|
Scooped by
Gust MEES
|
The “BLURtooth” flaw allows attackers within wireless range to bypass authentication keys and snoop on devices utilizing implementations of Bluetooth 4.0 through 5.0.
A high-severity Bluetooth vulnerability has been uncovered, which could enable an unauthenticated attacker within wireless range to eavesdrop or alter communications between paired devices.
The flaw (CVE-2020-15802), discovered independently by researchers at the École Polytechnique Fédérale de Lausanne (EPFL) and Purdue University, is being referred to as “BLURtooth.” The issue exists in the pairing process for Bluetooth 4.0 through 5.0 implementations. This pairing process is called Cross-Transport Key Derivation (CTKD).
“Devices… using [CTKD] for pairing are vulnerable to key overwrite, which enables an attacker to gain additional access to profiles or services that are not restricted, by reducing the encryption key strength or overwriting an authenticated key with an unauthenticated key,” according to a security advisory on Wednesday by the Carnegie Mellon CERT Coordination Center. Learn more / En savoir plus / Mehr erfahren: https://www.scoop.it/t/securite-pc-et-internet/?&tag=Bluetooth
|
Scooped by
Gust MEES
|
Bluetooth-related vulnerabilities can affect a dizzying array of devices. In the latest instance, a newly discovered round of 12 Bluetooth bugs potentially exposes more than 480 devices to attack, including fitness trackers, smart locks, and dozens of medical tools and implants.
Researchers from Singapore University of Technology and Design began developing techniques for analyzing Wi-Fi security in January 2019, and later realized they could apply those same methods to assess Bluetooth as well. By September they had found their first bug in certain implementations of Bluetooth Low Energy, the version of the protocol designed for devices with limited resources and power. Within weeks, they had found 11 more.
Collectively dubbed "SweynTooth," the flaws exist not in BLE itself, but in the BLE software development kits that come with seven "system on a chip" products—microchips that integrate all of a computer's components in one place. IoT manufacturers often turn to off-the-shelf SoCs to develop new products quickly. That also means, though, that SoC implementation flaws can propagate across a wide variety of devices. Learn more / En savoir plus / Mehr erfahren: https://www.scoop.it/t/securite-pc-et-internet/?&tag=Bluetooth https://www.scoop.it/topic/securite-pc-et-internet/?&tag=SweynTooth
|
Scooped by
Gust MEES
|
Everyone uses Bluetooth. Perhaps they shouldn't.
The technology that we've come to rely on to connect our phones, smart speakers, cars, vibrators, and toasters is problematic for reasons more serious than pairing issues. Bluetooth has been shown time and time again to be a security and privacy nightmare — albeit one that can be mostly solved with a simple toggling of an off switch.
You just have to decide to flip that switch.
Bluetooth has long been a dirty word for security professionals. So much so, in fact, that one of the most common pieces of advice given to attendees of the annual DEF CON hacker conference in Las Vegas is to make sure Bluetooth is disabled on their phones.
This is not just paranoia. In fact, at this year's DEF CON researchers showed off the ability to use Bluetooth to identify vulnerable digital speakers. Once identified, hackers could take control of the devices and force them to play "dangerous" sounds that could lead to hearing loss in anyone unfortunate enough to be nearby. Learn more / En savoir plus / Mehr erfahren: http://www.scoop.it/t/securite-pc-et-internet/?&tag=Bluetooth
|
Scooped by
Gust MEES
|
Identifying tokens and random addresses, meant to create anonymity, do not change in sync on some devices — opening an attack vector.
Vulnerabilities in the way Bluetooth Low Energy is implemented on devices by manufacturers can open the door to global device tracking for the Windows 10, iOS and macOS devices that incorporate it, according to research from Boston University.
An academic team at BU uncovered the flaws, which exist in the periodically changing, randomized device addressing mechanism that many new-model Bluetooth Low Energy (BLE) devices incorporate to prevent passive tracking. A paper on the issues (PDF) was presented Wednesday at the 19th Privacy Enhancing Technologies Symposium. Learn more / En savoir plus / Mehr erfahren: http://www.scoop.it/t/securite-pc-et-internet/?&tag=Bluetooth
|
Scooped by
Gust MEES
|
Google's and Amazon's two smart speakers, the Google Home and the Amazon Echo, fall victim to the BlueBorne Bluetooth flaw.
Researchers have managed to prove that the BlueBorne Bluetooth flaw also affects the Google Home and Amazon Echo smart speakers. Eight critical Bluetooth flaws were revealed a few weeks ago. They affect billions of Android, iOS, Windows and Linux devices. Now the assistants of the two web giants are also caught up in this enormous digital "mess", as the company Armis confirms. Learn more / En savoir plus / Mehr erfahren: https://www.scoop.it/t/securite-pc-et-internet/?&tag=BlueBorne
|
Scooped by
Gust MEES
|
A novel Bluetooth relay attack can let cybercriminals more easily than ever remotely unlock and operate cars, break open residential smart locks, and breach secure areas.
The vulnerability has to do with weaknesses in the current implementation of Bluetooth Low Energy (BLE), a wireless technology used for authenticating Bluetooth devices that are physically located within a close range.
"An attacker can falsely indicate the proximity of Bluetooth LE (BLE) devices to one another through the use of a relay attack," U.K.-based cybersecurity company NCC Group said. "This may enable unauthorized access to devices in BLE-based proximity authentication systems." Learn more / En savoir plus / Mehr erfahren: https://www.scoop.it/t/securite-pc-et-internet/?&tag=Bluetooth https://www.scoop.it/topic/securite-pc-et-internet/?&tag=BLURtooth
|
Scooped by
Gust MEES
|
YOU INTUITIVELY KNOW why you should bolt your doors when you leave the house and add some sort of authentication for your smartphone. But there are lots of digital entrances that you leave open all the time, such as Wi-Fi and your cell connection. It's a calculated risk, and the benefits generally make it worthwhile. That calculus changes with Bluetooth. Whenever you don't absolutely need it, you should go ahead and turn it off.
Minimizing your Bluetooth usage minimizes your exposure to very real vulnerabilities. That includes an attack called BlueBorne, announced this week by the security firm Armis, which would allow any affected device with Bluetooth turned on to be attacked through a series of vulnerabilities. The flaws aren't in the Bluetooth standard itself, but in its implementation in all sorts of software. Windows, Android, Linux, and iOS have been vulnerable to BlueBorne in the past. Millions could still be at risk. Learn more / En savoir plus / Mehr erfahren: https://www.scoop.it/t/securite-pc-et-internet/?&tag=Bluetooth https://www.scoop.it/topic/securite-pc-et-internet/?&tag=BLURtooth
|
Scooped by
Gust MEES
|
All devices using the Bluetooth 4.0 to 5.0 standard are vulnerable. Patches are not available for now.
The organizations behind Bluetooth wireless technology have just published guidance on how device vendors can mitigate a new attack against Bluetooth-capable devices. Named BLURtooth, it is a vulnerability in a component of the Bluetooth standard called Cross-Transport Key Derivation (CTKD). This component is used to set up authentication keys when two Bluetooth-capable devices are paired. It works by establishing two different sets of authentication keys, for the Bluetooth Low Energy (BLE) standard and the Basic Rate/Enhanced Data Rate (BR/EDR) standard. CTKD's role is to prepare the keys and let the paired devices decide which version of the Bluetooth standard they want to use. Bluetooth's "dual-mode" feature is the main use of this system. Learn more / En savoir plus / Mehr erfahren: https://www.scoop.it/t/securite-pc-et-internet/?&tag=Bluetooth https://www.scoop.it/topic/securite-pc-et-internet/?&tag=BLURtooth
|
Scooped by
Gust MEES
|
According to Acronis' co-founder and technology president Stas Protassov, Bluetooth has had several vulnerabilities in the past, including as recently as February, when BlueFrag, a critical vulnerability, affected multiple Android and Apple iOS devices, which then required patching.
Left unpatched, devices could be breached by hackers within the vicinity and the user's personal data stolen, Protassov warned. He also stressed the need for users to update their devices' firmware to ensure vulnerabilities are promptly fixed. And as with any app, they also should check the permissions that all contact tracing apps requested.
Most of these apps, including Singapore's TraceTogether, use Bluetooth signals to detect others in close proximity, and security observers say it could leave the smartphone susceptible to threats, especially if there are undiscovered or unfixed vulnerabilities. Learn more / En savoir plus / Mehr erfahren: https://www.scoop.it/t/securite-pc-et-internet/?&tag=Bluetooth https://www.scoop.it/topic/securite-pc-et-internet/?&tag=SweynTooth https://www.scoop.it/topic/securite-pc-et-internet/?&tag=Contact+tracing
|
Scooped by
Gust MEES
|
A recent rise in laptop and gadget thefts from cars, particularly in San Francisco and the larger Bay Area, has left victims and police wondering if burglars are using Bluetooth scanners to choose target cars based on which have gadgets inside emitting wireless signals. Many laptops and gadgets will put out a sort of beacon by default when their Bluetooth is turned on, so that other Bluetooth devices can find them and potentially pair—even when closed or idle.
"A lot of that has to do with power savings; it depends on what sleep mode different laptops go into when the lid is closed," says Jake Williams, founder of the security firm Rendition Infosec, who often uses Wi-Fi and Bluetooth scanners in penetration testing. "But I have little doubt that some thieves are using Bluetooth scanners to target devices. It's trivial to use one, so it's not like technical knowledge is a limiting factor."
"Right now we do know that thieves are utilizing them." Learn more / En savoir plus / Mehr erfahren: https://www.scoop.it/t/securite-pc-et-internet/?&tag=Bluetooth https://www.scoop.it/topic/securite-pc-et-internet/?&tag=SweynTooth
|
Scooped by
Gust MEES
|
Like all technologies, Bluetooth has its share of vulnerabilities. After Israeli researchers discovered a flaw, CVE-2018-5383, that allows data exchanged between devices to be intercepted or damaged, others have just been exposed. Three technology and design researchers from the university of Singapore, Matheus E. Garbelini, Sudipta Chattopadhyay and Chundong Wang, have found around ten flaws relating to Bluetooth Low Energy technology. Grouped under the name SweynTooth, they expose around fifteen systems on a chip (SoC) from several manufacturers that use it: NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor. "The vulnerabilities can be used by an attacker who is within Bluetooth range and can crash the affected devices, force a reboot, lock them up, or bypass the secure BLE pairing mode and access functions reserved for authorized users," Bleepingcomputer reports. Learn more / En savoir plus / Mehr erfahren: http://www.scoop.it/t/securite-pc-et-internet/?&tag=Bluetooth
|
Scooped by
Gust MEES
|
As researchers have found, there is a massive security problem with Bluetooth. It makes devices easy for attackers to track.
Researchers at Boston University have discovered a flaw in the Bluetooth communication protocol through which most devices can be tracked by third parties and data can be lost.
The research report, which appeared under the title "Tracking Anonymized Bluetooth Devices" and was published by researchers Johannes K. Becker and David Starobinski, describes the vulnerability of Bluetooth devices in detail. Devices running Windows 10, iOS and macOS may be affected, as well as smartwatches from Apple and Fitbit. Learn more / En savoir plus / Mehr erfahren: http://www.scoop.it/t/securite-pc-et-internet/?&tag=Bluetooth
|
Scooped by
Gust MEES
|
A lapse during pairing allows attackers to insert themselves into the connection. Numerous manufacturers are affected, including Apple and Qualcomm.
A vulnerability in the Bluetooth implementation allows attackers to insert themselves into the radio connection and to read and manipulate traffic in plaintext. The flaw affects numerous manufacturers, including Apple, Broadcom, Intel and Qualcomm, so many millions of devices are likely to be affected.
The problem lies in the cryptographically secured pairing mechanism, in which a key exchange based on Elliptic-Curve Diffie-Hellman (ECDH) takes place. That is all well and good, but it turned out that some Bluetooth implementations do not check the ECDH parameters used, or do not check them sufficiently. An attacker can exploit this lapse to weaken the encryption of the connection and ultimately control the traffic as a man-in-the-middle. Learn more / En savoir plus / Mehr erfahren: http://www.scoop.it/t/securite-pc-et-internet/?&tag=BlueBorne http://www.scoop.it/t/securite-pc-et-internet/?&tag=Bluetooth
|
Scooped by
Gust MEES
|
Researchers from the University of California San Diego in a new paper have demonstrated how Bluetooth signals can be used to identify and track smartphones.
Learn more / En savoir plus / Mehr erfahren:
https://www.scoop.it/t/securite-pc-et-internet/?&tag=Bluetooth
https://www.scoop.it/topic/securite-pc-et-internet/?&tag=BLURtooth