Stories
Slash Boxes
Comments

SoylentNews is people

posted by CoolHand on Wednesday September 13, @01:13AM   Printer-friendly
from the color-us-blue dept.

Submitted via IRC for TheMightyBuzzard

Billions of Android, iOS, Windows and Linux devices that use Bluetooth may be exposed to a new attack that can be carried out remotely without any user interaction, researchers warned.

Armis Labs, a company that specializes in protecting Internet of Things (IoT) devices, has discovered a total of eight Bluetooth implementation vulnerabilities that expose mobile, desktop and IoT systems to an attack it has dubbed "BlueBorne."

According to the security firm, the attack only requires Bluetooth to be enabled on the targeted device – no pairing is needed between the victim and the attacker's device, and the Bluetooth connection does not even have to be discoverable.

A hacker who is in range of the targeted device can exploit one of the several Bluetooth implementation vulnerabilities that can lead to remote code execution, information disclosure or man-in-the-middle (MitM) attacks. The attacker only needs to determine what type of operating system the target is using in order to deploy an exploit specific to that platform.

BlueBorne does not require the targeted user to click on a link or open a file, and the malicious activities can take place in the background, making it less likely for the victim to notice anything suspicious. And since the attack leverages Bluetooth, a less common attack vector, many security solutions may not detect the malicious activity, Armis said.

With all the smartphones out there whose manufacturers and carriers refuse to update them after a year or so, I can see this being a big, big problem.

Source: http://www.securityweek.com/billions-devices-potentially-exposed-new-bluetooth-attack

Armis Labs. US-CERT.


Original Submission

Display Options Threshold/Breakthrough

Reply to Article

Mark All as Read

Mark All as Unread

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 0) by Anonymous Coward on Wednesday September 13, @01:50AM (4 children)

    by Anonymous Coward on Wednesday September 13, @01:50AM (#567044)

    In IoT
    - the I is for "Internet"
    - the O is for "of"
    - the T is for "Things"
    - the S is for "Security"
    - the P is for "Privacy".

    • (Score: 0) by Anonymous Coward on Wednesday September 13, @02:05AM (2 children)

      by Anonymous Coward on Wednesday September 13, @02:05AM (#567048)

      IsTop

      • (Score: 2) by SanityCheck on Wednesday September 13, @04:17AM (1 child)

        by SanityCheck (5190) on Wednesday September 13, @04:17AM (#567073)

        I think the joke is that the S and P are not there.

        • (Score: 0) by Anonymous Coward on Wednesday September 13, @06:41AM

          by Anonymous Coward on Wednesday September 13, @06:41AM (#567104)

          No Salt or Pepper?! Outrageously bland I tell you, like English cooking. Add some spice! :)

          On a Linux fun fact side of it .. the bluetooth update already arrived a few hours ago. Good luck for Win/Mac/Android users, a longer wait awaits ye.

    • (Score: 3, Insightful) by Wootery on Wednesday September 13, @08:47AM

      by Wootery (2341) on Wednesday September 13, @08:47AM (#567136)

      The joke works better in its original form.

      The 'S' in 'IOT' stands for 'Security'.

  • (Score: 3, Insightful) by c0lo on Wednesday September 13, @02:05AM (12 children)

    by c0lo (156) Subscriber Badge on Wednesday September 13, @02:05AM (#567049)

    Just disable Bluetooth.

    • (Score: 3, Informative) by Runaway1956 on Wednesday September 13, @02:15AM (5 children)

      by Runaway1956 (2926) Subscriber Badge on Wednesday September 13, @02:15AM (#567053) Journal

      That - and/or don't use your mobile device for banking and other sensitive uses.

      It's probably a little more difficult for someone to exploit bluetooth on most people's desktops. Getting in range of my desktop means you're on my property, or at least, standing at the end of my driveway. I just might notice you there, and wonder WTF you're doing. That telephone? Even those of us who live in rural areas pass within bluetooth range of hundreds of people on a daily basis. Even those of us who hate Walmart end up visiting the damned place pretty often, we stop for gas, visit a parts house now and then, etc etc.

      --
      This broadcast is intended for mature audiences.
      • (Score: 0) by Anonymous Coward on Wednesday September 13, @03:21AM (4 children)

        by Anonymous Coward on Wednesday September 13, @03:21AM (#567061)

        Getting in range of my desktop means you're on my property, or at least, standing at the end of my driveway.

        (Unrelated question, why isn't blockqoute working in preview? I wonder if it will work when this posts. The line above should be blockqouted.)

        Um, no.

        https://www.youtube.com/watch?v=qlf6xQ0fMoU [youtube.com]

        Unless, of course, you live out in the sticks and own several thousand acres of land. Or you own a typical desktop computer that doesn't have Bluetooth. But this likely won't be used in a targeted attack that way. This will be used by an asshole sitting in a panel van with a "cell phone" antenna on the roof parked in front of wally world spreading a ransomware worm to every poor schmuck that walks within 100 feet of him.

        Speaking of which, time to go pull a new nandroid backup from my geriatric smartphone...

        • (Score: 2) by JNCF on Wednesday September 13, @04:10AM (1 child)

          by JNCF (4317) Subscriber Badge on Wednesday September 13, @04:10AM (#567070) Journal

          <quote>

          (Unrelated question, why isn't blockqoute working in preview? I wonder if it will work when this posts. The line above should be blockqouted.)

          </quote>
          Works for me. Did you type <blockquote> instead of <quote>, perhaps?

          • (Score: 0) by Anonymous Coward on Wednesday September 13, @04:13AM

            by Anonymous Coward on Wednesday September 13, @04:13AM (#567071)

            Blockquote

            works

            just

            fine.

            - another AC

        • (Score: 2) by c0lo on Wednesday September 13, @05:13AM (1 child)

          by c0lo (156) Subscriber Badge on Wednesday September 13, @05:13AM (#567080)

          Unrelated question, why isn't blockqoute working in preview? I wonder if it will work when this posts. The line above should be blockqouted.

          Spell it right and it will work.

          • (Score: 0) by Anonymous Coward on Wednesday September 13, @06:28AM

            by Anonymous Coward on Wednesday September 13, @06:28AM (#567100)

            Spell it right and it will work.

            It would help if I could type and proofread, wouldn't it?

    • (Score: 4, Interesting) by physicsmajor on Wednesday September 13, @02:28AM (4 children)

      by physicsmajor (1471) on Wednesday September 13, @02:28AM (#567055)

      Tell that to everyone who bought a phone without a headphone jack...

      • (Score: 4, Insightful) by edIII on Wednesday September 13, @02:49AM

        by edIII (791) Subscriber Badge on Wednesday September 13, @02:49AM (#567058)

        Yes, but those people sound like beaten wives and girlfriends. "Oh, he hit me again.... *sniff*... but I LOVE HIM". It's either that or Apple really is putting something in the koolaid served in the Walled Garden of Shiny People. It was no coincidence that it happened shortly before Apple released their ridiculous wireless earbuds.

        I've always had bluetooth off by default and only used it in controlled facilities, or home. Meaning, I'm highly doubtful anyone is getting to me while at home, and even more doubtful they are getting to me at my office. Cellular service and wifi have fairly significant problems getting in. Which is perfect for me.

        In public? I treat those places like the "worst toilet in all of Scotland" [youtube.com]. Bluetooth and Wifi is off. If I need Internet really badly I use a connection to my phone for a few minutes and then turn it off.

      • (Score: 2) by c0lo on Wednesday September 13, @03:02AM (2 children)

        by c0lo (156) Subscriber Badge on Wednesday September 13, @03:02AM (#567059)

        What's wrong with using the phone without headphones?
        It's primary function is to be a phone, dam'it. If it's not, then you (one instance of the "everyone who...") are the one who bought it, deal with the problem.

        • (Score: 0) by Anonymous Coward on Wednesday September 13, @03:25AM (1 child)

          by Anonymous Coward on Wednesday September 13, @03:25AM (#567062)

          It's only called a "phone" because that's the most similar device that people were carrying around at the time these mobile computers were introduced.

          The phone *app* is probably the least used app on the entire device. Nobody gives a fuck about phones, grandpa! FUCK.

          • (Score: 2) by c0lo on Wednesday September 13, @03:41AM

            by c0lo (156) Subscriber Badge on Wednesday September 13, @03:41AM (#567065)

            The phone *app* is probably the least used app on the entire device. Nobody gives a fuck about phones, grandpa! FUCK.

            Suits you well, then.

    • (Score: 2) by SanityCheck on Wednesday September 13, @04:19AM

      by SanityCheck (5190) on Wednesday September 13, @04:19AM (#567075)

      I been using Bluetooth for convenience. But it only works if it is on ALL THE TIME, because if I have to turn it on and off, it is no longer convenient.

  • (Score: 2, Informative) by Anonymous Coward on Wednesday September 13, @02:12AM (4 children)

    by Anonymous Coward on Wednesday September 13, @02:12AM (#567052)

    According to this article [techcrunch.com] iOS and Windows phones are protected from this attack.

    • (Score: 3, Informative) by JNCF on Wednesday September 13, @04:17AM (3 children)

      by JNCF (4317) Subscriber Badge on Wednesday September 13, @04:17AM (#567074) Journal

      TFA contradicts it:

      Apple has already addressed the vulnerabilities with the release of iOS 10 (one year ago) and Apple TV 7.2.2. Earlier versions of the Apple operating systems are still vulnerable to attacks.

      I'm going with the more specific source being correct. Android phones that still get security updates have also been patched (albeit more recently).

      • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 13, @06:41AM (1 child)

        by Anonymous Coward on Wednesday September 13, @06:41AM (#567103)

        Android phones that still get security updates

        Which, sadly, is probably only around 60% of Android devices, if that. So we have two options: throw away still useful devices, contributing to the world's e-waste problem, or continue to use insecure devices and contribute to the "internet is a nasty place" problem.

        <sarcasm>What a wonderful world unchecked corporatism has given us.</sarcasm>

        • (Score: 2, Interesting) by Anonymous Coward on Wednesday September 13, @07:45AM

          by Anonymous Coward on Wednesday September 13, @07:45AM (#567122)

          There might be a 3rd option: root it and install something secure on it.

          The insecure throwaway culture of today makes me sick.

      • (Score: 0) by Anonymous Coward on Wednesday September 13, @09:42AM

        by Anonymous Coward on Wednesday September 13, @09:42AM (#567148)

        I'm going with the more specific source being correct.

        Original AC here. I agree with you. TechCrunch should have been much more specific and stated something like "up-to-date iOS devices".

(1)