Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Tue Sep 12, 2017 4:18 pm
by chuckula
So there's been a pretty serious set of flaws found in the Bluez Bluetooth stack that is used by Linux and, probably more importantly, Android.

You can read about the issues here.

In brief, the vulnerabilities appear to involve a kernel-level buffer overflow that can be triggered remotely by sending malicious messages via Bluetooth to a target device. The devices do not have to be paired already for the attack to work, which makes this even more serious. Turning Bluetooth off in your mobile devices so that there's not even anybody listening for the malicious packets appears to be the best workaround right now until Android vendors get fixes out into the wild.

Forewarned is Forearmed Gerbils!
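Added example, not part of the original post: a small POSIX shell audit of the workaround the post recommends. On a Linux host it parses the output of util-linux `rfkill list`, names every Bluetooth radio that is still unblocked (i.e. still listening), and soft-blocks them only when run with `--block`. The `rfkill` output embedded below is a constructed sample so the script also runs offline; Android is not covered.

```shell
#!/bin/sh
# Audit whether any Bluetooth radio is still enabled, using `rfkill list`.
# Constructed sample output (two Bluetooth radios, one already soft-blocked).
SAMPLE_RFKILL='0: phy0: Wireless LAN
    Soft blocked: no
    Hard blocked: no
1: hci0: Bluetooth
    Soft blocked: no
    Hard blocked: no
2: hci1: Bluetooth
    Soft blocked: yes
    Hard blocked: no'

# Print the name of every Bluetooth radio that is neither soft- nor hard-blocked.
# $1: text in `rfkill list` format.
unblocked_bluetooth() {
  printf '%s\n' "$1" | awk '
    /^[0-9]+: / {                       # header line: "<idx>: <name>: <type>"
      split($0, f, ": "); name = f[2]; rtype = f[3]; soft = ""; hard = ""
    }
    /Soft blocked:/ { soft = $3 }
    /Hard blocked:/ {                   # last line of a radio block: decide
      hard = $3
      if (rtype == "Bluetooth" && soft == "no" && hard == "no") print name
    }
  '
}

# Succeed (exit 0) when no Bluetooth radio is listening in the given rfkill text.
bluetooth_is_off() {
  [ -z "$(unblocked_bluetooth "$1")" ]
}

main() {
  # Prefer live data; fall back to the constructed sample when rfkill is absent
  # or cannot be run (for example, no permission in a sandbox).
  input=$(rfkill list 2>/dev/null) || input=$SAMPLE_RFKILL
  radios=$(unblocked_bluetooth "$input")
  if [ -z "$radios" ]; then
    echo "OK: no Bluetooth radio is listening"
    return 0
  fi
  echo "WARNING: Bluetooth still enabled on:"; echo "$radios"
  if [ "$1" = "--block" ]; then
    rfkill block bluetooth && echo "soft-blocked all Bluetooth radios"
  else
    echo "re-run with --block to soft-block them (needs root)"
  fi
  return 0
}

main "$@"
```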

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Tue Sep 12, 2017 4:50 pm
by Topinio
Android vendors get fixes out into the wild? :oops:

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Tue Sep 12, 2017 4:53 pm
by End User
The title of your post is lacking key information.

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Tue Sep 12, 2017 5:10 pm
by whm1974
Apply updates and turn off Bluetooth.

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Tue Sep 12, 2017 5:31 pm
by just brew it!
End User wrote:
The title of your post is lacking key information.

That could probably be said of 95% of the posts on this forum. Why complain specifically about this one?

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Tue Sep 12, 2017 7:06 pm
by Dposcorp
just brew it! wrote:
End User wrote:
The title of your post is lacking key information.

That could probably be said of 95% of the posts on this forum. Why complain specifically about this one?

lol

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Tue Sep 12, 2017 7:13 pm
by chuckula
End User wrote:
The title of your post is lacking key information.


No, I mentioned Jack Bauer.

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Tue Sep 12, 2017 10:36 pm
by Waco
I should just go buy a cabin in the woods.

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Tue Sep 12, 2017 10:44 pm
by just brew it!
Waco wrote:
I should just go buy a cabin in the woods.

...it's the only way to be sure.[/Ellen Ripley]

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Tue Sep 12, 2017 11:26 pm
by Flying Fox
Waco wrote:
I should just go buy a cabin in the woods.

Cabin with electricity and running water? Then you are still not completely off grid.

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Tue Sep 12, 2017 11:34 pm
by just brew it!
Flying Fox wrote:
Waco wrote:
I should just go buy a cabin in the woods.

Cabin with electricity and running water? Then you are still not completely off grid.

Solar/wind and your own well?

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Tue Sep 12, 2017 11:38 pm
by Flying Fox
just brew it! wrote:
Flying Fox wrote:
Waco wrote:
I should just go buy a cabin in the woods.

Cabin with electricity and running water? Then you are still not completely off grid.

Solar/wind and your own well?

Unless you can make your own panels, turbine blades, and generator, you can still be tracked. Not to mention a large enough panel array and/or turbines can be seen by satellites.

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Tue Sep 12, 2017 11:48 pm
by just brew it!
Flying Fox wrote:
just brew it! wrote:
Flying Fox wrote:
Cabin with electricity and running water? Then you are still not completely off grid.

Solar/wind and your own well?

Unless you can make your own panels, turbine blades, and generator, you can still be tracked. Not to mention a large enough panel array and/or turbines can be seen by satellites.

Depends what you're worried about. This Bluetooth vulnerability isn't about being tracked (since Bluetooth has a very short range anyway). It is about nearby "bad actors" compromising your devices over Bluetooth and stealing sensitive personal info.

Seems like a cabin in the woods, solar/wind power, a well, and a shotgun (if you're worried about physical attacks) would provide a reasonable degree of protection.

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Wed Sep 13, 2017 1:29 am
by End User
just brew it! wrote:
End User wrote:
The title of your post is lacking key information.

That could probably be said of 95% of the posts on this forum. Why complain specifically about this one?

It does apply to every end user.

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Wed Sep 13, 2017 3:26 am
by DrCR
End User wrote:
just brew it! wrote:
End User wrote:
The title of your post is lacking key information.

That could probably be said of 95% of the posts on this forum. Why complain specifically about this one?

It does apply to every end user.

There's more than one of you?

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Wed Sep 13, 2017 3:29 am
by End User
DrCR wrote:
End User wrote:
just brew it! wrote:
That could probably be said of 95% of the posts on this forum. Why complain specifically about this one?

It does apply to every end user.

There's more than one of you?

We are everywhere!

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Wed Sep 13, 2017 6:23 am
by steelcity_ballin
Interesting. I skimmed the article but didn't see anything about how the attack works beyond the overflow. I'm far from an Android expert, but I would hope that the only thing an open BT connection is looking for is specific connection requests and *anything* else is discarded if it's not paired. So then, if that were true, I'd expect the exploit to target something there. I was admittedly pretty ignorant of the BT tech as a whole; very surprised to learn the range is close to that of an average wifi signal, though I'm not sure of the wavelength and how good it is at penetrating structures.

For an ecosystem as large as Android, I'm really surprised this wasn't found sooner. You'd think that vendors/partners would be paying hand-over-fist for elite talent to try and find these things.

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Wed Sep 13, 2017 8:28 am
by just brew it!
steelcity_ballin wrote:
For an ecosystem as large as Android, I'm really surprised this wasn't found sooner. You'd think that vendors/partners would be paying hand-over-fist for elite talent to try and find these things.

You mean like Equifax did to protect the credit data of everyone in the frikkin' country? Oh, wait...

Pick pretty much any OS or large application/service, and it has probably had serious vulnerabilities that went undiscovered for months or years. Security is often an afterthought (if it gets any thought at all). The quality of a lot of production software is shockingly, horrifyingly bad.

That line about how you don't want to see how laws or sausage get made? It applies to software too. In spades. Closed vs. Open source doesn't make much difference either.

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Wed Sep 13, 2017 8:42 am
by Glorious
JBI wrote:
That line about how you don't want to see how laws or sausage get made? It applies to software too. In spades. Closed vs. Open source doesn't make much difference either.


That's for sure.

There's a big imbroglio right now in bitcoinland because someone disclosed a theoretical implementation vulnerability "without following proper disclosure practices" just three or so days ago.

But, uh, he pre-publicly notified all of the relevant maintainers months before. And he did the disclosure during a conference literally entitled "Breaking Bitcoin".

Despite this, a prominent developer of the foremost implementation was angrily denouncing him during Q&A, because, I don't know, he didn't specifically agree to a timeline of release? The moderator had to call for a break because, as he even said, he didn't want a fight to break out.

The kicker? The prominent developer I mentioned who was attacking the presenter? Yeah, earlier this year he publicized a remote crash bug in a competing implementation over twitter, with no warning whatsoever.

It's ugly even AFTER the sausage gets made.

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Wed Sep 13, 2017 9:07 am
by the
steelcity_ballin wrote:
For an ecosystem as large as Android, I'm really surprised this wasn't found sooner. You'd think that vendors/partners would be paying hand-over-fist for elite talent to try and find these things.


The elite talent is already employed by the NSA to do just that. Not sure about this particular example, but they have been known to hang on to numerous vulnerabilities they find for years before they are discovered in the public sphere.

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Wed Sep 13, 2017 9:40 am
by Captain Ned
the wrote:
The elite talent is already employed by the NSA to do just that. Not sure about this particular example, but they have been known to hang on to numerous vulnerabilities they find for years before they are discovered in the public sphere.

They burned about 6 or so zero-days to make Stuxnet.

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Wed Sep 13, 2017 9:56 am
by just brew it!
the wrote:
steelcity_ballin wrote:
For an ecosystem as large as Android, I'm really surprised this wasn't found sooner. You'd think that vendors/partners would be paying hand-over-fist for elite talent to try and find these things.

The elite talent is already employed by the NSA to do just that. Not sure about this particular example, but they have been known to hang on to numerous vulnerabilities they find for years before they are discovered in the public sphere.

...and most of the elite talent that isn't working for the NSA has more interesting things to do than vet old code that someone else wrote for bugs.

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Wed Sep 13, 2017 10:26 am
by steelcity_ballin
just brew it! wrote:
the wrote:
steelcity_ballin wrote:
For an ecosystem as large as Android, I'm really surprised this wasn't found sooner. You'd think that vendors/partners would be paying hand-over-fist for elite talent to try and find these things.

The elite talent is already employed by the NSA to do just that. Not sure about this particular example, but they have been known to hang on to numerous vulnerabilities they find for years before they are discovered in the public sphere.

...and most of the elite talent that isn't working for the NSA has more interesting things to do than vet old code that someone else wrote for bugs.


I'd argue that this is more of a result of companies not offering fair bounties for smaller bugs, or large enough bounties for potential 0-day vulnerabilities. Bug in a browser that screws up a specific brand of screen reader? Sure, that's going to get a smaller bounty if it's known in the wild and not a real exploit. Known or unknown 0-day stuff should be millions of dollars. If you offered 1 million USD after taxes for exploiting some major interface like this, I promise you that **** would get patched so fast (or sold off to a higher bidder, heh). Then keep the door open for anyone else to do similar and get a similar reward. You probably spend a small fraction of what it's going to cost you when it's exploited in the wild and you have a major class-action lawsuit on your hands. And I'd bet that the NSA doesn't pay their top talent *that* well.

I think that people who are out there today looking to break things in order to sell it off would likely prefer a legal, ethical, and profitable means of reporting/solving this. I think what you have is tight-ass execs who don't want to pay for it, but they will sooner or later. Give good hackers a chance to do good and profit from their work fixing your buggy mess. Lots of people like doing this.

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Wed Sep 13, 2017 10:51 am
by just brew it!
steelcity_ballin wrote:
I'd argue that this is more of a result of companies not offering fair bounties for smaller bugs, or large enough bounties for potential 0-day vulnerabilities. Bug in a browser that screws up a specific brand of screen reader? Sure, that's going to get a smaller bounty if it's known in the wild and not a real exploit. Known or unknown 0-day stuff should be millions of dollars. If you offered 1 million USD after taxes for exploiting some major interface like this, I promise you that **** would get patched so fast (or sold off to a higher bidder, heh). Then keep the door open for anyone else to do similar and get a similar reward. You probably spend a small fraction of what it's going to cost you when it's exploited in the wild and you have a major class-action lawsuit on your hands. And I'd bet that the NSA doesn't pay their top talent *that* well.

I think that people who are out there today looking to break things in order to sell it off would likely prefer a legal, ethical, and profitable means of reporting/solving this. I think what you have is tight-ass execs who don't want to pay for it, but they will sooner or later. Give good hackers a chance to do good and profit from their work fixing your buggy mess. Lots of people like doing this.

I think there's some serious potential for abuse there though. If you do that, you'll have people intentionally putting exploitable bugs in released software, then secretly splitting the bug bounty with a co-conspirator who "finds" the exploit.

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Wed Sep 13, 2017 10:52 am
by Glorious
http://www.underhanded-c.org/
Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Wed Sep 13, 2017 11:02 am
by just brew it!
Glorious wrote:
http://www.underhanded-c.org/

Heh. That article mentions a "NaN poisoning attack" as an interesting potential exploit vector. That one hadn't occurred to me.

On a semi-related note, a few months ago the "Service Alerts" section of the Metra (Chicago area commuter rail system) web site was showing the timestamps of the notices they were posting as "NaN". :lol:

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Wed Sep 13, 2017 11:24 am
by steelcity_ballin
just brew it! wrote:
I think there's some serious potential for abuse there though. If you do that, you'll have people intentionally putting exploitable bugs in released software, then secretly splitting the bug bounty with a co-conspirator who "finds" the exploit.


Ideally, the enterprise you work for can afford a competent team that enforces source control and code reviews/audits of anything that gets added for merging to production. Even then, there are breadcrumbs to show who did what and when, should that ever happen. We can't do anything where I work without it leaving a laundry list of breadcrumbs as to what was changed. If you can't trust your employees to do their job correctly and with integrity, I'd say you have bigger problems. Then again, I do love me a good fraction-of-a-penny rounding scheme.

Glorious wrote:
http://www.underhanded-c.org/

Cool. Not surprised at all that this exists. Code reviews should be mandatory; pair programming can be a useful tool too, early on for jr devs to learn the ropes, but also to switch pairs around to keep the style of code consistent and the quality high and honest. Any source control software is going to have a way to track everything anyone has ever done. I know TFS isn't loved by many, but it does have options (as do many other solutions) for preventing any code merges to active branches without a trusted reviewer signing off on it. Not a perfect solution, but better than nothing. Bad people are going to do bad things. The best we can do is try to catch them; antivirus will never catch up to the most advanced heuristics (who even uses AV anymore, heh). You can't outpace the devious creator, only try to be prepared.

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Wed Sep 13, 2017 11:51 am
by Glorious
steelcity_ballin wrote:
Ideally, the enterprise you work for can afford a competent team that enforces source control and code reviews/audits of anything that gets added for merging to production.


hahahahahahah

*breathes*

hahahahahahahahhahahahahahahahah

*breathes*

*sighs*

*groans*

*frowns*

I work in industrial automation with stuff that can kill people, and the closer you get to the stuff that directly controls the fatality potential, the fewer controls seem to exist.

I am not joking, there are ladder-logic programmers who come in on contract from vendors/project management companies, who do god knows what with zero documentation, zero control, zero oversight, and this happens all the time.

I directly worked with someone who, futzing around with a level 1 system, completely violated LOTOTO and could have easily killed someone if all the factors had coincidentally lined up.

He was promoted. This is a Fortune 250 company.

steelcity_ballin wrote:
If you can't trust your employees to do their job correctly and with integrity, I'd say you have bigger problems.


If someone is being offered half-a-million dollars to "make a mistake", a "mistake" that will likely never lead to any actual losses because they're in cahoots with someone who's going to take another half-million dollar payday to privately disclose it before anyone else discovers it, what's the "bigger problem?"

Because that's.... as big as it is realistically going to get for anyone, right? What other kind of ethical concerns about code maintainership have anywhere near that kind of temptation behind them?

steelcity_ballin wrote:
Code reviews should be mandatory; pair programming can be a useful tool too, early on for jr devs to learn the ropes, but also to switch pairs around to keep the style of code consistent and the quality high and honest.


OK. So your node.js or whatever crap is great. Perfect, fact. Best ever.

Who cares? What about libraries? Layered software? Environment control?

I mean, in this particular case, it's blueZ, right? An open-source bluetooth stack?

What does a company do about that?

steelcity_ballin wrote:
Any source control software is going to have a way to track everything anyone has ever done.


In theory.

In actuality, you tend to find that you can't always build what's in it. Or, when you can, it doesn't exactly match what's currently in production. Who knows? The guy with commits doesn't, or she doesn't even work there anymore. Or it turns out that he didn't write it, someone else did. It was a code snippet from Stack Exchange, cargo code from somewhere else internally. They can't explain what it did when they wrote it the first time, let alone now. Worst case, you fire them. What a great place to work!

This is not a simple problem, and the moral hazard that JBI is talking about is precisely why bug bounties are almost exclusively offered by 1) best-in-class makers of 2) ubiquitous and broad-facing software and 3) virtually only ever claimed by an informal community of well-known participants.

Making the practice universal confounds all three.

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Wed Sep 13, 2017 12:55 pm
by freebird
Flying Fox wrote:
just brew it! wrote:
Flying Fox wrote:
Cabin with electricity and running water? Then you are still not completely off grid.

Solar/wind and your own well?

Unless you can make your own panels, turbine blades, and generator, you can still be tracked. Not to mention a large enough panel array and/or turbines can be seen by satellites.


What do you have against WATER power?
http://www.askaprepper.com/homemade-wat ... generator/

As to satellites, what CAN NOT be seen by them? Unless you live in an evergreen forest; then they probably would have a hard time seeing you.

Re: Turn Off Bluetooth. [Jack Bauer]DO IT NOW![/Jack Bauer]

Posted: Thu Sep 14, 2017 2:28 am
by DrCR
freebird wrote:
Flying Fox wrote:
just brew it! wrote:
Solar/wind and your own well?

Unless you can make your own panels, turbine blades, and generator, you can still be tracked. Not to mention a large enough panel array and/or turbines can be seen by satellites.


What do you have against WATER power?
http://www.askaprepper.com/homemade-wat ... generator/

As to satellites, what CAN NOT be seen by them? Unless you live in an evergreen forest; then they probably would have a hard time seeing you.

If you live underground, then maybe they would have a hard time seeing you. Spy satellites surely use more than visible light.
There's such a thing as a healthy sense of paranoia when it comes to security. But if spy satellite factors transition from paranoia to reality, then your goose is already cooked, something along these lines: https://www.xkcd.com/652/