Nasty Bluetooth flaw hits billions of devices — what to do now

A flaw in an older version of the Bluetooth protocol lets hackers pair their devices with yours, potentially leaving billions of devices open to attack. Affected devices may include, but are not limited to, iPhones, Pixels, Samsung Galaxy phones, Lenovo, Apple and HP laptops, and Sennheiser, Philips and Plantronics headphones.
The flaw permits what its finders, all European academic researchers, call "Bluetooth Impersonation Attacks," or "BIAS" for short. An attacker's device can impersonate a device that has already been paired with your device, then connect automatically.
You'll want to update the software and/or firmware on your Bluetooth device ASAP, although whether that fixes things depends on your device's manufacturer.
Once connected, the attacker can steal information, or even take control of your phone, tablet, laptop or headphones — and can do the same to a device that has previously been paired with yours.
"After we disclosed our attack to industry in December 2019, some vendors might have implemented workarounds for the vulnerability on their devices," the researchers said in a blog post yesterday (May 19).
"So, the short answer is: If your device was not updated after December 2019, it is probably vulnerable. Devices updated afterwards might be fixed."
Here's a video, rather charmingly narrated by researcher Daniele Antonioli of the École Polytechnique Fédérale de Lausanne in Switzerland, explaining how the attacks work.
Antonioli and his colleagues tested 31 devices directly and found them to be vulnerable to BIAS attacks. It's not clear whether any devices were tested and found not to be vulnerable, although the researchers hint that they could not find any gadgets that were completely safe.
"Our attacks work even when the victims are using Bluetooth's strongest security modes," their academic research paper said. "Our attacks target the standardized Bluetooth authentication procedure, and are therefore effective against any standard compliant Bluetooth device."
In other words, the paper said, "a single vulnerability in a security mechanism defined in the standard translates into billions of exploitable devices."
The only device that even partly protected itself was a Lenovo wireless mouse from 2015, which you can get on eBay for about $30.
Which devices are vulnerable to BIAS attacks?
Vulnerable smartphones and tablets included the Apple iPhone 8, iPhone 7 Plus, iPhone 6, iPhone 5s, and the 2018 and 2010 iPads; the Google Pixel 3, Pixel 2 and Nexus 5; the Samsung Galaxy S5 mini, Galaxy J5 and the 2017 and 2016 models of the Galaxy J3; the Nokia 7, X6 and Lumia 530; the OnePlus 6; the LG K4; and the Motorola G3.
Laptops found to be vulnerable included the Lenovo ThinkPad L930, third-generation ThinkPad X1, ThinkPad X230 and IdeaPad U430; the 2017 Apple MacBook Pro; and the HP ProBook 430 G3.
Other proven vulnerable devices included the Lenovo ThinkPad 41U5008 wireless mouse; the Sennheiser PXC 550, Plantronics Backbeat 903+ and Philips SHB7250 wireless headphones; and the Raspberry Pi 3B+ mini-board computer.
The researchers found the Bluetooth flaw in 30 different devices. But because the flaws lie not in the devices themselves, but rather in the embedded Bluetooth chips that are used across a range of brands and devices, hundreds more models from an unknown number of manufacturers are likely to be just as vulnerable.
The 28 Bluetooth chips in the proven vulnerable devices include the widely used Qualcomm Snapdragon 845, 835, 636, 630, 410, 210 and 200 systems-on-a-chip; the Samsung Exynos 7570, 3475 and 3470 SoCs; the Intel 9560, 8260, 7265, 6205 and 1280 wireless network adapters; and several Apple, Cypress and Cambridge Silicon Radio wireless chips.
For example, phones using the Qualcomm Snapdragon 845, but not tested for this research, include the Samsung Galaxy S9, S9+ and Note 9; the LG G7, V35 and V40; and the Sony Xperia XZ2 and XZ3. It's also possible that other systems-on-a-chip that were not tested might be vulnerable to BIAS attacks.
Also, both the original iPad from 2010 and its descendant from 2018 were vulnerable, indicating that other iPad models might be as well.
Some fixes are already available
For its part, the Bluetooth Special Interests Group, which oversees development of the wireless standard, said it was updating the Bluetooth core specifications to correct this flaw.
"The Bluetooth SIG is also broadly communicating details on this vulnerability and its remedies to our member companies and is encouraging them to speedily integrate any necessary patches," the group's statement said. "As always, Bluetooth users should ensure they have installed the latest recommended updates from device and operating system manufacturers."
Antonioli's colleagues in this research were Nils Ole Tippenhauer of the CISPA Helmholtz Center for Information Security in Germany and Kasper Rasmussen of the Department of Computer Science at the University of Oxford. Their full research paper can be found here.
Source: https://www.tomsguide.com/news/bluetooth-bias-flaw
Posted by: wilburnherivink.blogspot.com