X10 Community Forum

💬General Category => General Discussion => Topic started by: dhouston on September 13, 2017, 01:21:33 PM

Title: Yet another HUGE security issue
Post by: dhouston on September 13, 2017, 01:21:33 PM
I'm not really familiar with Bluetooth but the potential size of this is downright scary.
https://www.slashgear.com/blueborne-bluetooth-vulnerability-puts-8-billion-devices-at-risk-13499615/ (https://www.slashgear.com/blueborne-bluetooth-vulnerability-puts-8-billion-devices-at-risk-13499615/)
Title: Re: Yet another HUGE security issue
Post by: HA Dave on September 13, 2017, 07:50:57 PM
It looks like patches are already being updated (likely before the vulnerability was even exposed). The security outfits that find these vulnerability sell the fix to the OS makers before they email out their "find".

NOTE: Armis found, named, and created the "news release" LINK... that you shared here. Armis is in the business of finding vulnerabilities and then selling the discovery/solution to the creators of the software OS. No hacker ever used this Bluetooth vulnerability to hack.... anything.
Title: Re: Yet another HUGE security issue
Post by: dhouston on September 14, 2017, 07:15:10 AM
The most vulnerable will be Android devices which haven't been updated (likely to be most Android devices). And, given that there are thousands of Linux variants, many of those may also be vulnerable. It's also unlikely that IoT devices using Bluetooth and/or Linux will be updated as most lack update methods.

Armis, which sells anti-virus software to businesses, has released a free App which can check your Android device as well as scan for other vulnerable devices in the vicinity.
https://play.google.com/store/apps/details?id=com.armis.blueborne_detector (https://play.google.com/store/apps/details?id=com.armis.blueborne_detector)
From the description...
Quote
This app was specifically designed to scan your device and see if it is vulnerable. It can also scan and locate devices that could be vulnerable to the BlueBorne attack vector. Simply use the screen of your mobile device as a viewfinder to scan your device or locate connected devices in your environment. The viewfinder will alert you if this device could be a carrier to a BlueBorne attack.

Armis also released a PDF whitepaper explaining BlueBorne...
http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf?t=1505222709963 (http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf?t=1505222709963)

US-Cert (Department of Homeland Security) also has a webpage on BlueBorne...
https://www.kb.cert.org/vuls/id/240311 (https://www.kb.cert.org/vuls/id/240311)

PC Magazine has a brief article...
https://www.pcmag.com/news/356174/blueborne-bluetooth-attack-puts-5-billion-devices-at-risk (https://www.pcmag.com/news/356174/blueborne-bluetooth-attack-puts-5-billion-devices-at-risk)
Here's an excerpt...
Quote
Apple mitigated the flaw in iOS 10, but all iPhones, iPads, and iPod touch devices with iOS 9.3.5 or lower, and Apple TV devices with version 7.2.2 or lower are at risk.
Title: Re: Yet another HUGE security issue
Post by: HA Dave on September 14, 2017, 12:34:41 PM
..... Armis, which sells anti-virus software to businesses, has released a free App which can check your Android device as well as scan for other vulnerable devices in the vicinity.

Yes.... these software businesses regularly create products.... and in this case a reason (for software manufactures) to buy their products. But there is NO risk to any product owner. No one has ever successfully used the vulnerability Armis has exposed in their product/news release. 
Title: Re: Yet another HUGE security issue
Post by: Tuicemen on September 14, 2017, 02:28:45 PM
No one has ever successfully used the vulnerability Armis has exposed in their product/news release.
But then if they had it wouldn't have been Armis that exposed the vulnerability. rofl
Title: Re: Yet another HUGE security issue
Post by: BackAgain on September 14, 2017, 04:34:19 PM
Isn't BT only good for something like 20' or less?

Title: Re: Yet another HUGE security issue
Post by: dhouston on September 14, 2017, 04:46:50 PM
Isn't BT only good for something like 20' or less?
It depends on the version. Plus, there are Range Extenders. See...
https://www.techwalla.com/articles/the-effective-range-of-bluetooth (https://www.techwalla.com/articles/the-effective-range-of-bluetooth)
Quote
Bluetooth 1.0 can link up to eight devices within a radius of about 33 feet with a capacity, or bandwidth, of 700Kbps. A later revision of the Bluetooth specification, Bluetooth 2.0, can transmit at up 2.1Mbps within a radius of about 100 feet. Bluetooth 3.0, adopted in 2009, increased bandwidth to 24Mbps, while the Bluetooth 4.0 specification, adopted in 2010, has a theoretical range of up to 200 feet. The Bluetooth specification stipulates a minimum range of 33 feet, but the maximum range is determined only by the output power of the device.

Any exploits will likely target businesses but anyone might get their smartphone infected while out and about. Then, the infection might spread to other devices once back at home.
Title: Re: Yet another HUGE security issue
Post by: BackAgain on September 14, 2017, 05:35:14 PM
Not sure if this is typical, but my devices won't even connect to each other here at home without a manual code entry match.  That's not something I would do in public with unknown devices.

Title: Re: Yet another HUGE security issue
Post by: dhouston on September 14, 2017, 06:58:03 PM
Read the description of the problem from the link in the initial post to this thread.
Quote
Until now, everyone worked on the presumption that you could only attack a Bluetooth device if itís discoverable or paired, and even then only with user interaction. Those presumptions are apparently flawed, and, thus, BlueBorne, the airborne Bluetooth vulnerability, came to be.

The Armis webpage gives a clear description of the potential scope with 8.2 billion Bluetooth devices extant...
https://www.armis.com/blueborne/  (https://www.armis.com/blueborne/)

The authors imply that the Bluetooth Stack would more appropriately be called the Bluetooth Pile of (fill in the blank).  :'
From the PDF (link provided earlier)...
Quote
Bluetooth​ ​is​ ​complicated.​ ​Too​ ​complicated.​ ​Too​ ​many​ ​specific​ ​applications​ ​are​ ​defined​ ​in​ ​the  stack​ ​layer,​ ​with​ ​endless​ ​replication​ ​of​ ​facilities​ ​and​ ​features.​ ​These​ ​over-complications​ ​are​ ​a  direct​ ​result​ ​of​ ​the​ ​immense​ ​work,​ ​and​ ​over-engineering​ ​that​ ​was​ ​put​ ​into​ ​creating​ ​the​ ​Bluetooth  specification.​ ​Just​ ​to​ ​illustrate​ ​this​ ​point:​ ​while​ ​the​ ​WiFi​ ​specification​ ​(802.11)​ ​is​ ​only​ ​450​ ​pages  long,​ ​the​ ​Bluetooth​ ​specification​ ​reaches​ ​2822​ ​pages.
Title: Re: Yet another HUGE security issue
Post by: HA Dave on September 14, 2017, 09:29:36 PM
....But then if they had it wouldn't have been Armis that exposed the vulnerability. rofl 

It isn't that the vulnerability isn't real.... but that it is impractical. Some of the greatest most creative code writers and hackers in the world expose a "possible" vulnerability... that generates income for themselves. There never was... and is not now... any risk from this.

This is just exactly like the car hacks.... that was going to enable hackers to connect to and then control everyones cars. No real-life car in the wild has EVER been hacked. Never... not even ONE.

......... but anyone might get their smartphone infected while out and about. Then, the infection might spread to other devices once back at home.


Any Internet connected device CAN be hacked.... period.

Most well used Internet devices (phones included) will pick-up some sort of virus... or some sort of malware, or a malware infected app will be downloaded. This is life in the 21 century. Normal precautions, strict adherence to safety protocols, and protective software with regular scans takes care of 99.9% of all these problems.

But if some crazy wants you and me dead, we'll die. If a professional thief wants our stuff... he'll get it. And if a hacker wants into a networked system... he's likely already in.

Attacking modern technology doesn't promote or advocate modern Home Automation. These scare stories actually may FALSELY scare some people away from Home Automation.
Title: Re: Yet another HUGE security issue
Post by: dhouston on September 15, 2017, 03:02:41 PM
No real-life car in the wild has EVER been hacked. Never... not even ONE.
https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ (https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/)
https://www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-vehicles-bug-fix/ (https://www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-vehicles-bug-fix/)
https://www.wired.com/2015/09/gm-took-5-years-fix-full-takeover-hack-millions-onstar-cars/ (https://www.wired.com/2015/09/gm-took-5-years-fix-full-takeover-hack-millions-onstar-cars/)
Title: Re: Yet another HUGE security issue
Post by: dave w on September 15, 2017, 08:46:33 PM
Yeah, we have a 2015 Jeep Cherokee. Chrysler sent us a little cardboard USB memory stick with instructions to reprogram the ECU, as soon as soon as possible.
We had to park the SUV  under clear sky, shut off engine, insert the USB, press brake, turn on the wipers, put headlights on bright, hold the horn, press the start button in S-O-S pattern, start engine, set e-brake, get out, do a little dance, re-enter and fasten seatbelt,  wait for 40 to 90 minutes with engine running for download to complete and install. Be ready to apply brake if the vehicle lurched forward or backward.

If a cloud came between us and the "Uconnect" (Chrysler's version of On Star) satellite during this time and engine stopped, Chrysler said the Cherokee could be limped to nearest dealer in the "default" mode.

Supposedly our Cherokee is now hack proof for the time being. Suddenly a street thug with a coat hanger or slim jim does not seem like as big a threat anymore.   

P.S. most of this is "tongue-in-cheek" humor. The download was fail-safe, and I did not have to get out of the Cherokee and do a little dance.  rofl
Title: Re: Yet another HUGE security issue
Post by: HA Dave on September 15, 2017, 11:16:40 PM
No real-life car in the wild has EVER been hacked. Never... not even ONE.
https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ (https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/)

Oh come on! If you'd take the time to read your own links.... you would know they confirmed what I had posted. That was a published article about a rehearsed and STAGED (AKA fake) hack. It wasn't real.

Didn't we cover this like two years ago?????

These Luddite (socialist, anti-capitalists) groups have been very successful at hurting the bottom lines of business, reducing natural consumerism,..... and scaring the heck out of old people.

Half the people attracted to Home Automation are scared away... or the frighten women in their lives keep them away... from automation because of these phony, hoax, stories. Why are you posting this stuff... I know you know this isn't real. 

That hoax (that you linked to above).... cost Chrysler millions in the fix... and in lost income/profit. And regular people that work at Chrysler..... they lost bonus, overtime, and were even laid off because of lost sales and over-inventory.

And the hoax crap story that began this thread? Who will that help? YOU know full well (now if not before) that no phones have or will be hacked due to this new found vulnerability Yet the rumors and half stories will continue.... till scared old women (like my 90 year old mom) will be afraid to turn their mobile phones on.
Title: Re: Yet another HUGE security issue
Post by: HA Dave on September 15, 2017, 11:31:59 PM
..... Supposedly our Cherokee is now hack proof for the time being. Suddenly a street thug with a coat hanger or slim jim does not seem like as big a threat anymore.

1.  No computer is hack proof.
2.  The perpetrators that did this to Chrysler.... should have went to prison. And... should still be there.
3.  No car has been or likely ever will be hacked. There is no motive. Hacking someone's car is a highly specialized and difficult proposition (pretty much a guaranteed inside job)... with NO monetary reward. It would in fact (I am sure) be considered a terrorist act. A lifetime in prison to scare one driver? Wouldn't the normal terrorist bomb or speeding truck into a crowd be a lot easier and cheaper?

Yet some kid.... could coat hanger your car in the parking lot tomorrow. Or if its on the street... a kid could be rifling your glovebox as I type. 
Title: Re: Yet another HUGE security issue
Post by: dhouston on September 16, 2017, 06:52:41 AM
No car has been or likely ever will be hacked.
That's impossible to prove.
Title: Re: Yet another HUGE security issue
Post by: dhouston on September 16, 2017, 06:54:56 AM
YOU know full well (now if not before) that no phones have or will be hacked due to this new found vulnerability
That's impossible to prove.
Title: Re: Yet another HUGE security issue
Post by: dhouston on October 05, 2017, 11:38:14 AM
Re car hacks...
https://www.eurekalert.org/pub_releases/2017-10/drnl-stf100517.php (https://www.eurekalert.org/pub_releases/2017-10/drnl-stf100517.php)
Title: Re: Yet another HUGE security issue
Post by: dhouston on October 06, 2017, 10:40:32 AM
YOU know full well (now if not before) that no phones have or will be hacked due to this new found vulnerability
That's impossible to prove.
Let's hope this was not a case of BlueBorne...
http://www.politico.com/story/2017/10/05/john-kelly-cell-phone-compromised-243514 (http://www.politico.com/story/2017/10/05/john-kelly-cell-phone-compromised-243514)
Title: Re: Yet another HUGE security issue
Post by: dhouston on October 16, 2017, 12:00:07 PM
This weeks HUGE security issue is much HUGER...
http://www.msn.com/en-us/news/technology/us-warns-of-security-flaw-which-can-compromise-wi-fi-connections/ar-AAtzWNT (http://www.msn.com/en-us/news/technology/us-warns-of-security-flaw-which-can-compromise-wi-fi-connections/ar-AAtzWNT)
https://www.kb.cert.org/vuls/id/228519/ (https://www.kb.cert.org/vuls/id/228519/)
Title: Re: Yet another HUGE security issue
Post by: dhouston on October 16, 2017, 01:06:19 PM
And this one is even HUUUUGER...
https://www.forbes.com/sites/thomasbrewster/2017/10/16/worse-than-krack-google-and-microsoft-patch-massive-5-year-old-encryption-hole/#784b674f47c3 (https://www.forbes.com/sites/thomasbrewster/2017/10/16/worse-than-krack-google-and-microsoft-patch-massive-5-year-old-encryption-hole/#784b674f47c3)