Linux Impacted By Information Leak & Remote Code Execution Via Bluetooth


  • #11
    What would Rust prevent in this case?



    • #12
      Originally posted by zamadatix

      Because, per their page, they also coordinated with all of the major distributions' security contacts. Ubuntu already pushed the security patch out late on the 11th (https://launchpad.net/ubuntu/+source...01-0ubuntu13.3). I assume the rest have as well by now since it was planned.
      I see bluez updated by my distro on the 12th, so a bit late I would say, I'd rather have a day earlier... but I don't see the kernel patch in 4.13.1 yet though, is this not a problem? We seem to only have one fix out of the two (but probably the most important one) so far...

      The Android situation does not look great either: once Google releases their security fixes, how long does it take hardware makers to push these to their customers? I doubt it's quick enough, and it definitely is not on my phone. Which actually is really scary as I use a Bluetooth headset so Bluetooth is always on, especially in public!
      Last edited by geearf; 13 September 2017, 01:17 AM.



      • #13
        Originally posted by garegin
        What would Rust prevent in this case?
        Rust prevents Stack Overflows.



        • #14
          Originally posted by iVistux

          Rust prevents Stack Overflows.
          I would say Rust fosters Stack Overflows, though prevents stack overflows :Ь



          • #15
            That looks pretty bad, but on the bright side it's a software exploit so it can be fixed with a relatively simple software patch and not like Broadpwn (where it's the hardcoded hardware internal firmware that's being exploited and a simple software patch fix isn't possible).

            Slightly annoyed that this exploit got an article here on Phoronix when Broadpwn is considerably more serious, as it can't be fixed anywhere near as easily. Is it that Michael hasn't heard of it or that it's an exploit of proprietary firmware?
            Last edited by L_A_G; 13 September 2017, 02:53 AM.



            • #16
              Originally posted by Frogging101
              I appreciate the work of Armis Labs in researching this vulnerability, but I have to say that Blueborne page they put up is garbage. It reads like a cross between sensationalist tech "news" and marketing tripe. They barely talk about mitigation. It's just a lot of big numbers and scary words, and then:



              These two paragraphs are all we get on the subject of mitigation. Let's break that down.



              Indeed, none of these things will make insecure shit on your network magically secure. And nor would anyone expect them to. If used correctly, they are components of what is hopefully a larger coordinated policy to limit the damage a compromised host can do if connected to the network.



              Hold on. Air gapping? Ah yes. From earlier in the article:



              That's bullshit. An air gapped network will not be accessible via bluetooth or the insecure class of devices equipped with it. That would completely defeat the purpose of air gapping.



              I assume the takeaway is supposed to be that the world will be needing their services more and more as we move into this brave new world. Very helpful. Thanks for that.

              Maybe they could have mentioned some hardening options, such as buffer overflow protection (-fstack-protector). Or recommended some best practices such as disabling features that one does not need (such as bluetooth) in order to reduce the attack surface. Even some platitude about the importance of keeping your software up to date would have been better than nothing.
              Unless of course the airgapping is done by an idiot who doesn't think of bluetooth with due respect. Imo if you don't actively need it, you should disable it. The lower level, the better.



              • #17
                Originally posted by nanonyme
                Unless of course the airgapping is done by an idiot who doesn't think of bluetooth with due respect. Imo if you don't actively need it, you should disable it. The lower level, the better.
                You and the other guy are assuming that the person/people who set up the airgapped system and the ones using it all know what they're doing. In the real world you really can't make that assumption. There's a reason why with super secure systems they actually physically break stuff by doing things like pouring glue into USB ports.



                • #18
                  Originally posted by geearf

                  It matters to me.

                  Also the page does not state that Linux has a patch yet, only that the information would be released on the 12th...
                  If they have no patch yet, then I wonder why I received a Bluez update in Solus this morning to fix this security issue. Was it fake then? lol
                  Last edited by Vistaus; 13 September 2017, 04:33 AM.



                  • #19
                    Originally posted by Vistaus

                    If they have no patch yet, then I wonder why I received a Bluez update in Solus this morning to fix this security issue. Was it fake then? lol
                    Hmmm, maybe you did not understand what I wrote... Sad.



                    • #20
                      Originally posted by TheBlackCat
                      How come Linux developers weren't contacted until four months after Google and Microsoft if Linux IoT devices are listed as one of the primary targets of the vulnerability?
                      Security companies work by "extortion". They come and threaten to reveal the vulnerability unless the company pays them for "consultant" work to help them fix the bug.

                      On Linux none will really pay them as much, and "making the vulnerability public" is actually the only thing they need to go and fix it themselves.

                      The fact that it happened a few months after Google/MS is somewhat irrelevant, you'll still find vulnerable IoT to this thing for a decade because you can bet your ass that the hardware manufacturer will NEVER update their SDK with anything remotely new, and most companies blindly make their firmwares with that (those using upstream support are a tiny minority).
                      Last edited by starshipeleven; 13 September 2017, 05:02 AM.
