Please login or register.

Login with username, password and session length
Pages: [1] 2

Author Topic: Yet another HUGE security issue  (Read 7405 times)

dhouston

  • Advanced Member
  • Hero Member
  • ******
  • Helpful Post Rating: 37
  • Posts: 2547
    • davehouston.org
Yet another HUGE security issue
« on: September 13, 2017, 01:21:33 PM »

I'm not really familiar with Bluetooth but the potential size of this is downright scary.
https://www.slashgear.com/blueborne-bluetooth-vulnerability-puts-8-billion-devices-at-risk-13499615/
Logged
This message was composed entirely from recycled letters of the alphabet using only renewable, caffeinated energy sources.
No twees, wabbits, chimps or whales died in the process.
https://www.laser.com/dhouston

HA Dave

  • Hero Member
  • *****
  • Helpful Post Rating: 175
  • Posts: 7127
Re: Yet another HUGE security issue
« Reply #1 on: September 13, 2017, 07:50:57 PM »

It looks like patches are already being updated (likely before the vulnerability was even exposed). The security outfits that find these vulnerability sell the fix to the OS makers before they email out their "find".

NOTE: Armis found, named, and created the "news release" LINK... that you shared here. Armis is in the business of finding vulnerabilities and then selling the discovery/solution to the creators of the software OS. No hacker ever used this Bluetooth vulnerability to hack.... anything.
Logged
Home Automation is an always changing technology

dhouston

  • Advanced Member
  • Hero Member
  • ******
  • Helpful Post Rating: 37
  • Posts: 2547
    • davehouston.org
Re: Yet another HUGE security issue
« Reply #2 on: September 14, 2017, 07:15:10 AM »

The most vulnerable will be Android devices which haven't been updated (likely to be most Android devices). And, given that there are thousands of Linux variants, many of those may also be vulnerable. It's also unlikely that IoT devices using Bluetooth and/or Linux will be updated as most lack update methods.

Armis, which sells anti-virus software to businesses, has released a free App which can check your Android device as well as scan for other vulnerable devices in the vicinity.
https://play.google.com/store/apps/details?id=com.armis.blueborne_detector
From the description...
Quote
This app was specifically designed to scan your device and see if it is vulnerable. It can also scan and locate devices that could be vulnerable to the BlueBorne attack vector. Simply use the screen of your mobile device as a viewfinder to scan your device or locate connected devices in your environment. The viewfinder will alert you if this device could be a carrier to a BlueBorne attack.

Armis also released a PDF whitepaper explaining BlueBorne...
http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf?t=1505222709963

US-Cert (Department of Homeland Security) also has a webpage on BlueBorne...
https://www.kb.cert.org/vuls/id/240311

PC Magazine has a brief article...
https://www.pcmag.com/news/356174/blueborne-bluetooth-attack-puts-5-billion-devices-at-risk
Here's an excerpt...
Quote
Apple mitigated the flaw in iOS 10, but all iPhones, iPads, and iPod touch devices with iOS 9.3.5 or lower, and Apple TV devices with version 7.2.2 or lower are at risk.
« Last Edit: September 14, 2017, 07:57:02 AM by dhouston »
Logged
This message was composed entirely from recycled letters of the alphabet using only renewable, caffeinated energy sources.
No twees, wabbits, chimps or whales died in the process.
https://www.laser.com/dhouston

HA Dave

  • Hero Member
  • *****
  • Helpful Post Rating: 175
  • Posts: 7127
Re: Yet another HUGE security issue
« Reply #3 on: September 14, 2017, 12:34:41 PM »

..... Armis, which sells anti-virus software to businesses, has released a free App which can check your Android device as well as scan for other vulnerable devices in the vicinity.

Yes.... these software businesses regularly create products.... and in this case a reason (for software manufactures) to buy their products. But there is NO risk to any product owner. No one has ever successfully used the vulnerability Armis has exposed in their product/news release. 
Logged
Home Automation is an always changing technology

Tuicemen

  • Administrator
  • Hero Member
  • ****
  • Helpful Post Rating: 283
  • Posts: 10509
  • I don't work for X10, I use it successfuly!
Re: Yet another HUGE security issue
« Reply #4 on: September 14, 2017, 02:28:45 PM »

No one has ever successfully used the vulnerability Armis has exposed in their product/news release.
But then if they had it wouldn't have been Armis that exposed the vulnerability. rofl
Logged
Please Read Topic:
General Forum Etiquette
Before you post!

BackAgain

  • Sr. Member
  • ****
  • Helpful Post Rating: 1
  • Posts: 136
Re: Yet another HUGE security issue
« Reply #5 on: September 14, 2017, 04:34:19 PM »

Isn't BT only good for something like 20' or less?

Logged

dhouston

  • Advanced Member
  • Hero Member
  • ******
  • Helpful Post Rating: 37
  • Posts: 2547
    • davehouston.org
Re: Yet another HUGE security issue
« Reply #6 on: September 14, 2017, 04:46:50 PM »

Isn't BT only good for something like 20' or less?
It depends on the version. Plus, there are Range Extenders. See...
https://www.techwalla.com/articles/the-effective-range-of-bluetooth
Quote
Bluetooth 1.0 can link up to eight devices within a radius of about 33 feet with a capacity, or bandwidth, of 700Kbps. A later revision of the Bluetooth specification, Bluetooth 2.0, can transmit at up 2.1Mbps within a radius of about 100 feet. Bluetooth 3.0, adopted in 2009, increased bandwidth to 24Mbps, while the Bluetooth 4.0 specification, adopted in 2010, has a theoretical range of up to 200 feet. The Bluetooth specification stipulates a minimum range of 33 feet, but the maximum range is determined only by the output power of the device.

Any exploits will likely target businesses but anyone might get their smartphone infected while out and about. Then, the infection might spread to other devices once back at home.
« Last Edit: September 14, 2017, 05:29:54 PM by dhouston »
Logged
This message was composed entirely from recycled letters of the alphabet using only renewable, caffeinated energy sources.
No twees, wabbits, chimps or whales died in the process.
https://www.laser.com/dhouston

BackAgain

  • Sr. Member
  • ****
  • Helpful Post Rating: 1
  • Posts: 136
Re: Yet another HUGE security issue
« Reply #7 on: September 14, 2017, 05:35:14 PM »

Not sure if this is typical, but my devices won't even connect to each other here at home without a manual code entry match.  That's not something I would do in public with unknown devices.

Logged

dhouston

  • Advanced Member
  • Hero Member
  • ******
  • Helpful Post Rating: 37
  • Posts: 2547
    • davehouston.org
Re: Yet another HUGE security issue
« Reply #8 on: September 14, 2017, 06:58:03 PM »

Read the description of the problem from the link in the initial post to this thread.
Quote
Until now, everyone worked on the presumption that you could only attack a Bluetooth device if it’s discoverable or paired, and even then only with user interaction. Those presumptions are apparently flawed, and, thus, BlueBorne, the airborne Bluetooth vulnerability, came to be.

The Armis webpage gives a clear description of the potential scope with 8.2 billion Bluetooth devices extant...
https://www.armis.com/blueborne/

The authors imply that the Bluetooth Stack would more appropriately be called the Bluetooth Pile of (fill in the blank).  :'
From the PDF (link provided earlier)...
Quote
Bluetooth​ ​is​ ​complicated.​ ​Too​ ​complicated.​ ​Too​ ​many​ ​specific​ ​applications​ ​are​ ​defined​ ​in​ ​the  stack​ ​layer,​ ​with​ ​endless​ ​replication​ ​of​ ​facilities​ ​and​ ​features.​ ​These​ ​over-complications​ ​are​ ​a  direct​ ​result​ ​of​ ​the​ ​immense​ ​work,​ ​and​ ​over-engineering​ ​that​ ​was​ ​put​ ​into​ ​creating​ ​the​ ​Bluetooth  specification.​ ​Just​ ​to​ ​illustrate​ ​this​ ​point:​ ​while​ ​the​ ​WiFi​ ​specification​ ​(802.11)​ ​is​ ​only​ ​450​ ​pages  long,​ ​the​ ​Bluetooth​ ​specification​ ​reaches​ ​2822​ ​pages.
« Last Edit: September 14, 2017, 09:24:14 PM by dhouston »
Logged
This message was composed entirely from recycled letters of the alphabet using only renewable, caffeinated energy sources.
No twees, wabbits, chimps or whales died in the process.
https://www.laser.com/dhouston

HA Dave

  • Hero Member
  • *****
  • Helpful Post Rating: 175
  • Posts: 7127
Re: Yet another HUGE security issue
« Reply #9 on: September 14, 2017, 09:29:36 PM »

....But then if they had it wouldn't have been Armis that exposed the vulnerability. rofl 

It isn't that the vulnerability isn't real.... but that it is impractical. Some of the greatest most creative code writers and hackers in the world expose a "possible" vulnerability... that generates income for themselves. There never was... and is not now... any risk from this.

This is just exactly like the car hacks.... that was going to enable hackers to connect to and then control everyones cars. No real-life car in the wild has EVER been hacked. Never... not even ONE.

......... but anyone might get their smartphone infected while out and about. Then, the infection might spread to other devices once back at home.


Any Internet connected device CAN be hacked.... period.

Most well used Internet devices (phones included) will pick-up some sort of virus... or some sort of malware, or a malware infected app will be downloaded. This is life in the 21 century. Normal precautions, strict adherence to safety protocols, and protective software with regular scans takes care of 99.9% of all these problems.

But if some crazy wants you and me dead, we'll die. If a professional thief wants our stuff... he'll get it. And if a hacker wants into a networked system... he's likely already in.

Attacking modern technology doesn't promote or advocate modern Home Automation. These scare stories actually may FALSELY scare some people away from Home Automation.
« Last Edit: September 14, 2017, 09:32:45 PM by HA Dave »
Logged
Home Automation is an always changing technology

dhouston

  • Advanced Member
  • Hero Member
  • ******
  • Helpful Post Rating: 37
  • Posts: 2547
    • davehouston.org
« Last Edit: September 15, 2017, 03:59:24 PM by dhouston »
Logged
This message was composed entirely from recycled letters of the alphabet using only renewable, caffeinated energy sources.
No twees, wabbits, chimps or whales died in the process.
https://www.laser.com/dhouston

dave w

  • Community Organizer
  • Hero Member
  • ***
  • Helpful Post Rating: 139
  • Posts: 6116
Re: Yet another HUGE security issue
« Reply #11 on: September 15, 2017, 08:46:33 PM »

Yeah, we have a 2015 Jeep Cherokee. Chrysler sent us a little cardboard USB memory stick with instructions to reprogram the ECU, as soon as soon as possible.
We had to park the SUV  under clear sky, shut off engine, insert the USB, press brake, turn on the wipers, put headlights on bright, hold the horn, press the start button in S-O-S pattern, start engine, set e-brake, get out, do a little dance, re-enter and fasten seatbelt,  wait for 40 to 90 minutes with engine running for download to complete and install. Be ready to apply brake if the vehicle lurched forward or backward.

If a cloud came between us and the "Uconnect" (Chrysler's version of On Star) satellite during this time and engine stopped, Chrysler said the Cherokee could be limped to nearest dealer in the "default" mode.

Supposedly our Cherokee is now hack proof for the time being. Suddenly a street thug with a coat hanger or slim jim does not seem like as big a threat anymore.   

P.S. most of this is "tongue-in-cheek" humor. The download was fail-safe, and I did not have to get out of the Cherokee and do a little dance.  rofl
« Last Edit: September 16, 2017, 10:03:39 AM by dave w »
Logged
"This aftershave makes me look fat"

HA Dave

  • Hero Member
  • *****
  • Helpful Post Rating: 175
  • Posts: 7127
Re: Yet another HUGE security issue
« Reply #12 on: September 15, 2017, 11:16:40 PM »

No real-life car in the wild has EVER been hacked. Never... not even ONE.
https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

Oh come on! If you'd take the time to read your own links.... you would know they confirmed what I had posted. That was a published article about a rehearsed and STAGED (AKA fake) hack. It wasn't real.

Didn't we cover this like two years ago?????

These Luddite (socialist, anti-capitalists) groups have been very successful at hurting the bottom lines of business, reducing natural consumerism,..... and scaring the heck out of old people.

Half the people attracted to Home Automation are scared away... or the frighten women in their lives keep them away... from automation because of these phony, hoax, stories. Why are you posting this stuff... I know you know this isn't real. 

That hoax (that you linked to above).... cost Chrysler millions in the fix... and in lost income/profit. And regular people that work at Chrysler..... they lost bonus, overtime, and were even laid off because of lost sales and over-inventory.

And the hoax crap story that began this thread? Who will that help? YOU know full well (now if not before) that no phones have or will be hacked due to this new found vulnerability Yet the rumors and half stories will continue.... till scared old women (like my 90 year old mom) will be afraid to turn their mobile phones on.
« Last Edit: September 15, 2017, 11:40:33 PM by HA Dave »
Logged
Home Automation is an always changing technology

HA Dave

  • Hero Member
  • *****
  • Helpful Post Rating: 175
  • Posts: 7127
Re: Yet another HUGE security issue
« Reply #13 on: September 15, 2017, 11:31:59 PM »

..... Supposedly our Cherokee is now hack proof for the time being. Suddenly a street thug with a coat hanger or slim jim does not seem like as big a threat anymore.

1.  No computer is hack proof.
2.  The perpetrators that did this to Chrysler.... should have went to prison. And... should still be there.
3.  No car has been or likely ever will be hacked. There is no motive. Hacking someone's car is a highly specialized and difficult proposition (pretty much a guaranteed inside job)... with NO monetary reward. It would in fact (I am sure) be considered a terrorist act. A lifetime in prison to scare one driver? Wouldn't the normal terrorist bomb or speeding truck into a crowd be a lot easier and cheaper?

Yet some kid.... could coat hanger your car in the parking lot tomorrow. Or if its on the street... a kid could be rifling your glovebox as I type. 
« Last Edit: September 15, 2017, 11:38:44 PM by HA Dave »
Logged
Home Automation is an always changing technology

dhouston

  • Advanced Member
  • Hero Member
  • ******
  • Helpful Post Rating: 37
  • Posts: 2547
    • davehouston.org
Re: Yet another HUGE security issue
« Reply #14 on: September 16, 2017, 06:52:41 AM »

No car has been or likely ever will be hacked.
That's impossible to prove.
Logged
This message was composed entirely from recycled letters of the alphabet using only renewable, caffeinated energy sources.
No twees, wabbits, chimps or whales died in the process.
https://www.laser.com/dhouston
Pages: [1] 2
 

X10.com | About X10 | X10 Security Systems | Cameras| Package Deals
© Copyright 2014-2016 X10.com All rights reserved.