Tag Archives: Bluetooth

Bluetooth Spec Says it is not Secure – They Are Right

There have been many issues over the years with passive (keyless) entry systems, including but not limited to vehicles.

In this case, researchers at the NCC Group used a “relay attack” to not only unlock a Tesla Model 3, but also start it and drive away.

A relay attack works like this. You take one phone and put it near the key fob and another phone and put it near the car. These two phones talk to each other and, with $50 worth of Bluetooth hardware, they are able to relay the signal from the fob to phone 1 to phone 2 to the car.

Some of these relay attacks don’t work because there is a time delay introduced in this type of attack, but these researchers figured out how to work within the timeout window.
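To make the timing point concrete, here is an added example (not code from the original post or from the NCC Group research): a toy model of a passive-entry challenge/response in which the car checks both a keyed MAC and the round-trip time. The key, the latency figures and the timeout values are constructed for illustration.

```python
# Added example: why a relay passes the cryptographic check, and why only a
# round-trip-time (distance-bounding) limit can reject it. All values constructed.
import hashlib
import hmac
import os

FOB_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # constructed, not a real key
LINK_RTT_MS = 0.6   # assumed direct BLE round trip between car and fob (made-up figure)


def fob_response(key: bytes, challenge: bytes) -> bytes:
    """The fob answers a fresh challenge with a keyed MAC; a relay simply forwards it."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:8]


def car_verify(key: bytes, challenge: bytes, response: bytes,
               rtt_ms: float, max_rtt_ms: float) -> dict:
    """The car checks the MAC and how long the answer took to come back."""
    expected = hmac.new(key, challenge, hashlib.sha256).digest()[:8]
    crypto_ok = hmac.compare_digest(expected, response)
    timing_ok = rtt_ms <= max_rtt_ms
    return {"crypto_ok": crypto_ok, "timing_ok": timing_ok, "unlock": crypto_ok and timing_ok}


def run_exchange(relay_delay_ms: float, max_rtt_ms: float) -> dict:
    """Simulate one unlock attempt.

    relay_delay_ms = 0 means the fob really is next to the car; a positive value is
    the extra one-way latency a phone-to-phone relay adds (assumed figure).
    """
    challenge = os.urandom(16)
    response = fob_response(FOB_KEY, challenge)   # genuine MAC either way: the relay copies bytes
    rtt_ms = LINK_RTT_MS + 2 * relay_delay_ms      # the relay hop is paid on both legs
    return car_verify(FOB_KEY, challenge, response, rtt_ms, max_rtt_ms)


if __name__ == "__main__":
    # A loose timeout (constructed value) accepts a relayed fob: the MAC is genuine.
    print(run_exchange(relay_delay_ms=8.0, max_rtt_ms=30.0))
    # A bound calibrated to the direct link rejects it: the added latency is the only tell.
    print(run_exchange(relay_delay_ms=8.0, max_rtt_ms=1.0))
```

Whether the tight bound is deployable depends on how precisely the radio stack can measure round trips; a generous window, which the relay fits inside, gives the cryptography nothing to object to.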

While they only tested a Model 3, they think the attack will also work on a Model Y.

Tesla has a history of problems like this. In 2014 researchers were able to unlock a Tesla. In 2016 another group was able to create a similar attack. Also in 2016, the Tesla app was compromised to track, locate and start vehicles. In 2018 Belgian researchers were able to clone the Tesla keyfob and get full access to the car.

It’s worth noting that the Bluetooth Core Specification makes no claims that BLE proximity signals are secure. In Proximity Profile specification updates from 2015, the Bluetooth Special Interest Group (SIG) stated “the Proximity Profile should not be used as the only protection of valuable assets,” and additionally “there is currently no known way to protect against such attacks using Bluetooth technology.”

Credit: The Register

These researchers say that this is not a bug that can be fixed with a software patch, nor is it an error in the specification. Instead, it is a problem with using the protocol for something that it was not designed to do (security).

Tesla says that they are not going to fix it. They do say that you can disable the proximity feature.

The researchers also say that this attack will work on any other Bluetooth proximity device such as other cars, smart locks, building access systems, mobile phones, laptops and many other devices.

This is one of those cases where convenience won out over security. Credit: Helpnet Security

New Bluetooth Bug Affects Billions of Devices

Researchers from the Singapore University of Technology and Design have published details about BrakTooth, a new family of security vulnerabilities in Bluetooth software implementations.

They assessed 13 Bluetooth devices from about a dozen vendors including Intel, Qualcomm, Texas Instruments and Cypress and found 16 vulnerabilities. On the good side, some of them only cause a denial of service (crashing the device and requiring the owner to power cycle it); on the bad side, some can allow remote code execution.

The researchers discovered 1,400 products affected by the vulnerabilities including phones, car radios (now called infotainment systems), computers, speakers, headphones, home entertainment systems, toys and industrial automation. Likely there are way more products vulnerable.

Estimates are that there are billions of vulnerable devices, many of which will never be fixed and remain vulnerable until they are in a landfill a decade from now.

The risk varies, of course. If your home microwave fails, you may have to find a different way to heat your food. However, if factory automation software fails, it could shut down a factory or worse.

More detailed information is available at this Bleeping Computer article.

None of the vulnerabilities require the hacker to pair with the device, just be in range. The Hacker News says that proof of concept code is available online.

While the end user may think he or she is buying a device from a reputable company, that same owner has no clue where that company is buying their Bluetooth software from and whether it has been patched.

Security News for the Week Ending May 28, 2021

The UK Might Beat Us to Regulating MSPs

In the US, anyone can become a managed service provider. Unfortunately, customers may think that comes with security, but usually it does not. The UK is about to create a legally binding cybersecurity framework for managed service providers. This may be the first step at forcing businesses to formally assess the cyber risks of their supply chain. Needless to say, MSPs are not happy about the added cost and responsibility. This comes just as the US begins to force defense contractors to do the same thing. Credit: The Register

Section 230 Preempts FCRA

The law is kind of twisted. Section 230 of the Communications Decency Act shields Interactive Computer Services like Facebook from being sued for content they did not create. In this case, a person tried to sue a company that publishes aggregated data from credit bureaus (basically a version of a credit bureau) for not following the rules of the Fair Credit Reporting Act by correcting faulty data. The company’s defense was that they didn’t create the data, so you can’t sue them. Congress (or the Supremes) need to clean up this mess – and it is and has been a mess forever, but that ruling is just not right to the consumer. They have ZERO recourse, according to this court. Credit: Professor Eric Goldman

NSA Tells Defense Contractors – Don’t Connect IoT/IIoT to the Internet

NSA released a guide to protecting operational technology systems (what we call IoT or Industrial IoT), geared to the National Security System, the Defense Department and the Defense Industrial Base. It is, of course, applicable to anyone. They start with the obvious. An unconnected OT system is more secure than one connected to the Internet. It also provides guidance for protecting OT systems that are connected to the Internet. Whether you are required to follow this or not, if you have IoT systems, this is a good read. Credit: Nextgov

Expect Higher Prices (and Longer Wait Times) for Computers

As the worldwide chip shortage continues (and is expected to continue for at least the rest of this year), PC makers plan to pass on costs to buyers. This likely will continue as buyers have not reduced demand as a result of higher prices. Companies like Dell are reporting strong financial results. Inventory is, however, way down, so expect to take any system that is available or wait for a while. Vendors will likely move available parts to higher margin products, leaving lower end products “out of stock”. Credit: ZDNet

New Bluetooth Attack Affects 28 Chips Tested

A new Bluetooth impersonation attack, called BIAS, allows a malicious actor to establish a secure connection with the victim, without having to authenticate. This attack does NOT require user interaction. The researchers tested the attack against Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung and other chips. There is not a fix yet, but fixes are expected. Credit: The Hacker News

The Ongoing Saga of IoT Attacks

Israeli researchers have disclosed two new Bluetooth attacks that only require you to be in the neighborhood to work. The attacks exploit flaws in Bluetooth Low Energy (BLE) chips made by Texas Instruments.

The chips are used by companies like Cisco, Meraki and Aruba in their corporate solutions.

The chips are also used in pacemakers and insulin pumps.  Given that medical devices historically are horrible about patching, partly due to FDA rules and partly because manufacturers are clueless, these hacks will likely work for years.

We recently saw Russian spies poisoned in England. What if you hacked the spy’s pacemaker? Think of the possibilities. Are people going to reverse engineer the code? What if you hacked it and the hack restored the original code after the patient was dead?

The future of the spy business.

Alternatively, you could hack a Bluetooth access point that controls heating or lighting in a building or a city and …

The first bug sends the chip more data than the chip can handle causing a buffer overrun and the ability to run arbitrary code.

The second bug exploits a flaw in TI’s over-the-air firmware download protocol. In this case all Aruba access points use the same password, so that is an easy exploit.

In either case, once you have compromised the device, as long as it is connected to the Internet, you can be anywhere.

All the vendors have released patches for the chips – TO THEIR OEMs!  So now your light bulb vendor has to incorporate the patches and then let you know that the patch is available.

And then you need to patch your light bulb.  All of them.

So what is there to do?

  • Make sure that you have a vendor cyber risk management program and that you ask the vendor how they deal with security issues like this.
  • Make sure that you have an effective patching program.  These flaws were responsibly disclosed only after patches were available, but you have to install them.
  • Configure systems to automatically check for and install patches if possible.
  • If you do not need protocols like Bluetooth, disable them – with light bulbs and such, this is probably not possible.
  • Isolate IoT devices from the rest of your network and from each other – called micro segmentation.  Limit the damage.
  • Stay on top of threat intelligence.  News feeds from your industry, from your vendor, from the government.  Now that you know this is a problem, you can look for patches for your light bulbs.

It is an ugly situation but only going to get a lot uglier as people deploy IoT solutions and do not consider security.

Information for this post came from The Hacker News.

Bluetooth Vulnerability Does Not Require Any User Interaction

Similar to the WiFi bug we reported about in July (see post), this Bluetooth bug does not require the user to interact with the hacker, does not require the user to connect to an infected Bluetooth device or anything like that.  All it requires is that Bluetooth is turned on in the device.

The good news, if there is any, is that this is not a hardware problem and it is not a protocol problem, it is a software implementation error.  A plain old bug.  Which means that it can be patched.

Of course, every COOL bug has to have a name; this one is called BlueBorne.

ASSUMING that the manufacturer of your phone is still releasing patches for the model of phone that you have.  For example, most Android 4 and earlier users are not getting any patches and many Android 5 users are not getting patches.  iPhone 4 users are not going to get patched and this newest version of iOS will be the last patches for the iPhone 5 and 5c.

And, this is not limited to phones.

While Apple has patched this bug in iOS 10 (so most recently purchased iPhone users are good), Microsoft just released a Windows patch in July.  This means that Windows users are safe IF they are running on a supported version of Windows and have installed the July patch release.  Google says that the September patch release fixes the bug, but that has to wind its way through the manufacturer’s release process and then your carrier’s release process UNLESS you are using a Google Pixel phone, in which case, you should already have the patch.  Linux teams are working on a patch, but that has not been released yet.

The bigger issue is all of those Internet of Things appliances from light bulbs to TVs that will likely NEVER be patched and will, therefore, always be an opportunity for a hacker.

Of course, as with all Bluetooth connections, the attacker has to be within 30-100 feet or so, depending on the equipment that the hacker is using.  That makes Starbucks a perfect place to launch an attack on unsuspecting users.

For those of you who do not have the patch yet, such as users using obsolete Android phones, and Linux based IoT devices, the only possible defense is to disable Bluetooth.  That may not be what you want to hear, but that will protect your device.

Information for this post came from Wired.