Big bad Bluetooth blunder bug battered – check for security fixes

With a bunch of security fixes released and more on the way, details have been made public of a Bluetooth bug that potentially allows miscreants to commandeer nearby devices. This Carnegie-Mellon CERT vulnerability advisory on Monday laid out the cryptographic flaw: firmware or operating system drivers skip a vital check …

  1. Dagg Silver badge

    So who pays for the fix?

    Especially when you own a car like a Ford where, once sold new, they disown the sat nav and AV system. So if there are any Bluetooth security bugs in the car subsystem you are stuffed.

    Just like the Ford gear boxes. They will just blame the driver.

    1. herman
      WTF?

      Re: So who pays for the fix?

      This bug has been there since before the dinosaurs and nobody found it?

      1. Dan 55 Silver badge

        Re: So who pays for the fix?

        No, Bluetooth LE is a whole new protocol, where they made the same mistakes as they did in classic Bluetooth years ago, all over again.

      2. GnuTzu
        FAIL

        Re: So who pays for the fix?

        "...since before the dinosaurs and nobody found it?"

        Too complicated and convoluted is this standard. It's almost as if it was designed to obfuscate bugs and vulns.

  2. Pascal Monett Silver badge

    "within radio range and transmitting while the gadgets were pairing"

    Okay, I don't like the idea that the protocol is stuffed, but frankly I don't see how someone could take advantage of it for long. When I start my car and my phone pairs with it, I'm not staying there, so the miscreant would have to follow me and stay in range.

    I'm putting this in the forget it folder.

    1. 78910

      Re: "within radio range and transmitting while the gadgets were pairing"

      I'm not so worried about my fitness gadgets or navigation stuff either.

      But this sounds like it could affect bluetooth keyboards - them things that people use to type passwords with.

    2. Toby Nixon

      Re: "within radio range and transmitting while the gadgets were pairing"

      The vulnerability exists only during the initial, first-time pairing of your phone with your car. Once it is paired, then the vulnerability does not exist each time you get in your car.

      1. YetAnotherLocksmith Silver badge

        Re: "within radio range and transmitting while the gadgets were pairing"

        That's going to depend how badly designed your car pairing system is, tbh.

        Some of them scan and try to pair anything when you turn on the ignition, "for convenience".

        Of course, the real danger is that someone could just pair with your vehicle/device!

        Still, this sounds about as easy as a MITM attack, except you have a different weird parameter - you have to be there at pairing time, rather than somehow closer than the pairing devices.

  3. J4

    Is it initial pairing, or every session ?

    Layman here, and not clear to me; I understood 'pairing' to be the initial intro of two devices to each other for the first time. Is that the only window of vulnerability, or is it every time two devices re-connect when they already know about each other ?

    1. Toby Nixon

      Re: Is it initial pairing, or every session ?

      The vulnerability only exists during initial pairing. The attacker needs to be present AND able to prevent the host and device from receiving from each other during the key exchange while it acts as a man-in-the-middle. There is no known implementation of the attack that has been shown to work in real life.

      1. diodesign (Written by Reg staff) Silver badge

        Re: Re: Is it initial pairing, or every session ?

        FWIW we wrote about this because it's an interesting crypto bug (which will need patching eventually to be on the safe side) rather than a terrifying end-of-days hack.

        C.

  4. David Roberts

    Not a major BlueTooth user

    However, the devices I have don't seem to have any mechanism for firmware updates.

    One device was shipped with a bug in the firmware and the fix was to ship a replacement.

    Which raises the next question. I assume that if one side of the pairing has the bug then it can be exploited?

    However the risk of someone snooping on the audio streams going to my speakers doesn't initially fill me with major anxiety.

    Assuming again, if I used BT headphones for phone calls then there is potential to snoop. My BT headphones currently in the drawer don't as far as I know have any firmware update mechanism.

    So is this a bug that can be exploited by a laptop sitting on a table in a cafe?

    1. Toby Nixon

      Re: Not a major BlueTooth user

      BOTH the host and the device must not validate the elliptic curve parameters during pairing in order for the vulnerability to be present. If either one of them does the validation, then the attack is not possible. If you, for example, update your phone but not your car, or update your PC but not your mouse, the attack won't be possible.

      As for headphones, for an attack to be successful, both your headphones and your phone would need to have the vulnerability, the attacker would have to be present during the initial pairing of the phone and the headphones, and the attacker would have to somehow block the phone and headphones from receiving from each other during the pairing process. No known real-world implementation of the attack exists -- it is only described in an academic paper. And after the initial pairing (like when you first get your headphones and introduce them to your phone), the attack is no longer possible because the phone and headphones will have already set up the secret key between them.

      As for setting up a laptop in a cafe, the key question is: how often do you take a brand new Bluetooth device out of the box and pair it with your phone or laptop in a public place? Not very often -- but that's the only time the vulnerability could be exploited, on initial pairing.

  5. Anonymous Coward

    Predicted many years ago.....

    Many years ago now, I went to a conference.

    The CISO of a very large regulated company was there giving a presentation.

    One of the things that stuck in my mind was the part of his presentation that dealt with Bluetooth.

    Effectively anyone senior with access to business-sensitive information at his organisation was "strongly cautioned" against using Bluetooth accessories on business communications.

    The CISO made a good case for the decision and cited a number of published vulnerabilities as well as some of their own internal research.

    And at the end of his presentation, he summed it up neatly in one phrase:

    "If you think about it, you are paying hardly anything for these cheap mass-produced accessories. That should start ringing alarm bells for a start in terms of what you can expect from security. Then you start considering the small package size, limited components, battery life etc. and I will let you come to your own conclusions".

    1. YetAnotherLocksmith Silver badge

      Re: Predicted many years ago.....

      That really only relates to the update cycle though. If everyone is using the same formally correct secure implementation, then the risk is lower.

      However, when a bug is found, obviously the thing that cost 45p is less likely to have support. Sadly, that includes the Bluetooth chip in your car!

  6. jelabarre59

    Fortunately

    Fortunately I don't use Bluetooth for anything involving money transfer, etc. If someone wants to hop into my cellphone-headset connection, all they're going to get is a grocery shopping list from the spouse, or a chance to listen to some J-Pop. Maybe I could be using a BT keyboard with a tablet, but I'm not doing banking there either (all the relevant info would be on my desktop machine at home, a web browser on a tablet sucks for those things, and I don't put "store apps" & the like on my tablet/phone).
