Category: Bluetooth
From Slashdot:
Apple and Google have launched a new industry standard called “Detecting Unwanted Location Trackers” to combat the misuse of Bluetooth trackers for stalking. Starting Monday, iPhone and Android users will receive alerts when an unknown Bluetooth device is detected moving with them. The move comes after numerous cases of trackers like Apple’s AirTags being used for malicious purposes.
Several Bluetooth tag companies have committed to making their future products compatible with the new standard. Apple and Google said they will continue collaborating with the Internet Engineering Task Force to further develop this technology and address the issue of unwanted tracking.
This seems like a good idea, but I worry about false alarms. If I am walking with a friend, will it alert if they have a Bluetooth tracking device in their pocket?
New attack breaks forward secrecy in Bluetooth.
BLUFFS is a series of exploits targeting Bluetooth, aiming to break Bluetooth sessions’ forward and future secrecy, compromising the confidentiality of past and future communications between devices.
This is achieved by exploiting four flaws in the session key derivation process, two of which are new, to force the derivation of a short, thus weak and predictable session key (SKC).
Next, the attacker brute-forces the key, enabling them to decrypt past communication and decrypt or manipulate future communications.
The vulnerability has been around for at least a decade.
The Flipper Zero is an incredibly versatile hacking device. Now it can be used to crash iPhones in its vicinity by sending them a never-ending stream of pop-ups.
These types of hacks have been possible for decades, but they require special equipment and a fair amount of expertise. The capabilities generally required expensive SDRs—short for software-defined radios—that, unlike traditional hardware-defined radios, use firmware and processors to digitally re-create radio signal transmissions and receptions. The $200 Flipper Zero isn’t an SDR in its own right, but as a software-controlled radio, it can do many of the same things at an affordable price and with a form factor that’s much more convenient than the previous generations of SDRs.
In today’s interconnected world, our smartphones have become central to our lives. We rely on them for communication, navigation, entertainment, and even personal security. However, the convenience they offer comes with a price – the constant threat of cyberattacks. One often overlooked, yet significant, vulnerability in our smartphones is Bluetooth. By understanding the risks and taking simple precautions, you can enhance the security of your mobile device.
The Bluetooth Vulnerability
Bluetooth technology allows for wireless communication between devices over short distances. While this feature is incredibly handy for connecting wireless headphones, speakers, and other peripherals, it can also be exploited by malicious actors.
Bluejacking: This is a relatively harmless but intrusive form of cyberattack where someone sends unsolicited messages or files to your device. While not typically harmful, it can be annoying and may drain your device’s battery.
Bluesnarfing: More serious than bluejacking, bluesnarfing is when cybercriminals access your mobile’s data, including contacts, emails, and messages, without your consent. This breach of privacy can have far-reaching consequences.
BlueBorne Attack: This is one of the most critical Bluetooth vulnerabilities. It allows hackers to take complete control of your device. They can access data, install malware, and potentially turn your device into part of a botnet.
How Turning Off Bluetooth Enhances Security
Disabling Bluetooth on your mobile device, when not in use, can significantly reduce the risk of these cyberattacks. Here’s how:
Preventing Unauthorized Access: Turning off Bluetooth eliminates the possibility of unauthorized connections. When your Bluetooth is off, it’s far more challenging for cybercriminals to establish a connection with your device.
Avoiding Pairing Requests: Without Bluetooth enabled, you won’t receive any pairing requests from unknown devices. This ensures that you only connect with devices and peripherals that you trust.
Mitigating the Risk of BlueBorne Attacks: BlueBorne attacks are known to exploit vulnerabilities in Bluetooth connections. Disabling Bluetooth when you’re not actively using it eliminates this risk entirely.
Preserving Battery Life: Keeping Bluetooth on, even when not in use, can needlessly drain the battery. By turning it off, you’ll extend your mobile’s battery life.
Best Practices for Bluetooth Security
While turning off Bluetooth is a straightforward and effective security measure, you can still enjoy the convenience of Bluetooth connectivity while keeping your device safe:
Use Bluetooth Wisely: Enable Bluetooth only when you need it, and turn it off when you’re finished.
Keep Your Device Updated: Ensure your mobile device’s operating system and apps are up-to-date. Manufacturers frequently release security patches that address known vulnerabilities.
Password Protection: Always secure your device with a strong, unique password or PIN. This provides an extra layer of protection if Bluetooth is inadvertently turned on or accessed by an attacker.
Be Cautious with Pairing: Only pair your device with trusted devices. Avoid connecting with unknown or unverified devices.
In conclusion, Bluetooth, while incredibly useful, can also be a gateway for cyberattacks on your mobile device. Turning off Bluetooth when you’re not actively using it is a simple and effective way to enhance your mobile device’s security. By following best practices and staying informed about potential risks, you can enjoy the convenience of Bluetooth without compromising your privacy and data security.
The post How Turning Off Bluetooth Can Safeguard Your Mobile from Cyber Attacks appeared first on Cybersecurity Insiders.
Turns out that pumps at gas stations are controlled via Bluetooth, and that the connections are insecure. No details in the article, but it seems that it’s easy to take control of the pump and have it dispense gas without requiring payment.
It’s a complicated crime to monetize, though. You need to sell access to the gas pump to others.
We’ve always known that phones—and the people carrying them—can be uniquely identified from their Bluetooth signatures, and that we need security techniques to prevent that. This new research shows that that’s not enough.
Computer scientists at the University of California San Diego proved in a study published May 24 that minute imperfections in phones caused during manufacturing create a unique Bluetooth beacon, one that establishes a digital signature or fingerprint distinct from any other device. Though phones’ Bluetooth uses cryptographic technology that limits trackability, using a radio receiver, these distortions in the Bluetooth signal can be discerned to track individual devices.
[…]
The study’s scientists conducted tests to show whether multiple phones being in one place could disrupt their ability to track individual signals. Results in an initial experiment showed they managed to discern individual signals for 40% of 162 devices in public. Another, scaled-up experiment showed they could discern 47% of 647 devices in a public hallway across two days.
The tracking range depends on device and the environment, and it could be several hundred feet, but in a crowded location it might only be 10 or so feet. Scientists were able to follow a volunteer’s signal as they went to and from their house. Certain environmental factors can disrupt a Bluetooth signal, including changes in environment temperature, and some devices send signals with more power and range than others.
One might say “well, I’ll just keep Bluetooth turned off when not in use,” but the researchers said they found that some devices, especially iPhones, don’t actually turn off Bluetooth unless a user goes directly into settings to turn off the signal. Most people might not even realize their Bluetooth is being constantly emitted by many smart devices.