Bluetooth Archives – Gridinsoft Blog https://gridinsoft.com/blogs/tag/bluetooth/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Thu, 28 Dec 2023 22:05:18 +0000 en-US hourly 1 https://wordpress.org/?v=85104 200474804 BLUFFS Bluetooth Vulnerability Threatens Billions of Devices https://gridinsoft.com/blogs/bluffs-bluetooth-vulnerability/ https://gridinsoft.com/blogs/bluffs-bluetooth-vulnerability/#respond Thu, 30 Nov 2023 18:28:43 +0000 https://gridinsoft.com/blogs/?p=18044 Eurecom has uncovered a series of exploits named “BLUFFS”, posing a significant threat to the security of Bluetooth sessions. These attacks exploit two previously unknown flaws in the Bluetooth standard, impacting versions 4.2 through 5.4 and potentially putting billions of devices, including smartphones and laptops, at risk. BLUFFS Exploits – How Do They Work? BLUFFS… Continue reading BLUFFS Bluetooth Vulnerability Threatens Billions of Devices

The post BLUFFS Bluetooth Vulnerability Threatens Billions of Devices appeared first on Gridinsoft Blog.

]]>
Eurecom has uncovered a series of exploits named “BLUFFS”, posing a significant threat to the security of Bluetooth sessions. These attacks exploit two previously unknown flaws in the Bluetooth standard, impacting versions 4.2 through 5.4 and potentially putting billions of devices, including smartphones and laptops, at risk.

BLUFFS Exploits – How Do They Work?

BLUFFS (Bluetooth Low User eavesdropping of Frequency-hopping Sessions) is a sophisticated series of attacks designed to compromise the forward and future secrecy of Bluetooth sessions, compromising the confidentiality of communications between devices. The methodology involves exploiting flaws in the session key derivation process, forcing the generation of a weak and predictable session key (SKC). The attacker then brute-forces the key, allowing them to decrypt past communications and manipulate future ones.

To execute BLUFFS, the attacker only needs to be within Bluetooth range of the targeted devices. Impersonating one device, the attacker negotiates a weak session key. Then, the other by proposing the lowest possible key entropy value and using a constant session key diversifier.

Bluetooth vulnerabilities
Bluetooth Forward and Future Secrecy Attacks and Defenses

Impact on Bluetooth Devices

Given the architectural nature of the flaws, BLUFFS impacts all the devices running a whole lineup of Bluetooth protocol versions. The vulnerabilities affect Bluetooth Core Specification 4.2 through 5.4, potentially exposing a vast number of devices to the exploits. The impact has been confirmed through tests on smartphones, earphones, and laptops running Bluetooth versions 4.1 through 5.2.

List of vulnerable chips/devices
Chip Device(s) BTv A1 A2 A3 A4 A5 A6
LSC Victims
Bestechnic BES2300 Pixel Buds A-Series 5.2
Apple H1 AirPods Pro 5.0
Cypress CYW20721 Jaybird Vista 5.0
CSR/Qualcomm BC57H687C-GITM-E4 Bose SoundLink 4.2
Intel Wireless 7265 (rev 59) Thinkpad X1 3rd gen 4.2
CSR n/a Logitech BOOM 3 4.2 𐄂 𐄂
SC Vietims
Infineon CYW20819 CYW920819EVB-02 5.0
Cypress CYW40707 Logitech MEGABLAST 4.2
Qualcomm Snapdragon 865 Mi 10T 5.2 𐄂 𐄂 𐄂
Apple/USI 339S00761 iPhones 12, 13 5.2 𐄂 𐄂 𐄂
Intel AX201 Portege X30-C 5.2 𐄂 𐄂 𐄂
Broadcom BCM4389 Pixel 6 5.2 𐄂 𐄂 𐄂
Intel 9460/9560 Latitude 5400 5.0 𐄂 𐄂 𐄂
Qualcomm Snapdragon 835 Pixel 2 5.0 𐄂 𐄂 𐄂
Murata 339S00199 iPhone 7 4.2 𐄂 𐄂 𐄂
Qualcomm Snapdragon 821 Pixel XL 4.2 𐄂 𐄂 𐄂
Qualcomm Snapdragon 410 Galaxy J5 4.1 𐄂 𐄂 𐄂

Bluetooth SIG, the organization overseeing Bluetooth standard development, has received Eurecom’s report. They recommend implementations to reject connections with low key strengths, utilize “Security Mode 4 Level 4” for higher encryption strength, and operate in “Secure Connections Only” mode during pairing.

Mitigation Measures

Researchers propose backward-compatible modifications to enhance session key derivation and mitigate BLUFFS and similar threats. Recommendations, however, offer only the protocol fixes, i.e. they are not about to be done by users. Sadly, but at the moment, there is not much you can do to secure the BT connection.

BLUFFS Bluetooth Vulnerability Threatens Billions of Devices

The post BLUFFS Bluetooth Vulnerability Threatens Billions of Devices appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/bluffs-bluetooth-vulnerability/feed/ 0 18044
Experts hacked Bluetooth test for COVID-19 https://gridinsoft.com/blogs/experts-hacked-bluetooth-test-for-covid-19/ https://gridinsoft.com/blogs/experts-hacked-bluetooth-test-for-covid-19/#respond Fri, 24 Dec 2021 08:45:21 +0000 https://gridinsoft.com/blogs/?p=6785 Researchers at F-Secure hacked a home Bluetooth COVID-19 test and were able to fake the test result. For testing, the experts took the Ellume COVID-19 Home Test device, which uses an analyzer that connects to a smartphone via Bluetooth and works in tandem with the corresponding companion application. During tests, researchers noticed activity com.ellumehealth.homecovid.android/com.gsk.itreat.activities.BluetoothDebugActivity. It… Continue reading Experts hacked Bluetooth test for COVID-19

The post Experts hacked Bluetooth test for COVID-19 appeared first on Gridinsoft Blog.

]]>
Researchers at F-Secure hacked a home Bluetooth COVID-19 test and were able to fake the test result.

For testing, the experts took the Ellume COVID-19 Home Test device, which uses an analyzer that connects to a smartphone via Bluetooth and works in tandem with the corresponding companion application.

hacked Bluetooth test for COVID-19

During tests, researchers noticed activity com.ellumehealth.homecovid.android/com.gsk.itreat.activities.BluetoothDebugActivity. It turned out that users with root access can run it to “help interact with the analyser via Bluetooth.”

Further investigation revealed two types of Bluetooth traffic associated with the transmission of test results. The researchers write that they were able to intervene in traffic as follows:

Changing only one byte value in the status of the test [test value] in STATUS and MEASUREMENT_CONTROL_DATA traffic, and then calculating new CRC and checksum values, could change the test result to COVID even before the Ellume application processes the data.

Worse, the fake data provided by Ellume has been successfully accepted by Azova, which certifies COVID test results so that travellers can enter the United States.

hacked Bluetooth test for COVID-19

Also, the F-Secure report details how one of the company’s employees used the Ellume device to check for COVID, the test turned out negative, but the experts applied the aforementioned methods to change the result.

Researchers from F-Secure shared their best practices on GitHub.

Fortunately, the problem has now been fixed. The specialists notified the Ellume developers of their findings, and they made changes to their product. In particular, additional obfuscation and OS checks were introduced in the Android application, and now additional analysis of test results is being carried out, which is designed to identify fake data.

Ellume has updated the system to detect and prevent the transmission of falsified results. In addition, we have reviewed all test results made to date and confirm that the other results were not affected by the error. We will provide a verification portal that will allow authorities (including health departments, employers, schools, event organizers, and so on) to verify the authenticity of Ellume’s COVID-19 home test,” the developers said.

Let me remind you that I also talked about various fraudulent operations speculating on the COVID-19 topic. For example, that Fake COVID-19 contact tracking apps install banking trojans, and that Cybercriminals attacked UCSF, the US leading COVID-19 vaccine developer. For example, Qatar obliged citizens to install “spyware” for containing COVID-19 pandemic.

The post Experts hacked Bluetooth test for COVID-19 appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/experts-hacked-bluetooth-test-for-covid-19/feed/ 0 6785
New Bluetooth Attack Allows Simulating Another Device https://gridinsoft.com/blogs/new-bluetooth-attack/ https://gridinsoft.com/blogs/new-bluetooth-attack/#respond Tue, 25 May 2021 23:04:03 +0000 https://blog.gridinsoft.com/?p=5509 Experts from the National Agency for Information Systems Security (ANSSI) have discovered a new attack on Bluetooth that allows them simulating another device. The researchers said that there were problems in the Bluetooth Core and Mesh Profile specifications that allow an attacker to impersonate a legitimate device during pairing, as well as launch man-in-the-middle attacks… Continue reading New Bluetooth Attack Allows Simulating Another Device

The post New Bluetooth Attack Allows Simulating Another Device appeared first on Gridinsoft Blog.

]]>
Experts from the National Agency for Information Systems Security (ANSSI) have discovered a new attack on Bluetooth that allows them simulating another device.

The researchers said that there were problems in the Bluetooth Core and Mesh Profile specifications that allow an attacker to impersonate a legitimate device during pairing, as well as launch man-in-the-middle attacks (of course, while in range of a wireless network).

Specialists from the Bluetooth Special Interest Group (Bluetooth SIG) have already published detailed description of all seven discovered bugs, as well as recommendations for their elimination.

According to CERT/CC, Android Open Source Project (AOSP), Cisco, Intel, Red Hat, Microchip Technology and Cradlepoint products are vulnerable to at least some of these problems. About a dozen more manufacturers confirmed that their products were not affected, and the solutions of about 200 other suppliers may be vulnerable, but their exact status is still unknown.

It is reported that the AOSP developers are already working on fixes for the vulnerabilities CVE-2020-26555 and CVE-2020-26558 affecting Android devices. The patches should be included in the next Android security bulletin.

Cisco is also working to resolve issues CVE-2020-26555 and CVE-2020-26558 affecting its products. The company tracks these vulnerabilities as PSIRT-0503777710.

To use CVE-2020-26555, an attacker must be able to identify [the address of the vulnerable Bluetooth device] before he can launch an attack. If successful, the attacker will be able to complete the pairing with a known link key, establish an encrypted connection with the vulnerable device, and gain access to any profiles available through pairing with a remote device that supports Legacy Pairing.Bluetooth SIG experts explain.

As for the CVE-2020-26558 issue, the attacker must be within range of two paired Bluetooth devices and authenticate one of the devices on his own device.

This vulnerability could allow an attacker to authenticate to the response victim device and act as a legitimate encrypted device. The attacker cannot pair with the initiating device using this method of attack, which prevents a fully transparent man-in-the-middle attack between the initiator and responder.the experts say.

The Bluetooth SIG recommends that potentially vulnerable network providers restrict authentication and do not accept the provision of random and acknowledgment numbers from a remote host that match the numbers selected by the local device.

Let me remind you that I reported that Google and Intel experts warn of dangerous Bluetooth bugs in Linux.

The post New Bluetooth Attack Allows Simulating Another Device appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/new-bluetooth-attack/feed/ 0 5509
Google and Intel experts warn of dangerous Bluetooth bugs in Linux https://gridinsoft.com/blogs/google-and-intel-experts-warn-of-dangerous-bluetooth-bugs-in-linux/ https://gridinsoft.com/blogs/google-and-intel-experts-warn-of-dangerous-bluetooth-bugs-in-linux/#respond Thu, 15 Oct 2020 16:31:19 +0000 https://blog.gridinsoft.com/?p=4428 Google and Intel engineers warn of dangerous Bluetooth bugs that threaten all but the latest Linux kernel versions. The bugs are collectively known as BleedingTooth and are associated with the BlueZ stack, which is widely used in Linux distributions, as well as consumer and industrial IoT devices (with Linux 2.4.6 and higher). “This issue allows… Continue reading Google and Intel experts warn of dangerous Bluetooth bugs in Linux

The post Google and Intel experts warn of dangerous Bluetooth bugs in Linux appeared first on Gridinsoft Blog.

]]>
Google and Intel engineers warn of dangerous Bluetooth bugs that threaten all but the latest Linux kernel versions.

The bugs are collectively known as BleedingTooth and are associated with the BlueZ stack, which is widely used in Linux distributions, as well as consumer and industrial IoT devices (with Linux 2.4.6 and higher).

“This issue allows attackers to freely execute arbitrary code within Bluetooth range, while Intel attributed this flaw to privilege escalation and information disclosure”, – say Google experts.

Google engineer Andy Nguyen discovered this collection of BleedingTooth vulnerabilities. The vulnerabilities were identified as CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490, and appeared in the code back in 2012, 2016 and 2018.

The most serious bug in this suite is CVE-2020-12351, which is a type confusion vulnerability that affects Linux 4.8 and above kernels.

The bug has a high severity rating (8.3 points on the CVSS vulnerability rating scale) and can be exploited by an attacker if he is within Bluetooth range and knows the bd address of the target device.

To exploit the bug, an attacker must send a malicious l2cap packet to the victim, which can lead to denial of service (DoS) or arbitrary code execution with kernel privileges. Nguyen stresses that exploiting the problem does not require any user interaction.

The proof-of-concept exploit for CVE-2020-12351 has already been published on GitHub, and a demonstration of the attack in action can be seen in the video below.

The second issue, CVE-2020-12352, is an information leak and affects the Linux 3.6 and higher kernels. This error was assigned a medium severity category (5.3 on the CVSS).

“Knowing the bd-address of the victim, a remote attacker at a short distance can obtain information about the kernel stack containing various pointers that can be used to predict the memory structure and bypass KASLR. The leak may contain other valuable data, including encryption keys”, – explain the researchers at Google.

The third vulnerability, CVE-2020-24490 (5.3 score of CVSS), is a heap buffer overflow that affects Linux kernel version 4.19 and above. In this case, a remote attacker within a short distance of a vulnerable device can also achieve denial of service and even execute arbitrary code with kernel privileges.

Google researchers note that only devices equipped with Bluetooth 5 chips and which are in scan mode are affected, but attackers can use malicious chips for attacks.

In turn, specialists from Intel, which is one of the main participants in the BlueZ project, write that the BlueZ developers have already announced patches for all three discovered problems. Experts now recommend asap upgrading Linux kernel to version 5.9, which was released over the weekend.

Let me remind you that recently I talked about the IPStorm botnet, which, among other things, actively attacks Linux devices.

The post Google and Intel experts warn of dangerous Bluetooth bugs in Linux appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/google-and-intel-experts-warn-of-dangerous-bluetooth-bugs-in-linux/feed/ 0 4428
Qatar obliged citizens to install “spyware” for containing COVID-19 pandemic https://gridinsoft.com/blogs/qatar-obliged-citizens-to-install-spyware-for-containing-covid-19-pandemic/ https://gridinsoft.com/blogs/qatar-obliged-citizens-to-install-spyware-for-containing-covid-19-pandemic/#respond Mon, 25 May 2020 16:25:38 +0000 https://blog.gridinsoft.com/?p=3829 As part of the fight against the spread of coronavirus infection, the Qatar government has obliged citizens and residents to install special software on their mobile devices to contain the COVID-19 pandemic. This spyware tracks contacts with infected people. This would sound fine, but for some reason the application requires permission for a number of… Continue reading Qatar obliged citizens to install “spyware” for containing COVID-19 pandemic

The post Qatar obliged citizens to install “spyware” for containing COVID-19 pandemic appeared first on Gridinsoft Blog.

]]>
As part of the fight against the spread of coronavirus infection, the Qatar government has obliged citizens and residents to install special software on their mobile devices to contain the COVID-19 pandemic. This spyware tracks contacts with infected people.

This would sound fine, but for some reason the application requires permission for a number of actions that have nothing to do with containing a pandemic.

Using Bluetooth, the Ehteraz application pings nearby devices so that they can be contacted later, if users with whom they were nearby will have COVID-19 symptoms.

“However, application also requires access to geolocation data, which may indicate the intention of the authorities to monitor the movements of citizens”, – for example, reports Al-Jazeera channel.

Moreover, the application asks users for permission to access photo and video materials on the device, make calls, turn off the screen lock, start services in the background, as well as read, delete and modify data in the device’s shared memory.

Qatar spyware containing COVID-19

Do you remember the infamous Arab ToTok messenger, with which the UAE government monitored its (and not only) citizens?

Ehteraz was released last month and is obligatory for installation, according to The Times of Israel. Failure to install the application leads a penalty or imprisonment for up to three years (the same penalty is provided for appearing in a public place without a protective mask). On Sunday, May 24, throughout the Qatar were established checkpoints for verification of compliance with the mask regime and presence of applications on citizens’ devices.

According to the Minister of Health of Qatar, Mohamed Al-Thani, all data collected is “strictly confidential. ”We confirm that all user data on Ehteraz app is completely confidential and is only accessible to relevant teams upon necessity,” said Qatar’s Director of the Public Health Department Dr Mohamed bin Hamad Al Thani.

The new version of Ehteraz was released on May 24. According to the developers, in it were fixed only minor bugs.

There is no information if they resolved an issue with access of the application to data and services on the device. MIT Technology Review’s Tate Ryan-Mosley, who has created a database of government-backed COVID-19 apps, told Al Jazeera the idea of contact tracing is old, but that digital tracing, which started to gain traction during the Ebola outbreak, has not proven to be effective yet.

“What we’re seeing now is a type of tech solutionism, meaning that these new technologies are seen as a panacea to all issues. There’s research done that if a government makes something compulsory, like an app, for instance, the likelihood of people putting their trust in it is less. If people don’t trust them, they are going to be looking for workarounds, not using these apps in good faith”, — Ryan-Mosley told Al Jazeera.

Another reason, why privacy experts question such applications is that the technology may be simply ineffective.

Let me remind you that US authorities can hack iPhone, but may have difficulties with Android

The post Qatar obliged citizens to install “spyware” for containing COVID-19 pandemic appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/qatar-obliged-citizens-to-install-spyware-for-containing-covid-19-pandemic/feed/ 0 3829