
  2. 10

    Google has issued a security update patch and notified its partners. It was available to Android partners on August 7th, 2017, and made available as part of the September Security Update and Bulletin. We recommend that users check that Bulletin for the latest, most accurate information. Android users should verify that they have the September 9, 2017 Security Patch Level.

    Note to Android users: To check if your device is at risk, or if the devices around you are at risk, download the Armis BlueBorne Scanner App on Google Play.

    Um… The latest security patch available for my phone is from August 5th of this year. I checked using the app, and my phone is still vulnerable. And this is a Google Pixel I just bought from Verizon. I hope carriers aren’t slowing down the release of security updates for Google’s own devices.

    1. 6

      I don’t think it’s in AOSP either yet:

      https://source.android.com/security/bulletin/2017-09-01 “Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 7 days. We will revise this bulletin with the AOSP links when they are available.”

    2. 10

      From whitepaper…

      http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf

      So, what seems to be the problem?

      Bluetooth is complicated. Too complicated. Too many specific applications are defined in the stack layer, with endless replication of facilities and features. These over-complications are a direct result of the immense work, and over-engineering that was put into creating the Bluetooth specification. Just to illustrate this point: while the WiFi specification (802.11) is only 450 pages long, the Bluetooth specification reaches 2822 pages.

      Another contributing factor is two common misconceptions about Bluetooth: one is that connections in Bluetooth have to be between paired devices (they do not), and the other is that devices’ MAC addresses (BDADDR) are safely hidden while they are not in discoverable mode (they are not).

      I believe this will be (another) one of these long slow motion train wrecks…

      1. 5

        the WiFi specification (802.11) is only 450 pages long

        That’s a lie.

        My 802.11 2012 (11n) PDF has 2793 pages. I haven’t looked at later editions beyond 11n yet.

      2. 7

        The other question is whether disabling Bluetooth in settings actually turns it off.

        1. 6

          It’s why I love physical switches that straight-up cut power. One can’t really trust these software switches.

        2. 7

          I think it’s clear at this point that anyone who takes mobile security seriously has to be using an Apple device. Samsung didn’t even respond to the OP’s outreach.

          1. 2

            CopperheadOS is pretty good about mobile security. Unfortunately they don’t have an update for this vulnerability quite yet, but it’s because the base AOSP project is being slow for some reason. There’s a thread about it here.

            Fortunately, kernels built with -fstack-protector-strong (as the Copperhead kernel is) will kernel panic instead of allowing the exploit to succeed. So Copperhead is fairly protected even without the update.

            Edit: I have the update now.

            1. 2

              For those who don’t know why @vosper makes this claim:

              All iPhone, iPad and iPod touch devices with iOS 9.3.5 and lower, and AppleTV devices with version 7.2.2 and lower are affected by the remote code execution vulnerability. This vulnerability was already mitigated by Apple in iOS 10, so no new patch is needed to mitigate it. We recommend you upgrade to the latest iOS or tvOS available.

              1. 1

                Well, Android is a surveillance platform, isn’t it? Just one more tool in the toolbox. ;) I wonder what Blackphone’s and Cryptophone’s response is on these kinds of things. If they’re not doing better, then Apple it is for safer mobile.

                1. 2

                  As for the Blackphone 2, we receive an OTA update every month including the fixes from Google. I just received the September update, so I am patched.

                  1. 1

                    So, that’s up to a 30-day wait. Anyone know what Apple’s average is?

              2. 3

                Reminder that Apple AirPods are a bad idea due to their reliance on Bluetooth.

                1. 4

                  Not sure whether you were joking, or if so what the joke was, but…

                  Apple – Contacted on August 9, 2017. Apple had no vulnerability in its current versions.

                  1. 3

                    Oh, wow, thanks, I saw they had listed “iOS” here:

                    Armis Labs revealed a new attack vector endangering major mobile, desktop, and IoT operating systems, including Android, iOS, Windows, and Linux, and the devices using them

                    And figured that meant Apple was affected. I stand corrected. Unclear to me why they would list iOS then.

                    Still think AirPods are a bad idea, and I won’t ever trust a protocol like Bluetooth which has had such a long history of vulnerabilities. — And before you ask, no I don’t trust SSL/TLS either, but that I’m rather forced to use, unlike Bluetooth.

                    1. 5

                      Unclear to me why they would list iOS then.

                      Apple said “current versions”, meaning they’ve patched it. The technical document mentions CVE-2017-14315, and the CVE says iOS 7 through 9: http://cve.circl.lu/cve/CVE-2017-14315

                2. 3

                  The technical detail is in their white paper PDF, which is really well written:

                  http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf

                  It’s good they also try to explain this to a non-Bluetooth-internals-savvy audience. However, bundling a bunch of different CVEs on different platforms together and calling it “Blueborne” seems like a new low in the history of giving trendy names to vulnerabilities.

                  1. 6

                    I think I’d prefer one trendy name instead of three trendy names. And it seems fair, given the flaws result from the protocol. 100 years ago, the smurf attack was a thing with a cool name that affected more than one platform.