Who would not do this?
"make sure their devices are not in discovery mode in public"
Surely nobody leaves their Bluetooth open like that?
Google has posted the February security updates for Android, including for a potentially serious remote code execution flaw in Bluetooth. Designated CVE-2020-0022, the flaw was discovered and reported by researchers with German company ERNW who say a fix has been in the works since November. "On Android 8.0 to 9.0, a remote …
I agree: surely you jest. It is always fun to stand in a public location - public transport especially - and turn on my Bluetooth to witness the sometimes dozens of discovery pings.
I have always wondered if I'm the only person in this city who *does* turn off their Bluetooth when not in use...
:bounces happily: I want to know the hijack and await a fun-filled app to practice it on the move!
You're not alone. But, I'd like to see a decent survey of how many actually selectively turn their Bluetooth off. Here's a proposed survey:
Q: How much time do you leave your Bluetooth off?
1. Oh, do I need to see a dentist?
2. I just leave everything at the default settings.
3. I put the phone in airplane mode when I'm not expecting calls.
4. I only turn it on when I need to make a call.
5. I refuse to use it all together.
6. I rooted the phone and ripped out the drivers so that some malware can enable it against my will.
My answer is 4.
7. I have automation in place to switch Bluetooth off overnight, but the rest of the time it's on so as to connect with my smartwatch, headphones, car head unit, home receiver etc. without me having to mess about with settings. That's OK, though, because they're already paired and the phone is never in discovery mode.
"Surely nobody leaves their Bluetooth open like that?"
Not for any longer than 60 seconds they don't. (Unless there is a hidden option to increase the scanning timeout.)
I would also presume that not many people actually spend their time "discovering" Bluetooth devices just for fun... In general you pair up your headphones, speakers, car radio etc. once and then forget about it... What's the chance that the aforementioned hacker would be in your proximity exactly at that moment?
> What's the chance that the aforementioned hacker would be in your proximity exactly at that moment..
Along with most of the more recent flaws, the risk of some kind of drive by attack is minimal (in comparison with say cars which often can be attacked while driving by) but useful if you can get hold of the device.
"Surely nobody leaves their Bluetooth open like that?"
I think you have to explicitly enable it to discover something via bluetooth. And don't call me Shirley.
That being said, if you have BT headphones connected, and you pause, and then resume again (oh I'm on the train I want to make a phone call now), it probably re-connects your bluetooth stuff too on power up [which would make you vulnerable for that brief period of time].
I am not sure of the requirements in terms of what is actually needed to exploit the bug, but if it only needs to know the device MAC address then this advice could be incorrect. Discoverable mode enabled and able to be discovered are not the same thing... the reference to guessing Bluetooth addresses based on Wi-Fi address hints that you merely need the address even if it is not in discoverable mode.
When you explicitly wish to pair a new device you need to be in discoverable mode, where it will respond to probes and be "easy to find", however a device not appearing on the GUI does not mean it is hidden.
Do you use bluetooth headphones? What happens when you turn them on...? The same with pairing to cars etc. Do you have to go and tell your phone to be discoverable before anything will connect? If bluetooth is as much as enabled then even if it isn't currently connected you can simply guess addresses until something responds. Your device will also send out its own probes every few minutes, just in case a paired device is around and didn't auto-connect on startup.
"Surely nobody leaves their Bluetooth open like that?"
You might not know this but Android apps that have the BLUETOOTH_ADMIN permission in their manifest will allow an app to pair with other devices using bluetooth and apps with the BLUETOOTH_PRIVILEGED permission in the apps manifest: "Allows applications to pair bluetooth devices without user interaction, and to allow or disallow phonebook access or message access."
I do know that apps that contain Facebook's SDKs use Bluetooth to discover a user's location to serve targeted ads, and that apps that contain the BLUETOOTH_ADMIN permission in their manifest were a very good indication that the app had Facebook's SDKs inside.
Also, correct me if I'm wrong, but I believe the BLUETOOTH_PRIVILEGED permission is a newer more fine-grained permission and that older Android versions allowed an app to pair bluetooth without user interaction with just the BLUETOOTH_ADMIN permission.
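As an added defender's check that is not part of the thread above: a small Python script (function names are my own) that reads an app's AndroidManifest.xml and reports which of the Bluetooth permissions discussed here it requests, so you can spot apps able to initiate pairing on their own before installing them. The sample manifest is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# The permissions discussed in the comment above. BLUETOOTH_PRIVILEGED is a
# signature/privileged permission, so a third-party app that declares it is
# never actually granted it; BLUETOOTH_ADMIN is enough to discover and pair.
BLUETOOTH_PERMS = {
    "android.permission.BLUETOOTH": "use already-paired connections",
    "android.permission.BLUETOOTH_ADMIN": "discover devices and initiate pairing",
    "android.permission.BLUETOOTH_PRIVILEGED": "pair without user interaction (system apps only)",
}


def requested_bluetooth_permissions(manifest_xml: str) -> dict:
    """Return {permission: description} for Bluetooth permissions in a manifest."""
    root = ET.fromstring(manifest_xml)
    found = {}
    # Both element types declare install-time permission requests.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(f"{{{ANDROID_NS}}}name")
            if name in BLUETOOTH_PERMS:
                found[name] = BLUETOOTH_PERMS[name]
    return found


def can_pair_from_inside_app(manifest_xml: str) -> bool:
    """True if the app can start pairing itself, without the user opening Bluetooth settings."""
    perms = requested_bluetooth_permissions(manifest_xml)
    return any(p.endswith(("BLUETOOTH_ADMIN", "BLUETOOTH_PRIVILEGED")) for p in perms)


# Constructed sample manifest (hypothetical package name, not a real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.camera360">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.BLUETOOTH"/>
    <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
    <application android:label="Sample"/>
</manifest>
"""

if __name__ == "__main__":
    for perm, what in requested_bluetooth_permissions(SAMPLE_MANIFEST).items():
        print(f"{perm}: {what}")
    print("can pair from inside the app:", can_pair_from_inside_app(SAMPLE_MANIFEST))
```

On a real device the manifest can be pulled from an installed APK with `aapt dump xmltree` or extracted from the APK's binary XML with apktool before running this check.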
Yes, actually, I just used that functionality 30 minutes ago! Samsung Gear 360's app handles pairing from within said app, no need to go into your Bluetooth settings to pair manually.
Mixed blessing, that. Raised my eyebrow in suspicion (and now I read your comment about it), but convenience for most people is all they care about.
As much as I dislike Android, the problem of yet to be discovered/created vulnerabilities and bugs has to be accepted in any complex software. It’s not so much that there will be patches required, but more about the response and availability of patches. And ease of application of those.
Except for ancients who remember LADDER LOGIC. Totally unhackable except on those call outs on vacation when the Ethanol was given rule. Oh it was a wonder when FGAs brought a new era almost as slow as I now but a lot more flexible. Unhackable equates to non-field-programmable.
> the problem of yet to be discovered/created vulnerabilities and bugs has to be accepted in any complex software
True. That said, what we know about a number of high-profile Android vulnerabilities (e.g. Stagefright) suggests that Android development practices are not particularly good. Are they requiring static code analysis for all Android code, for example? Doesn't look like it - at least not historically.
As with all mostly open source software with a Huge user base, the level of bug detection is quite high, so the bug complexity and use cases fall quite rapidly as the project matures.
iOS CVEs 2019 = 156
Android CVEs 2019 = 414
iOS Market Share = 24.6%
Android Market share = 74.3%
so Android is roughly 3 times the install base and roughly 3 times the CVEs, so similar to CMSes the vulnerability rate looks similar to market share, i.e. bug detection goes where the users go.
Got the update this morning for my S10e so it looks like the work that went into Project Treble in order to be able to push security updates faster has paid off. Yes, this still means millions of phones will be vulnerable but possibly less than the headline might suggest.
> Project Treble
On my side it looks more like a hit and mostly miss affair: I expected I'd be getting more updates that way, but after 3 months I'm still waiting to see any for a new-ish tablet (and yes, I do check manually, both for security and system updates). Clearly "possibility" doesn't mean "certainty", no matter the amount of wishful thinking involved. (BTW, I wasn't the one downvoting you.)
(For those smug people who will rush to tell me they got updates: Yes, I'm very happy for you. Thanks for telling me.)
It's going to be patched, it's just a bug - nothing odd about this - Bluetooth has been acquitted! Yes there is a vulnerability there but the Bluetooth device was trying to get elected continue discovering its headphone connection so no crime has been committed.
My Android phone gets updates every day - so I'm confident that most of yesterday's bugs have probably been fixed - I expect that they will fix today's bugs tomorrow. I'll get my phone out of my coat pocket and check for today's updates now.
"Your device is up to date. 1st Feb 2019"
a one year old Motorola phone.
Even my (7 month old) Motorola One says 1st January 2020 ... I expect the fix for this new bug will have missed the February update, so I'll get it in the March update in about five weeks. It's an Android One device and so should get monthly updates until about September 2021 (three years after the model was launched).
That's a LOT better than most Android users enjoy, but really not as good as we should be able to expect.
The problem is that neither phone manufacturers nor service providers are pushing patches. You can ask your phone to check, but if you are one of the majority it will be blissfully ignorant of all the patches that have come out since it shipped from the factory.
I came here to say the same thing. We may *want* to get updates, but unless the maker of our phone and our carrier both provide the updates, then it ain't happening. Telling phone users to get an update accomplishes about as much as telling your dog to get a driver's license.
> Telling phone users to get an update
Is taking the piss out of the users. Like they actually can "get an update"...
If they are lucky, and have been good obedient customers by throwing away last year's phone for a new one, they might get some update (although nobody knows what, or even if, that update fixes something).
> (Let's not get started on the remove of 3.5mm jacks from phones!)
No, no, on the contrary! Let's get started on the fact that most design choices stuffed down our throat in the pretty name of "progress" are actually limitations and downgrades.
Removable batteries, headphone jacks, memory card slots, all those things that get removed "to enhance user experience" - and the worst thing is stupid users actually believe their "experience" has been "improved". Less is more, isn't it.
This is what I find annoying about android phones, is that you have to wait for your phone maker to provide an update. You can't get it direct from Google.
My Xperia E5 is currently on Android 6.0 it would be nice to see if it could run anything higher than that but Sony haven't made any further updates available for my phone.
I suppose I could try rooting the thing...
Vendors should be required to provide security updates for a minimum period from product release (e.g. 5 years). And this end date should be clearly printed on the box when you purchase it.
My moto g5 ceased to receive updates in Feb 2019, which means it got 23 months of updates from release (pathetic).
Of course vendors will never do this voluntarily because it takes away one reason for you to buy their next shiny model with a bunch of features you'll never use and a screen the size of a barn door.
I get a chuckle when I hear the same people that are giving the android phone manufacturers and service providers a pass complain about MS ending support for Win7 after 10 years of free security updates.
Say what you will about Apple, but they were still offering patches for my 6S when I sold it earlier this month.
> 10 years of free security updates
Since when has Windows ever been free?
The current state of affairs is not good, though it has got better, but the comparison with Windows is technically invalid due to the contract being between the user and Microsoft, whereas you just buy a phone from the manufacturer with no contract regarding the OS. It's up to consumers to hold manufacturers to account.
Apple's approach is indeed exemplary, though it is also easier if you control hardware and software. But it's also clever marketing because replacement cycles are the same if not shorter for Apple's phones, and the promise of timely updates is part of the value proposition that attracts people to Apple. Of course, they should also be held to account for their restrictive practices: you can have any browser as long as it's WebKit, you can only buy stuff from the Apple store, etc.
I completely agree with you. I have an HP laptop that came originally with Windows Vista, and has been updated to Windows 10, and it still gets security updates. Why can't my Samsung phone get more than 15 months of updates (2 years if I had bought it when it first came out)? This is ridiculous.
Because Android was designed to destroy Microsoft and no care was given by developer on iterate fast and give OEMs something they can butcher and control, lifecycle management was never a consideration, they are trying to rework it all but they are still in the Windows 98 era at the moment as far as OS development is concerned. It should be possible to run vanilla versions of Android on anything but the issue is getting the drivers, Android has no distribution method and when have you ever seen Android drivers on the Qualcomm or Broadcom web site let alone any of the others.
Handsets are closed device buy and throw every 12-24 months. That is the market.
Apparently no one wanted Windows 10 on their phone, not enough apps apparently and they didn't steal your information as efficiently, so no money in it.
So if any phone bought in the last 12/24 months from a UK/EU retailer that runs an affected version of Android, and does not receive a security update, can the owner rightfully return it for a full refund as "not fit for purpose"?
If a large number of people returned phones within the statutory warranty period because of a lack of security updates, the retailers might have to be more selective about which makes of phone they stock.
Samsung J3(2017) up to date as of November 2019, on version 9, no updates available, so no December or January ones. Will possibly get the update in August if at all. But then that is the Android lottery for you.
Wonder when someone will sue a manufacturer for not supplying updates in a timely manner if they get hacked by a known security bug?
The millions on older versions won't get anything, May 2019 data (only one I could find) had 60% of devices on version 7 or earlier, and Lenovo still sell the Tab 3 with Android 7 (https://www.lenovo.com/gb/en/tablets/android-tablets/tablets-a-series/Lenovo-Tab-7-Essential/p/ZA300158GB) and I am sure many no-brand devices have older versions yet.
Still, you get what the device manufacturer pays for.