X10 Community Forum
💬General Category => General Discussion => Topic started by: dhouston on September 13, 2017, 01:21:33 PM
-
I'm not really familiar with Bluetooth but the potential size of this is downright scary.
https://www.slashgear.com/blueborne-bluetooth-vulnerability-puts-8-billion-devices-at-risk-13499615/
-
It looks like patches are already being updated (likely before the vulnerability was even exposed). The security outfits that find these vulnerabilities sell the fix to the OS makers before they email out their "find".
NOTE: Armis found, named, and created the "news release" LINK... that you shared here. Armis is in the business of finding vulnerabilities and then selling the discovery/solution to the creators of the software OS. No hacker ever used this Bluetooth vulnerability to hack.... anything.
-
The most vulnerable will be Android devices which haven't been updated (likely to be most Android devices). And, given that there are thousands of Linux variants, many of those may also be vulnerable. It's also unlikely that IoT devices using Bluetooth and/or Linux will be updated as most lack update methods.
Armis, which sells anti-virus software to businesses, has released a free App which can check your Android device as well as scan for other vulnerable devices in the vicinity.
https://play.google.com/store/apps/details?id=com.armis.blueborne_detector
From the description...
This app was specifically designed to scan your device and see if it is vulnerable. It can also scan and locate devices that could be vulnerable to the BlueBorne attack vector. Simply use the screen of your mobile device as a viewfinder to scan your device or locate connected devices in your environment. The viewfinder will alert you if this device could be a carrier to a BlueBorne attack.
Armis also released a PDF whitepaper explaining BlueBorne...
http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf?t=1505222709963
US-CERT (Department of Homeland Security) also has a webpage on BlueBorne...
https://www.kb.cert.org/vuls/id/240311
PC Magazine has a brief article...
https://www.pcmag.com/news/356174/blueborne-bluetooth-attack-puts-5-billion-devices-at-risk
Here's an excerpt...
Apple mitigated the flaw in iOS 10, but all iPhones, iPads, and iPod touch devices with iOS 9.3.5 or lower, and Apple TV devices with version 7.2.2 or lower are at risk.
-
..... Armis, which sells anti-virus software to businesses, has released a free App which can check your Android device as well as scan for other vulnerable devices in the vicinity.
Yes.... these software businesses regularly create products.... and in this case a reason (for software manufacturers) to buy their products. But there is NO risk to any product owner. No one has ever successfully used the vulnerability Armis has exposed in their product/news release.
-
No one has ever successfully used the vulnerability Armis has exposed in their product/news release.
But then if they had it wouldn't have been Armis that exposed the vulnerability. rofl
-
Isn't BT only good for something like 20' or less?
-
Isn't BT only good for something like 20' or less?
It depends on the version. Plus, there are Range Extenders. See...
https://www.techwalla.com/articles/the-effective-range-of-bluetooth
Bluetooth 1.0 can link up to eight devices within a radius of about 33 feet with a capacity, or bandwidth, of 700Kbps. A later revision of the Bluetooth specification, Bluetooth 2.0, can transmit at up to 2.1Mbps within a radius of about 100 feet. Bluetooth 3.0, adopted in 2009, increased bandwidth to 24Mbps, while the Bluetooth 4.0 specification, adopted in 2010, has a theoretical range of up to 200 feet. The Bluetooth specification stipulates a minimum range of 33 feet, but the maximum range is determined only by the output power of the device.
Any exploits will likely target businesses but anyone might get their smartphone infected while out and about. Then, the infection might spread to other devices once back at home.
-
Not sure if this is typical, but my devices won't even connect to each other here at home without a manual code entry match. That's not something I would do in public with unknown devices.
-
Read the description of the problem from the link in the initial post to this thread.
Until now, everyone worked on the presumption that you could only attack a Bluetooth device if it’s discoverable or paired, and even then only with user interaction. Those presumptions are apparently flawed, and, thus, BlueBorne, the airborne Bluetooth vulnerability, came to be.
The Armis webpage gives a clear description of the potential scope with 8.2 billion Bluetooth devices extant...
https://www.armis.com/blueborne/
The authors imply that the Bluetooth Stack would more appropriately be called the Bluetooth Pile of (fill in the blank).
From the PDF (link provided earlier)...
Bluetooth is complicated. Too complicated. Too many specific applications are defined in the stack layer, with endless replication of facilities and features. These over-complications are a direct result of the immense work, and over-engineering that was put into creating the Bluetooth specification. Just to illustrate this point: while the WiFi specification (802.11) is only 450 pages long, the Bluetooth specification reaches 2822 pages.
-
....But then if they had it wouldn't have been Armis that exposed the vulnerability. rofl
It isn't that the vulnerability isn't real.... but that it is impractical. Some of the greatest most creative code writers and hackers in the world expose a "possible" vulnerability... that generates income for themselves. There never was... and is not now... any risk from this.
This is just exactly like the car hacks.... that was going to enable hackers to connect to and then control everyone's cars. No real-life car in the wild has EVER been hacked. Never... not even ONE.
......... but anyone might get their smartphone infected while out and about. Then, the infection might spread to other devices once back at home.
Any Internet connected device CAN be hacked.... period.
Most well used Internet devices (phones included) will pick-up some sort of virus... or some sort of malware, or a malware infected app will be downloaded. This is life in the 21st century. Normal precautions, strict adherence to safety protocols, and protective software with regular scans takes care of 99.9% of all these problems.
But if some crazy wants you and me dead, we'll die. If a professional thief wants our stuff... he'll get it. And if a hacker wants into a networked system... he's likely already in.
Attacking modern technology doesn't promote or advocate modern Home Automation. These scare stories actually may FALSELY scare some people away from Home Automation.
-
No real-life car in the wild has EVER been hacked. Never... not even ONE.
https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
https://www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-vehicles-bug-fix/
https://www.wired.com/2015/09/gm-took-5-years-fix-full-takeover-hack-millions-onstar-cars/
-
Yeah, we have a 2015 Jeep Cherokee. Chrysler sent us a little cardboard USB memory stick with instructions to reprogram the ECU, as soon as possible.
We had to park the SUV under clear sky, shut off engine, insert the USB, press brake, turn on the wipers, put headlights on bright, hold the horn, press the start button in S-O-S pattern, start engine, set e-brake, get out, do a little dance, re-enter and fasten seatbelt, wait for 40 to 90 minutes with engine running for download to complete and install. Be ready to apply brake if the vehicle lurched forward or backward.
If a cloud came between us and the "Uconnect" (Chrysler's version of On Star) satellite during this time and engine stopped, Chrysler said the Cherokee could be limped to nearest dealer in the "default" mode.
Supposedly our Cherokee is now hack proof for the time being. Suddenly a street thug with a coat hanger or slim jim does not seem like as big a threat anymore.
P.S. most of this is "tongue-in-cheek" humor. The download was fail-safe, and I did not have to get out of the Cherokee and do a little dance. rofl
-
No real-life car in the wild has EVER been hacked. Never... not even ONE.
https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
Oh come on! If you'd take the time to read your own links.... you would know they confirmed what I had posted. That was a published article about a rehearsed and STAGED (AKA fake) hack. It wasn't real.
Didn't we cover this like two years ago?????
These Luddite (socialist, anti-capitalists) groups have been very successful at hurting the bottom lines of business, reducing natural consumerism,..... and scaring the heck out of old people.
Half the people attracted to Home Automation are scared away... or the frightened women in their lives keep them away... from automation because of these phony, hoax, stories. Why are you posting this stuff... I know you know this isn't real.
That hoax (that you linked to above).... cost Chrysler millions in the fix... and in lost income/profit. And regular people that work at Chrysler..... they lost bonus, overtime, and were even laid off because of lost sales and over-inventory.
And the hoax crap story that began this thread? Who will that help? YOU know full well (now if not before) that no phones have or will be hacked due to this new found vulnerability. Yet the rumors and half stories will continue.... till scared old women (like my 90 year old mom) will be afraid to turn their mobile phones on.
-
..... Supposedly our Cherokee is now hack proof for the time being. Suddenly a street thug with a coat hanger or slim jim does not seem like as big a threat anymore.
1. No computer is hack proof.
2. The perpetrators that did this to Chrysler.... should have gone to prison. And... should still be there.
3. No car has been or likely ever will be hacked. There is no motive. Hacking someone's car is a highly specialized and difficult proposition (pretty much a guaranteed inside job)... with NO monetary reward. It would in fact (I am sure) be considered a terrorist act. A lifetime in prison to scare one driver? Wouldn't the normal terrorist bomb or speeding truck into a crowd be a lot easier and cheaper?
Yet some kid.... could coat hanger your car in the parking lot tomorrow. Or if it's on the street... a kid could be rifling your glovebox as I type.
-
No car has been or likely ever will be hacked.
That's impossible to prove.
-
YOU know full well (now if not before) that no phones have or will be hacked due to this new found vulnerability
That's impossible to prove.
-
Re car hacks...
https://www.eurekalert.org/pub_releases/2017-10/drnl-stf100517.php
-
YOU know full well (now if not before) that no phones have or will be hacked due to this new found vulnerability
That's impossible to prove.
Let's hope this was not a case of BlueBorne...
http://www.politico.com/story/2017/10/05/john-kelly-cell-phone-compromised-243514
-
This week's HUGE security issue is much HUGER...
http://www.msn.com/en-us/news/technology/us-warns-of-security-flaw-which-can-compromise-wi-fi-connections/ar-AAtzWNT
https://www.kb.cert.org/vuls/id/228519/
-
And this one is even HUUUUGER...
https://www.forbes.com/sites/thomasbrewster/2017/10/16/worse-than-krack-google-and-microsoft-patch-massive-5-year-old-encryption-hole/#784b674f47c3