs revealed a new attack
vector endangering major mobile, desktop, and IoT operating systems, including
Android, iOS, Windows, and Linux, and the devices using them."

Why is the title singling out Linux? Reading through the rest of it, it seems
like this is on pretty much everything.

~~~
sverige
Windows was patched in July. Google has provided a patch for Android.
Therefore, Linux is the only one left to make an announcement.

~~~
codewiz
> Windows was patched in July. Google has provided a patch for Android.
> Therefore, Linux is the only one left to make an announcement.

For some reason, this vuln was not promptly disclosed to the Kernel security
team. From the article:

    Google – Contacted on April 19, 2017
    Microsoft – Contacted on April 19, 2017
    Apple – Contacted on August 9, 2017
    Linux – Contacted August 15 and 17, 2017

Oh, and the most amusing one:

    Samsung – Contacted on three separate occasions in April, May, and June. No response was received back from any outreach.

------
dom0
Title is inaccurate, Windows, Linux and macOS are all affected.

> Microsoft is issuing security patches to all supported Windows versions at
> 10 AM, Tuesday, September 12.

> Information on Linux updates will be provided as soon as they are live.

> All iPhone, iPad and iPod touch devices with iOS 9.3.5 and lower, and
> AppleTV devices with version 7.2.2 and lower are affected by the remote code
> execution vulnerability. This vulnerability was already mitigated by Apple
> in iOS 10, so no new patch is needed to mitigate it. We recommend you
> upgrade to the latest iOS or tvOS available.

------
Aaron1011
Based on the white paper, "Blueborne" is really a collection of distinct
vulnerabilities in various implementations of the Bluetooth protocol. This is
in contrast to something like the 'Over the air' vulnerability
([https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html](https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html)),
which was a bug in the firmware shared by Android and iOS.

------
r1ch
This looks very scary, especially given how many Android devices are out there
that receive few or no security updates.

~~~
padde
Agreed. And just checked - my Samsung Galaxy S8 is vulnerable, no update
available. Thanks Samsung!

This one will get nasty...

~~~
wohlergehen
Well, I've been meaning to root mine and flash crDroid... This is certainly
the final push.

They state 10% of all Android devices are vulnerable and won't get patches,
and since the vulnerability is arguably wormable I can't see how these devices
will stay clean.

~~~
yumaikas
Does keeping the BlueTooth radio turned off help here?

~~~
sevensor
I have the same question -- I turned off the Bluetooth radio on my phone the
day I got it, and I've never turned it back on. But does that mean the radio
is actually powered down, or is the phone blocking Bluetooth at a higher
level? Similarly, or possibly the same question, is an rfkill soft block
adequate for a laptop with bluetooth?

~~~
kelnos
On a laptop, if you want to be sure, you can at least do
`sudo modprobe -r btusb` (or whatever your particular chipset's BT driver is
called).

~~~
sevensor
A very good point -- that's definitely better than rfkill.
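
The rfkill-versus-module question above, as an added example that is not part
of the thread: a small POSIX shell check that reads `rfkill list` and `lsmod`
output and reports whether Bluetooth is merely soft-blocked, hard-blocked, or
has its driver unloaded. The sample outputs below are constructed; the module
name `btusb` is assumed, as in the comment above.

```shell
#!/bin/sh
# Added example: classify how "off" Bluetooth really is on a Linux laptop.
# A soft block asks the stack to disable the radio; a hard block is a physical
# switch; an unloaded driver removes the code that would parse incoming frames.

# bt_rfkill_state RFKILL_OUTPUT -> prints "hard", "soft", "unblocked" or "absent"
bt_rfkill_state() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+:/ { inbt = ($0 ~ /[Bb]luetooth/) }   # device header line
        inbt && /Hard blocked: yes/ { hard = 1 }
        inbt && /Soft blocked: yes/ { soft = 1 }
        inbt { seen = 1 }
        END {
            if (!seen) print "absent"
            else if (hard) print "hard"
            else if (soft) print "soft"
            else print "unblocked"
        }'
}

# bt_driver_loaded LSMOD_OUTPUT MODULE -> exit 0 if MODULE appears in lsmod
bt_driver_loaded() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# bt_assessment RFKILL_OUTPUT LSMOD_OUTPUT -> one-word verdict
bt_assessment() {
    state=$(bt_rfkill_state "$1")
    if bt_driver_loaded "$2" btusb; then
        case "$state" in
            hard)   echo "hard-blocked" ;;
            soft)   echo "soft-blocked-only" ;;
            absent) echo "no-adapter" ;;
            *)      echo "bluetooth-active" ;;
        esac
    else
        echo "driver-unloaded"   # btusb removed, e.g. via modprobe -r btusb
    fi
}

# Constructed sample output (not captured from a real machine).
RFKILL_SAMPLE='0: phy0: Wireless LAN
    Soft blocked: no
    Hard blocked: no
1: hci0: Bluetooth
    Soft blocked: yes
    Hard blocked: no'
LSMOD_LOADED='Module                  Size  Used by
btusb                  61440  0
bluetooth             688128  8 btusb'
LSMOD_UNLOADED='Module                  Size  Used by
iwlwifi               331776  0'

# Live use would be: bt_assessment "$(rfkill list)" "$(lsmod)"
bt_assessment "$RFKILL_SAMPLE" "$LSMOD_LOADED"
```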

------
amluto
Is there an exploit that works on systems with stack canaries? If not, then
sensible Linux devices (which may well be a small minority) are not so
severely affected.

I'm more worried about higher value targets like cars and things like
lightbulbs that never get updated. This could be an amazing wormable bug.

~~~
Aaron1011
From the white paper:

> Despite this, the Linux Kernel is lagging behind in implementing some modern
> mitigations in its default configuration. Both stack canaries - which
> protect against stack overflows, and KASLR (kernel address space layout
> randomization) are lacking in most devices running Linux today

It seems that they opted not to try to bypass stack canaries, probably because
of the number of Android devices running old versions of Linux.

It seems inaccurate for them to categorize this as a problem with the kernel
itself, however. The kernel itself isn't "lagging behind" if mobile/embedded
devices won't update to newer versions containing newer mitigation techniques.

~~~
5travac
True. The real interesting part would have been how they bypassed ASLR, DEP
and stack canaries.

------
Ajedi32
Previous discussion:
[https://news.ycombinator.com/item?id=15227021](https://news.ycombinator.com/item?id=15227021)

------
mrguyorama
For a moment I was excited, as I thought this might finally be an avenue to
root my abandoned, older android phones, however, looks like the permissions
given to the bluetooth service are not actually full scale root (which is
reasonable of course).

I wonder whether it is still worth investigating?

~~~
kbenson
What you probably want is this combined with some privilege escalation
technique. If you feel like doing the work, have at it.[1]

1: [https://www.cvedetails.com/vendor/1224/Google.html](https://www.cvedetails.com/vendor/1224/Google.html)

~~~
mrguyorama
If I already had a working privilege escalation strategy, wouldn't I just be
able to run that from a terminal emulator program on the phone? Or using an
adb shell? My problem is exactly that there is no privilege escalation
vulnerability in my version of the OS (that I know of)

~~~
language
I think DirtyCOW (CVE-2016-5195) had been dormant in the kernel for a long
time. If I remember correctly the PoC demonstrated writing on root-owned
files. Might be relevant.

[https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails](https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails)

------
sctb
Another discussion:
[https://news.ycombinator.com/item?id=15227021](https://news.ycombinator.com/item?id=15227021)

