BLUFFS Exploits – How Do They Work?

BLUFFS (Bluetooth Low User eavesdropping of Frequency-hopping Sessions) is a sophisticated series of attacks designed to compromise the forward and future secrecy of Bluetooth sessions, compromising the confidentiality of communications between devices. The methodology involves exploiting flaws in the session key derivation process, forcing the generation of a weak and predictable session key (SKC). The attacker then brute-forces the key, allowing them to decrypt past communications and manipulate future ones.

To execute BLUFFS, the attacker only needs to be within Bluetooth range of the targeted devices. Impersonating one device, the attacker negotiates a weak session key. Then, the other by proposing the lowest possible key entropy value and using a constant session key diversifier.

Impact on Bluetooth Devices

Given the architectural nature of the flaws, BLUFFS impacts all the devices running a whole lineup of Bluetooth protocol versions. The vulnerabilities affect Bluetooth Core Specification 4.2 through 5.4, potentially exposing a vast number of devices to the exploits. The impact has been confirmed through tests on smartphones, earphones, and laptops running Bluetooth versions 4.1 through 5.2.

Bluetooth SIG, the organization overseeing Bluetooth standard development, has received Eurecom’s report. They recommend implementations to reject connections with low key strengths, utilize “Security Mode 4 Level 4” for higher encryption strength, and operate in “Secure Connections Only” mode during pairing.

Mitigation Measures

Researchers propose backward-compatible modifications to enhance session key derivation and mitigate BLUFFS and similar threats. Recommendations, however, offer only the protocol fixes, i.e. they are not about to be done by users. Sadly, but at the moment, there is not much you can do to secure the BT connection.

The post BLUFFS Bluetooth Vulnerability Threatens Billions of Devices appeared first on Gridinsoft Blog.

For testing, the experts took the Ellume COVID-19 Home Test device, which uses an analyzer that connects to a smartphone via Bluetooth and works in tandem with the corresponding companion application.

During tests, researchers noticed activity com.ellumehealth.homecovid.android/com.gsk.itreat.activities.BluetoothDebugActivity. It turned out that users with root access can run it to “help interact with the analyser via Bluetooth.”

Further investigation revealed two types of Bluetooth traffic associated with the transmission of test results. The researchers write that they were able to intervene in traffic as follows:

Worse, the fake data provided by Ellume has been successfully accepted by Azova, which certifies COVID test results so that travellers can enter the United States.

Also, the F-Secure report details how one of the company’s employees used the Ellume device to check for COVID, the test turned out negative, but the experts applied the aforementioned methods to change the result.

Researchers from F-Secure shared their best practices on GitHub.

Fortunately, the problem has now been fixed. The specialists notified the Ellume developers of their findings, and they made changes to their product. In particular, additional obfuscation and OS checks were introduced in the Android application, and now additional analysis of test results is being carried out, which is designed to identify fake data.

Let me remind you that I also talked about various fraudulent operations speculating on the COVID-19 topic. For example, that Fake COVID-19 contact tracking apps install banking trojans, and that Cybercriminals attacked UCSF, the US leading COVID-19 vaccine developer. For example, Qatar obliged citizens to install “spyware” for containing COVID-19 pandemic.

The post Experts hacked Bluetooth test for COVID-19 appeared first on Gridinsoft Blog.

The researchers said that there were problems in the Bluetooth Core and Mesh Profile specifications that allow an attacker to impersonate a legitimate device during pairing, as well as launch man-in-the-middle attacks (of course, while in range of a wireless network).

Specialists from the Bluetooth Special Interest Group (Bluetooth SIG) have already published detailed description of all seven discovered bugs, as well as recommendations for their elimination.

According to CERT/CC, Android Open Source Project (AOSP), Cisco, Intel, Red Hat, Microchip Technology and Cradlepoint products are vulnerable to at least some of these problems. About a dozen more manufacturers confirmed that their products were not affected, and the solutions of about 200 other suppliers may be vulnerable, but their exact status is still unknown.

It is reported that the AOSP developers are already working on fixes for the vulnerabilities CVE-2020-26555 and CVE-2020-26558 affecting Android devices. The patches should be included in the next Android security bulletin.

Cisco is also working to resolve issues CVE-2020-26555 and CVE-2020-26558 affecting its products. The company tracks these vulnerabilities as PSIRT-0503777710.

As for the CVE-2020-26558 issue, the attacker must be within range of two paired Bluetooth devices and authenticate one of the devices on his own device.

The Bluetooth SIG recommends that potentially vulnerable network providers restrict authentication and do not accept the provision of random and acknowledgment numbers from a remote host that match the numbers selected by the local device.

Let me remind you that I reported that Google and Intel experts warn of dangerous Bluetooth bugs in Linux.

The post New Bluetooth Attack Allows Simulating Another Device appeared first on Gridinsoft Blog.

The bugs are collectively known as BleedingTooth and are associated with the BlueZ stack, which is widely used in Linux distributions, as well as consumer and industrial IoT devices (with Linux 2.4.6 and higher).

“This issue allows attackers to freely execute arbitrary code within Bluetooth range, while Intel attributed this flaw to privilege escalation and information disclosure”, – say Google experts.

Google engineer Andy Nguyen discovered this collection of BleedingTooth vulnerabilities. The vulnerabilities were identified as CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490, and appeared in the code back in 2012, 2016 and 2018.

The most serious bug in this suite is CVE-2020-12351, which is a type confusion vulnerability that affects Linux 4.8 and above kernels.

The bug has a high severity rating (8.3 points on the CVSS vulnerability rating scale) and can be exploited by an attacker if he is within Bluetooth range and knows the bd address of the target device.

To exploit the bug, an attacker must send a malicious l2cap packet to the victim, which can lead to denial of service (DoS) or arbitrary code execution with kernel privileges. Nguyen stresses that exploiting the problem does not require any user interaction.

The proof-of-concept exploit for CVE-2020-12351 has already been published on GitHub, and a demonstration of the attack in action can be seen in the video below.

The second issue, CVE-2020-12352, is an information leak and affects the Linux 3.6 and higher kernels. This error was assigned a medium severity category (5.3 on the CVSS).

“Knowing the bd-address of the victim, a remote attacker at a short distance can obtain information about the kernel stack containing various pointers that can be used to predict the memory structure and bypass KASLR. The leak may contain other valuable data, including encryption keys”, – explain the researchers at Google.

The third vulnerability, CVE-2020-24490 (5.3 score of CVSS), is a heap buffer overflow that affects Linux kernel version 4.19 and above. In this case, a remote attacker within a short distance of a vulnerable device can also achieve denial of service and even execute arbitrary code with kernel privileges.

Google researchers note that only devices equipped with Bluetooth 5 chips and which are in scan mode are affected, but attackers can use malicious chips for attacks.

In turn, specialists from Intel, which is one of the main participants in the BlueZ project, write that the BlueZ developers have already announced patches for all three discovered problems. Experts now recommend asap upgrading Linux kernel to version 5.9, which was released over the weekend.

Let me remind you that recently I talked about the IPStorm botnet, which, among other things, actively attacks Linux devices.

The post Google and Intel experts warn of dangerous Bluetooth bugs in Linux appeared first on Gridinsoft Blog.

This would sound fine, but for some reason the application requires permission for a number of actions that have nothing to do with containing a pandemic.

Using Bluetooth, the Ehteraz application pings nearby devices so that they can be contacted later, if users with whom they were nearby will have COVID-19 symptoms.

“However, application also requires access to geolocation data, which may indicate the intention of the authorities to monitor the movements of citizens”, – for example, reports Al-Jazeera channel.

Moreover, the application asks users for permission to access photo and video materials on the device, make calls, turn off the screen lock, start services in the background, as well as read, delete and modify data in the device’s shared memory.

Do you remember the infamous Arab ToTok messenger, with which the UAE government monitored its (and not only) citizens?

Ehteraz was released last month and is obligatory for installation, according to The Times of Israel. Failure to install the application leads a penalty or imprisonment for up to three years (the same penalty is provided for appearing in a public place without a protective mask). On Sunday, May 24, throughout the Qatar were established checkpoints for verification of compliance with the mask regime and presence of applications on citizens’ devices.

According to the Minister of Health of Qatar, Mohamed Al-Thani, all data collected is “strictly confidential. ”We confirm that all user data on Ehteraz app is completely confidential and is only accessible to relevant teams upon necessity,” said Qatar’s Director of the Public Health Department Dr Mohamed bin Hamad Al Thani.

The new version of Ehteraz was released on May 24. According to the developers, in it were fixed only minor bugs.

There is no information if they resolved an issue with access of the application to data and services on the device. MIT Technology Review’s Tate Ryan-Mosley, who has created a database of government-backed COVID-19 apps, told Al Jazeera the idea of contact tracing is old, but that digital tracing, which started to gain traction during the Ebola outbreak, has not proven to be effective yet.

“What we’re seeing now is a type of tech solutionism, meaning that these new technologies are seen as a panacea to all issues. There’s research done that if a government makes something compulsory, like an app, for instance, the likelihood of people putting their trust in it is less. If people don’t trust them, they are going to be looking for workarounds, not using these apps in good faith”, — Ryan-Mosley told Al Jazeera.

Another reason, why privacy experts question such applications is that the technology may be simply ineffective.

Let me remind you that US authorities can hack iPhone, but may have difficulties with Android

The post Qatar obliged citizens to install “spyware” for containing COVID-19 pandemic appeared first on Gridinsoft Blog.