Tuesday, September 12, 2017

Bluetooth assignment

Just today we are seeing the following report: “BlueBorne, as the researchers have dubbed their attack, is notable for its unusual reach and effectiveness. Virtually any Android, Linux, or Windows device that hasn't been recently patched and has Bluetooth turned on can be compromised by an attacking device within 32 feet. It doesn't require device users to click on any links, connect to a rogue Bluetooth device, or take any other action, short of leaving Bluetooth on. The exploit process is generally very fast, requiring no more than 10 seconds to complete, and it works even when the targeted device is already connected to another Bluetooth-enabled device.
It has never been a bad idea to keep Bluetooth turned off by default and to turn it on only when needed—at least on Android phones, the large percentage of which still broadcast privacy-compromising MAC addresses for anyone within radio range to view. The vulnerabilities reported by Armis now reinforce the wisdom of that advice.” (GOODIN, 2017)
Thus we can take two lessons from this attack: keep Bluetooth turned off when it is not needed, and patch the device.

“NFC is a short-distance radio signal that often requires physical contact. Payment systems such as Apple Pay, Android Pay, and Samsung Pay all use NFC to make fumbling for quarters a thing of the past. Let’s say you have an NFC-enabled phone with an app from your local transit authority installed. The app will want a connection to your bank account or credit card so that you can always board any bus or train or ferry without worrying about a negative balance on your account. That connection to your credit card number, if it is not obscured by a token, or placeholder, number, could reveal to the transit authority who you are. Replacing your credit card number with a token is a new option that Apple, Android, and Samsung offer. That way the merchant—in this case the transit authority—only has a token and not your real credit card number. Using a token will cut down on data breaches affecting credit cards in the near future because the criminal would then need two databases: the token, and the real credit card number behind the token.” (Mitnick, 2017)


New methods are being created to prevent this, such as screen-locking software that uses Bluetooth to verify that you are near your computer. In other words, if you go to the bathroom and your mobile phone goes out of Bluetooth range of the computer, the screen is immediately locked. There are also versions that use a Bluetooth device like a wristband or smartwatch and will do the same thing. (Mitnick, 2017)
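The lock decision behind such proximity software can be sketched as follows. This is an added example, not code from the post or from Mitnick's book; the class name, the RSSI threshold, the missed-scan tolerance and the sample readings are all assumptions, and the scans are simulated so no Bluetooth hardware is needed.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class ProximityLock:
    """Hypothetical lock-only policy driven by periodic Bluetooth scans."""
    rssi_floor: int = -75   # assumed signal floor in dBm; tune per device
    max_missed: int = 2     # consecutive weak/absent scans before locking
    locked: bool = False
    _missed: int = 0

    def observe(self, rssi: Optional[int]) -> bool:
        """Feed one scan result (None = phone not seen). Returns lock state."""
        if self.locked:
            # Design choice in this example: a returning signal never
            # unlocks the screen; proximity is used only to lock it.
            return True
        if rssi is None or rssi < self.rssi_floor:
            self._missed += 1
        else:
            self._missed = 0
        if self._missed >= self.max_missed:
            self.locked = True
        return self.locked

    def unlock_with_password(self, password_ok: bool) -> bool:
        """Only an explicit credential check clears the lock."""
        if password_ok:
            self.locked = False
            self._missed = 0
        return self.locked

def replay(samples: List[Optional[int]], **settings) -> List[bool]:
    """Run a list of scan results through a fresh lock, returning each state."""
    lock = ProximityLock(**settings)
    return [lock.observe(s) for s in samples]

# Constructed readings: at desk, one dropped scan, walking away, coming back.
SAMPLES = [-52, -55, None, -58, -80, -88, None, -50, -48]

if __name__ == "__main__":
    print(replay(SAMPLES))                # tolerates a single dropped scan
    print(replay(SAMPLES, max_missed=1))  # locks on the first missed scan
```

Setting `max_missed=1` gives the "immediately locked" behaviour described above, at the cost of locking on a single dropped scan.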

References

GOODIN, D. (2017, 09 12). Billions of devices imperiled by new clickless Bluetooth attack. Retrieved from Ars Technica: https://arstechnica.com/information-technology/2017/09/bluetooth-bugs-open-billions-of-devices-to-attacks-no-clicking-required/
Mitnick, K. (2017). The Art of Invisibility: The World's Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data. Little, Brown and Company.

