Announcement

Collapse
No announcement yet.

Linux Impacted By Information Leak & Remote Code Execution Via Bluetooth

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • #21
    Originally posted by TheBlackCat View Post
    How come Linux developers weren't contacted until four months after Google and Microsoft if Linux IoT devices are listed as one of the primary targets of the vulnerability?
    Security companies work by "extortion". They come and threaten to reveal the vulnerability unless the company pays them for "consultant" work to help them fix the bug.

    On Linux none will really pay them as much, and "making the vulnerability public" is actually the only thing they need to go and fix it themselves.

    The fact that it happened a few months after Google/MS is somewhat irrelevant, you'll still find vulnerable IoT to this thing for a decade because you can bet your ass that the hardware manufacturer will NEVER update their SDK with anything remotely new, and most companies blindly make their firmwares with that (those using upstream support are a tiny minority).
    Last edited by starshipeleven; 09-13-2017, 05:02 AM.

    Comment


    • #22
      Originally posted by L_A_G View Post
      You and the other guy are assuming that the person/people who set up the airgapped system and the ones using it all know what they're doing. In the real world you really can't make that assumption. There's a reason why with super secure systems they actually physically break stuff by doing things like pouring glue into USB ports.
      In real life you must assume everyone is a moron, and even then you might still not be prepared to the level of morons your device will encounter.
      Last edited by starshipeleven; 09-13-2017, 05:15 AM.

      Comment


      • #23
        Originally posted by R41N3R View Post
        Seems like a nightmare if you watch the videos.
        ^ This basically describes the entire IoT ecosystem. Most vendors of IoT devices are selling a short lived consumer product. They'll provide updates for a year or two, then drop it when the new model is released. Meanwhile, new security flaws and holes are found regularly, and none of the "legacy" IoT products will ever get patched. Now think of the implications when you're talking about home security, like smart door locks and such. Pretty scary.

        Comment


        • #24
          Originally posted by torsionbar28 View Post
          ^ This basically describes the entire IoT ecosystem. Most vendors of IoT devices are selling a short lived consumer product. They'll provide updates for a year or two, then drop it when the new model is released. Meanwhile, new security flaws and holes are found regularly, and none of the "legacy" IoT products will ever get patched. Now think of the implications when you're talking about home security, like smart door locks and such. Pretty scary.
          I've been stockpiling popcorn for the inevitable IoT-calipse, I urge everyone to do so too.

          Comment


          • #25
            Originally posted by L_A_G View Post
            it can be fixed with a relatively simple software patch and not like Broadpwn (where it's the hardcoded hardware internal firmware that's being exploited and a simple software patch fix isn't possible).
            Updated firmware that fixes "Broadpwn" is available (and has been for some time) for Broadcom chips, eg. BCM43430 as used by the Raspberry Pi 3/Pi0W (link). Not sure if firmware is available for _all_ affected chips, but since most of these types of devices are capable of loading firmware at run-time I'd expect that to be the case.

            Comment


            • #26
              Looks like the patch has been backported to 4.12.13 and 4.13.2

              Comment


              • #27
                And this is why I refuse to use Bluetooth keyboards. :P

                Well, that and my concerns about transmitting typed passwords wirelessly, regardless of the short range and "security" features.

                /smug

                Comment


                • #28
                  The name is spelled "BlueBorne", not "Bluebourne". I only know because googling based on the article's variant spelling didn't work well.

                  Comment

                  Working...
                  X