Blueborne – A new attack vector endangering major operating systems (armis.com)
131 points by syvanen 11 months ago | 33 comments

Google has issued a patch and notified its partners. It will be available for:

    Nougat (7.0)
    Marshmallow (6.0)
Google has issued a security update patch and notified its partners. It was available to Android partners on August 7th, 2017, and made available as part of the September Security Update and Bulletin. We recommend that users check that Bulletin for the latest most accurate information. Android users should verify that they have the September 9, 2017 Security Patch Level.

Take Nexus 5.

Opens Settings, Device information.

Android Version: 6.0.1. Great.

Android Security Level: 2016-10-5. A year old. Great.

Tap System update, force check... no update. Great.

Thank you Google.

I recommend you switch to Lineage OS. Once the manufacturer drops the device you're SoL.

Am I missing something? The first line says: "Armis Labs revealed a new attack vector endangering major mobile, desktop, and IoT operating systems, including Android, iOS, Windows, and Linux, and the devices using them."

Why is the title singling out Linux? Reading through the rest of it, it seems like this is on pretty much everything.

Windows was patched in July. Google has provided a patch for Android. Therefore, Linux is the only one left to make an announcement.

> Windows was patched in July. Google has provided a patch for Android. Therefore, Linux is the only one left to make an announcement.

For some reason, this vuln was not promptly disclosed to the Kernel security team. From the article:

  Google – Contacted on April 19, 2017
  Microsoft – Contacted on April 19, 2017
  Apple – Contacted on August 9, 2017
  Linux – Contacted August 15 and 17, 2017
Oh, and the most amusing one:

    Samsung – Contacted on three separate occasions in April, May, and June. No response was received back from any outreach.

My 'flagship' OnePlus 5 is vulnerable today, according to their linked app.

While I totally believe that my device will receive a patch at some point in time, the majority of devices out there will probably never receive the patch Google provided. And even this recent phone is now vulnerable to a vulnerability that was just disclosed to the public at large.

I'd say Android is pretty much in deep (or rather: deeper than usual) shit as well, not just Linux.

Microsoft is issuing security patches to all supported Windows versions at 10 AM, Tuesday, September 12.

We've updated the title from “Blueborne – Stack buffer overflow in Linux kernel Bluetooth”.

Title is inaccurate, Windows, Linux and macOS are all affected.

> Microsoft is issuing security patches to all supported Windows versions at 10 AM, Tuesday, September 12.

> Information on Linux updates will be provided as soon as they are live.

> All iPhone, iPad and iPod touch devices with iOS 9.3.5 and lower, and AppleTV devices with version 7.2.2 and lower are affected by the remote code execution vulnerability. This vulnerability was already mitigated by Apple in iOS 10, so no new patch is needed to mitigate it. We recommend you upgrade to the latest iOS or tvOS available.

Based on the white paper, "Blueborne" is really a collection of distinct vulnerabilities in various implementations of the Bluetooth protocol. This is in contrast to something like the 'Over the air' vulnerability (https://googleprojectzero.blogspot.com/2017/04/over-air-expl...), which was a bug in the firmware shared by Android and iOS.

This looks very scary, especially given how many Android devices are out there that receive few or no security updates.

Agreed. And just checked - my Samsung Galaxy S8 is vulnerable, no update available. Thanks Samsung!

This one will get nasty...

Well, I've been meaning to root mine and flash crDroid... This is certainly the final push.

They state 10% of all Android devices are vulnerable and won't get patches, and since the vulnerability is arguably wormable I can't see how these devices will stay clean.

Does keeping the BlueTooth radio turned off help here?

I have the same question -- I turned off the Bluetooth radio on my phone the day I got it, and I've never turned it back on. But does that mean the radio is actually powered down, or is the phone blocking Bluetooth at a higher level? Similarly, or possibly the same question, is an rfkill soft block adequate for a laptop with bluetooth?

On a laptop, if you want to be sure, you can at least do `sudo modprobe -r btusb` (or whatever your particular chipset's BT driver is called).

A very good point -- that's definitely better than rfkill.
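A defender-side check for the rfkill-versus-modprobe question above, added here as an example (not code from the thread or from Armis). A soft rfkill block only tells the driver to power the radio down; the `btusb`/`bluetooth` modules stay loaded, so the report shows both facts side by side. The `rfkill list` and `/proc/modules` samples are constructed; pass the live output of those commands for a real check.

```shell
# Added example: parse `rfkill list` output and /proc/modules text to report
# whether the Bluetooth radio is blocked AND whether its driver is still loaded.
# Sample inputs below are constructed in the real formats of both sources.

# Return 0 when every Bluetooth entry in `rfkill list` output ($1) is soft- or
# hard-blocked (vacuously true when there is no Bluetooth entry at all).
bt_rfkill_blocked() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+: / { if (bt && !blocked) open++; bt = ($0 ~ /Bluetooth/); blocked = 0 }
        bt && /blocked: yes/ { blocked = 1 }
        END { if (bt && !blocked) open++; if (open == 0) exit 0; exit 1 }'
}

# Print the names of loaded Bluetooth stack/driver modules from text in
# /proc/modules format ($1), one per line; prints nothing if none are loaded.
bt_modules_loaded() {
    printf '%s\n' "$1" | awk '$1 ~ /^(bluetooth|btusb|btintel|btbcm|btrtl|hci_uart)$/ { print $1 }'
}

# Human-readable summary of both checks: $1 rfkill text, $2 /proc/modules text.
bt_status_report() {
    if bt_rfkill_blocked "$1"; then echo "rfkill: Bluetooth radio blocked"
    else echo "rfkill: Bluetooth radio NOT blocked"; fi
    mods=$(bt_modules_loaded "$2" | tr '\n' ' ')
    if [ -n "$mods" ]; then echo "driver still loaded: $mods(unload with modprobe -r)"
    else echo "no Bluetooth driver modules loaded"; fi
}

# Constructed sample: radio soft-blocked, but the driver stack is still loaded.
RFKILL_SAMPLE='0: phy0: Wireless LAN
    Soft blocked: no
    Hard blocked: no
1: hci0: Bluetooth
    Soft blocked: yes
    Hard blocked: no'
MODULES_SAMPLE='btusb 53248 0 - Live 0x0000000000000000
btintel 24576 1 btusb, Live 0x0000000000000000
bluetooth 581632 7 btusb,btintel, Live 0x0000000000000000
ext4 704512 1 - Live 0x0000000000000000'

bt_status_report "$RFKILL_SAMPLE" "$MODULES_SAMPLE"

# On a real Linux host, run the same checks against the live system.
if [ -r /proc/modules ] && command -v rfkill >/dev/null 2>&1; then
    bt_status_report "$(rfkill list)" "$(cat /proc/modules)"
fi
```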

At this point in time buying Samsung is just a bad decision. Have you checked out custom ROMs?

I got the August security update yesterday - how do I check if I'm vulnerable?

Thanks. Yep, the S8+ updated yesterday is vulnerable.

On the other hand, my MiBox 3 suddenly received an update.

Is there an exploit that works on systems with stack canaries? If not, then sensible Linux devices (which may well be a small minority) are not so severely affected.

I'm more worried about higher value targets like cars and things like lightbulbs that never get updated. This could be an amazing wormable bug.

From the white paper:

> Despite this, the Linux Kernel is lagging behind in implementing some modern mitigations in its default configuration. Both stack canaries - which protect against stack overflows, and KASLR (kernel address space layout randomization) are lacking in most devices running Linux today

It seems that they opted not to try to bypass stack canaries, probably because of the number of Android devices running old versions of Linux.

It seems inaccurate for them to categorize this as a problem with the kernel itself, however. The kernel itself isn't "lagging behind" if mobile/embedded devices won't update to newer versions containing newer mitigation techniques.
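A way to check the two mitigations the quoted white paper names on a given kernel, added here as an example (not from the thread or the white paper). The option names are real: `CONFIG_CC_STACKPROTECTOR_*` before Linux 4.18 and `CONFIG_STACKPROTECTOR_*` from 4.18 on for stack canaries, `CONFIG_RANDOMIZE_BASE` for KASLR; the sample configs are constructed.

```shell
# Added example: report stack-canary and KASLR settings from kernel config text,
# handling both the pre-4.18 and post-4.18 spellings of the stack-protector option.

# Print "stack-protector=<strong|regular|none> kaslr=<yes|no>" for config text ($1).
kernel_mitigations() {
    printf '%s\n' "$1" | awk '
        /^CONFIG_(CC_)?STACKPROTECTOR_STRONG=y/     { sp = "strong" }
        /^CONFIG_(CC_)?STACKPROTECTOR(_REGULAR)?=y/ { if (sp == "") sp = "regular" }
        /^CONFIG_RANDOMIZE_BASE=y/                  { kaslr = "yes" }
        END {
            if (sp == "") sp = "none"
            if (kaslr == "") kaslr = "no"
            printf "stack-protector=%s kaslr=%s\n", sp, kaslr
        }'
}

# Constructed samples: a current distro-style config and an old embedded one
# of the kind the white paper describes, with neither mitigation enabled.
DESKTOP_CONFIG='CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_BT=y'
EMBEDDED_CONFIG='# CONFIG_CC_STACKPROTECTOR is not set
# CONFIG_RANDOMIZE_BASE is not set
CONFIG_BT=y'

echo "desktop sample:  $(kernel_mitigations "$DESKTOP_CONFIG")"
echo "embedded sample: $(kernel_mitigations "$EMBEDDED_CONFIG")"

# On a real Linux host, check the running kernel's config if it is exposed.
if [ -r /proc/config.gz ]; then
    echo "running kernel:  $(kernel_mitigations "$(zcat /proc/config.gz)")"
elif [ -r "/boot/config-$(uname -r)" ]; then
    echo "running kernel:  $(kernel_mitigations "$(cat "/boot/config-$(uname -r)")")"
fi
```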

True. The real interesting part would have been how they bypassed ASLR, DEP and stack canaries.

I'd expect this to be a minimum requirement, especially if you're planning to make a logo and website for a Linux exploit...

For a moment I was excited, as I thought this might finally be an avenue to root my abandoned, older Android phones; however, it looks like the permissions given to the Bluetooth service are not actually full-scale root (which is reasonable of course).

I wonder whether it is still worth investigating?

What you probably want is this combined with some privilege escalation technique. If you feel like doing the work, have at it.[1]

1: https://www.cvedetails.com/vendor/1224/Google.html

If I already had a working privilege escalation strategy, wouldn't I just be able to run that from a terminal emulator program on the phone? Or using an adb shell? My problem is exactly that there is no privilege escalation vulnerability in my version of the OS (that I know of)

I think DirtyCOW (CVE-2016-5195) had been dormant in the kernel for a long time. If I remember correctly the PoC demonstrated writing on root-owned files. Might be relevant.

Since there are 34 "Gain Priv" listed on that page for Android (many versions) in 2017, and well over 200 listed for 2016, I would imagine with those as a starting point it might not be too hard to look for likely candidates that have been weaponized (or have working proof of concept code) if you search around a bit. It's not exactly easy, but given the huge number of exploits to work with, it would probably yield something without too much work.

I did notice that the entries there include whether there's a known Metasploit module, which none that I looked at had one shown there. I googled Metasploit and Android and found some video tutorial for hacking an Android phone using Metasploit from early 2017[1], so maybe that will help you. In any case, good luck if you try.

1: https://www.youtube.com/watch?v=gfAE1xVBNdo
