Author Topic: major Bluetooth security issue: BlueBorne  (Read 4273 times)


Offline madires (Topic starter)

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
major Bluetooth security issue: BlueBorne
« on: September 13, 2017, 10:35:50 am »
The article: https://www.bleepingcomputer.com/news/security/blueborne-vulnerabilities-impact-over-5-billion-bluetooth-enabled-devices/
And the whitepaper with all the details: http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf

If you have any project/product with Bluetooth you might want to check the Bluetooth stack or check for updates.
 
The following users thanked this post: cdev, BrianHG, Vtile

Offline Bruce Abbott

  • Frequent Contributor
  • **
  • Posts: 627
  • Country: nz
    • Bruce Abbott's R/C Models and Electronics
Re: major Bluetooth security issue: BlueBorne
« Reply #1 on: September 13, 2017, 10:22:04 pm »
And the cause? Bloat.

Quote
Bluetooth is complicated. Too complicated. Too many specific applications are defined in the stack layer, with endless replication of facilities and features...

Bluetooth’s complexity kept researchers from auditing its implementations at the same level of scrutiny that other highly exposed protocols and outwards-facing interfaces have been treated to.
 

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9810
  • Country: 00
  • Display aficionado
Re: major Bluetooth security issue: BlueBorne
« Reply #2 on: September 13, 2017, 10:33:49 pm »
Even though the potential consequences are horrible, I'm really glad that hardware and firmware security is finally gaining some momentum. For too long has the focus been on the main OS for mobile devices, with all the dirty secrets below the surface completely ignored.
 

Offline Neilm

  • Super Contributor
  • ***
  • Posts: 1546
  • Country: gb
Re: major Bluetooth security issue: BlueBorne
« Reply #3 on: September 14, 2017, 06:37:04 pm »
Given that even reasonably low spec cars come equipped with Bluetooth wired into the entertainment systems, I wonder if the car manufacturers will be issuing updates any time soon.
Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. - Albert Einstein
Tesla referral code https://ts.la/neil53539
 

Offline Bruce Abbott

  • Frequent Contributor
  • **
  • Posts: 627
  • Country: nz
    • Bruce Abbott's R/C Models and Electronics
Re: major Bluetooth security issue: BlueBorne
« Reply #4 on: September 14, 2017, 07:16:18 pm »
Quote from: Neilm
I wonder if the car manufacturers will be issuing updates any time soon.
If they do, will the updates be secure?
 

Offline jnz

  • Frequent Contributor
  • **
  • Posts: 593
Re: major Bluetooth security issue: BlueBorne
« Reply #5 on: September 14, 2017, 09:16:59 pm »
I'm a little interested in how they're (magically) going from BT chipset to admin privileges and running code on the CPU and OS in those examples - anyone?
 
The following users thanked this post: cdev

Offline julian1

  • Frequent Contributor
  • **
  • Posts: 735
  • Country: au
Re: major Bluetooth security issue: BlueBorne
« Reply #6 on: September 14, 2017, 09:30:59 pm »
With a buffer overflow in the bluetooth kernel module, you can execute code to modify kernel data structures.
 
The following users thanked this post: cdev

Offline cdev

  • Super Contributor
  • ***
  • !
  • Posts: 7350
  • Country: 00
Re: major Bluetooth security issue: BlueBorne
« Reply #7 on: September 14, 2017, 10:05:54 pm »
I'm really glad that all the governments of the world are so conscientious about security..

I am sure that they will share any back-doors they find, equally.
"What the large print giveth, the small print taketh away."
 

Offline Vtile

  • Super Contributor
  • ***
  • Posts: 1144
  • Country: fi
  • Ingineer
Re: major Bluetooth security issue: BlueBorne
« Reply #8 on: September 14, 2017, 10:12:53 pm »
#internetofshit
 

Offline nidlaX

  • Frequent Contributor
  • **
  • Posts: 663
  • Country: us
Re: major Bluetooth security issue: BlueBorne
« Reply #9 on: September 14, 2017, 11:27:33 pm »
Quote from: jnz
I'm a little interested in how they're (magically) going from BT chipset to admin privileges and running code on the CPU and OS in those examples - anyone?
Read their technical white paper, each exploit is discussed in detail with offending code snippets from the OS stack source / disassembled stack binaries.
 

Offline cdev

  • Super Contributor
  • ***
  • !
  • Posts: 7350
  • Country: 00
Re: major Bluetooth security issue: BlueBorne
« Reply #10 on: September 15, 2017, 02:26:50 am »
Either those three letter agencies are really smart, or people aren't.
"What the large print giveth, the small print taketh away."
 

Offline Bruce Abbott

  • Frequent Contributor
  • **
  • Posts: 627
  • Country: nz
    • Bruce Abbott's R/C Models and Electronics
Re: major Bluetooth security issue: BlueBorne
« Reply #11 on: September 15, 2017, 04:27:00 pm »
Quote from: Vtile
#internetofshit
QFT.

IOT, wireless this, wireless that, scripting languages everywhere - and security is always an afterthought. I cringe when someone talks about connecting their home appliances to the internet.


Quote from: cdev
I'm really glad that all the governments of the world are so conscientious about security..

I am sure that they will share any back-doors they find, equally.
My government certainly is conscientious about security, but sharing 'backdoors' is not their responsibility. Private companies are producing insecure devices and selling them to unsuspecting consumers, and most cybercrime is committed by miscreant individuals who are looking to steal or trash your stuff. If you want to prevent it then you have to be conscientious about security.
 
 

Offline jnz

  • Frequent Contributor
  • **
  • Posts: 593
Re: major Bluetooth security issue: BlueBorne
« Reply #12 on: September 19, 2017, 03:57:04 pm »
Quote from: julian1
With a buffer overflow in the bluetooth kernel module, you can execute code to modify kernel data structures.

Quote from: nidlaX
Read their technical white paper, each exploit is discussed in detail with offending code snippets from the OS stack source / disassembled stack binaries.

I read the technical paper, well, skimmed to the best of my attention span; Bluetooth is tough for the very reasons this hack exists: it doesn't use a separate layer like TCP/IP, it just has all the packing and protocols built in - super dumb, kinda hard to follow. Anyhow, I am STILL not seeing how BT data is becoming OS level instructions. He talks about how the Linux kernel is particularly susceptible to this exploit because you will have some awareness of the kernel calls and structures.

I guess my issue is I'm coming from Bluetooth modules that run their own stacks and the host CPU just interfaces, almost never applications where the host CPU is running the BT stack itself. That said... since a lot of the hack involves L2CAP, and BLE uses the same L2CAP as BT, I wonder if low energy exploits may be coming.


 
The following users thanked this post: cdev

Offline madires (Topic starter)

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
Re: major Bluetooth security issue: BlueBorne
« Reply #13 on: September 19, 2017, 05:32:44 pm »
It boils down to a classic buffer overflow. If you're using BT modules an attack would just harm the module, but that could also have an impact on the communication between module and MCU. I'd check if the modules are affected by BlueBorne and upgrade the firmware.
 

Offline nidlaX

  • Frequent Contributor
  • **
  • Posts: 663
  • Country: us
Re: major Bluetooth security issue: BlueBorne
« Reply #14 on: September 19, 2017, 06:43:34 pm »
Quote from: jnz
I guess my issue is I'm coming from Bluetooth modules that run their own stacks and the host CPU just interfaces, almost never applications where the host CPU is running the BT stack itself. That said... since a lot of the hack involves L2CAP, and BLE uses the same L2CAP as BT, I wonder if low energy exploits may be coming.
These hacks are specific to software stacks run by the computer's OS as drivers. They don't apply to your Bluetooth over UART dongles or whatever.

That being said, the overall structure of the attacks in question is malformed or otherwise unanticipated packets sent during discovery and link negotiation. The driver stack code does not anticipate the structure and/or length of these packets, leading to buffer overflows. Overall, it's a result of the system designers not anticipating the ease of sending requests to "hidden" nodes.

I'm not an expert, so someone can come put me in my place. :popcorn:
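The overflow class that julian1, madires and nidlaX describe above (a stack that copies a received payload using the packet's own length field, without bounding it by what actually arrived or by the destination buffer) is easiest to see in a small length-checked parser. This is an added example for this thread, not code from the Armis whitepaper or from any real Bluetooth stack; the two-byte wire format, NAME_MAX, and the parse_record/demo_* names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy wire format for illustration only; it is NOT the
 * L2CAP/SDP/BNEP layouts discussed in the whitepaper:
 *   [type: 1 byte][len: 1 byte][payload: len bytes]
 * The len byte is attacker-controlled, like any length field received
 * over the air during discovery or link negotiation. */
#define NAME_MAX 16

struct record {
    uint8_t type;
    uint8_t len;
    char name[NAME_MAX + 1];   /* NUL-terminated copy of the payload */
};

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED = -1,      /* len claims more bytes than were received */
    PARSE_TOO_LONG = -2        /* len exceeds the destination buffer */
};

/* Parse one record from a received buffer. The two checks before the
 * memcpy are what a stack that trusts the packet's own length field
 * omits: the first prevents an over-read past the received data, the
 * second prevents the classic overflow of out->name. */
int parse_record(const uint8_t *buf, size_t buflen, struct record *out)
{
    if (buflen < 2)
        return PARSE_TRUNCATED;        /* header itself did not arrive */

    uint8_t type = buf[0];
    uint8_t len  = buf[1];

    if ((size_t)len > buflen - 2)
        return PARSE_TRUNCATED;        /* bound by what was actually received */
    if (len > NAME_MAX)
        return PARSE_TOO_LONG;         /* bound by destination capacity */

    out->type = type;
    out->len  = len;
    memcpy(out->name, buf + 2, len);
    out->name[len] = '\0';
    return PARSE_OK;
}

/* Three constructed inputs a practitioner would feed such a parser. */

/* Well-formed: 5-byte payload "hello". */
int demo_well_formed(struct record *out)
{
    static const uint8_t pkt[] = { 0x01, 0x05, 'h', 'e', 'l', 'l', 'o' };
    return parse_record(pkt, sizeof pkt, out);
}

/* Lies about its size: len says 32 bytes but only 2 follow. */
int demo_claims_more_than_received(struct record *out)
{
    static const uint8_t pkt[] = { 0x01, 0x20, 'a', 'b' };
    return parse_record(pkt, sizeof pkt, out);
}

/* Complete but oversized: 32 payload bytes aimed at a 16-byte name field. */
int demo_oversized_payload(struct record *out)
{
    uint8_t pkt[2 + 32];
    pkt[0] = 0x01;
    pkt[1] = 32;
    memset(pkt + 2, 'A', 32);
    return parse_record(pkt, sizeof pkt, out);
}

int main(void)
{
    struct record r;
    int rc = demo_well_formed(&r);
    printf("well formed:  %d (name=\"%s\")\n", rc, r.name);
    printf("short packet: %d\n", demo_claims_more_than_received(&r));
    printf("oversized:    %d\n", demo_oversized_payload(&r));
    return 0;
}
```

The point of the two rejected cases is that each bound comes from a different source: the first from the byte count the link layer actually delivered, the second from the size of the structure the stack copies into. A parser that checks only one of them still has an overflow on the other side.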
 

Offline tszaboo

  • Super Contributor
  • ***
  • Posts: 7374
  • Country: nl
  • Current job: ATEX product design
Re: major Bluetooth security issue: BlueBorne
« Reply #15 on: September 20, 2017, 09:37:20 am »
Quote from: Neilm
Given that even reasonably low spec cars come equipped with Bluetooth wired into the entertainment systems, I wonder if the car manufacturers will be issuing updates any time soon.
And what would they do, if they take over? Play Genesis "I know what I like" on the stereo?
 

Offline CM800

  • Frequent Contributor
  • **
  • Posts: 882
  • Country: 00
Re: major Bluetooth security issue: BlueBorne
« Reply #16 on: September 20, 2017, 09:53:18 am »
Quote from: Neilm
Given that even reasonably low spec cars come equipped with Bluetooth wired into the entertainment systems, I wonder if the car manufacturers will be issuing updates any time soon.
Quote from: tszaboo
And what would they do, if they take over? Play Genesis "I know what I like" on the stereo?


Suddenly play multiple frequencies that the ear is most sensitive to, at max volume, (and if it can possibly detect) right at the point when the car is going fast, weather conditions are the worst (weather info), and the car is surrounded with other cars (distance sensors)
 

Offline tszaboo

  • Super Contributor
  • ***
  • Posts: 7374
  • Country: nl
  • Current job: ATEX product design
Re: major Bluetooth security issue: BlueBorne
« Reply #17 on: September 20, 2017, 10:16:58 am »
Quote from: Neilm
Given that even reasonably low spec cars come equipped with Bluetooth wired into the entertainment systems, I wonder if the car manufacturers will be issuing updates any time soon.
Quote from: tszaboo
And what would they do, if they take over? Play Genesis "I know what I like" on the stereo?

Quote from: CM800
Suddenly play multiple frequencies that the ear is most sensitive to, at max volume, (and if it can possibly detect) right at the point when the car is going fast, weather conditions are the worst (weather info), and the car is surrounded with other cars (distance sensors)
OK, so you need to have someone within some 30, for around half a minute drive next to you, with the attempt to kill you. Luckily nobody has tried assassinating me yet today. Also, my car doesn't have BLE.
And before you ask, no, the car radio doesn't get the radar info, doesn't get the weather info. In fact, I was very surprised how little info I get on the car's CAN bus. I know, in hacker movies everything is hackable which is connected together with a wire, but that isn't real life.
 

Offline madires (Topic starter)

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
Re: major Bluetooth security issue: BlueBorne
« Reply #18 on: September 20, 2017, 10:18:00 am »
Quote from: tszaboo
And what would they do, if they take over? Play Genesis "I know what I like" on the stereo?

If you're lucky you will be just rick-rolled ;D
 

Offline cdev

  • Super Contributor
  • ***
  • !
  • Posts: 7350
  • Country: 00
Re: major Bluetooth security issue: BlueBorne
« Reply #19 on: September 28, 2017, 02:07:52 pm »
The media hasn't covered this story as it should, as far as I can tell.
"What the large print giveth, the small print taketh away."
 

Offline Bruce Abbott

  • Frequent Contributor
  • **
  • Posts: 627
  • Country: nz
    • Bruce Abbott's R/C Models and Electronics
Re: major Bluetooth security issue: BlueBorne
« Reply #20 on: September 28, 2017, 05:56:09 pm »
Quote from: tszaboo
OK, so you need to have someone within some 30[m], for around half a minute drive next to you, with the attempt to kill you.
Maybe not so close...

Host XR3 Dongle (a.k.a. extend your bluetooth range)
Quote
...is equipped with an extremely-powerful, highly-sensitive Bluetooth transmitter, can achieve an unparalleled range of up to 30 km! With a 9 dBi omni-directional antenna, the extended range is up to 2 km, and with the 18 dBi directional antenna, it is up to 10 km. Additionally, given its high sensitivity, it can extend the range of weaker Bluetooth devices like cell phones and headsets by hundreds of meters.

Quote
And before you ask, no, the car radio doesn't get the radar info, doesn't get the weather info. In fact, I was very surprised how little info I get on the car's CAN bus. I know, in hacker movies everything is hackable which is connected together with a wire, but that isn't real life.
With modern devices having field-updatable firmware I wouldn't be so sure about that.
 

Offline MT

  • Super Contributor
  • ***
  • Posts: 1616
  • Country: aq
Re: major Bluetooth security issue: BlueBorne
« Reply #21 on: September 28, 2017, 11:38:06 pm »
MQTT protocol that makes you cringe!

Slogan:
It's one thing when you spam your neighbor's fridge, but a very different thing when billions of fridges are spamming you.



https://www.wired.com/2013/07/shodan-search-engine/
« Last Edit: September 29, 2017, 02:30:10 am by MT »
 

