KNOB turns up the heat on Bluetooth encryption, hotels leak guest info, city hands $1m to crook, and much, much more
Spec design flaw stiffs security of gizmos
Roundup Let's run through all the bits and bytes of security news beyond what we've already covered. Also, don't forget our articles from this year's Black Hat, DEF CON, and BSides Las Vegas conferences in the American desert.
KNOB opens door to Bluetooth snooping: Microsoft's Patch Tuesday dump included the disclosure of a security flaw in the Bluetooth protocol. The design blunder affects more than just Microsoft products, though: it is at the heart of the Bluetooth specification. The flaw therefore affects any gear using Bluetooth chipsets that implement the standard; more than 14 such vulnerable chips have been identified, including parts from Intel, Broadcom, Apple, and Qualcomm.
The security hole is dubbed Key Negotiation of Bluetooth, or KNOB for short – and even though we've thought long and hard about making jokes about this, sadly, we've come up with nothing. It involves a shortcoming in the process that two devices use to establish a secret key between themselves to encrypt data exchanged over the air. It is possible for a nearby miscreant-in-the-middle to force a pair of gadgets to agree on a key with only 8 bits of entropy, allowing the wireless snooper to decrypt their subsequent communications using brute force.
Boffins Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen described [PDF] their eavesdropping technique in a paper presented at the USENIX Security Symposium in the US this month. CMU CERT explained how the method using the "Alice and Bob" key analogy:
To establish an encrypted connection, two Bluetooth devices must pair with each other and establish a link key that is used to generate the encryption key. For example, assume that there are two controllers attempting to establish a connection: Alice and Bob. After authenticating the link key, Alice proposes that she and Bob use 16 bytes of entropy. This number, N, could be between 1 and 16 bytes. Bob can either accept this, reject this and abort the negotiation, or propose a smaller value.
An attacker, Charlie, could force Alice and Bob to use a smaller N by intercepting Alice's proposal request to Bob and changing N. Charlie could lower N to as low as 1 byte, which Bob would subsequently accept since Bob supports 1 byte of entropy and it is within the range of the compliant values. Charlie could then intercept Bob's acceptance message to Alice and change the entropy proposal to 1 byte, which Alice would likely accept, because she may believe that Bob cannot support a larger N. Thus, both Alice and Bob would accept N and inform the Bluetooth hosts that encryption is active, without acknowledging or realizing that N is lower than either of them initially intended it to be.
And the upshot of all that?
An unauthenticated, adjacent attacker can force two Bluetooth devices to use as low as 1 byte of entropy. This would make it easier for an attacker to brute force as it reduces the total number of possible keys to try, and would give them the ability to decrypt all of the traffic between the devices during that session.
Oops. That's pretty upsetting. It means nearby miscreants can potentially snoop on or tamper with Bluetooth connections to keyboards, speakers, and other gizmos. Thus far, though, the vulnerability has only been exploited in the lab, according to the Bluetooth specification folks. However, it would be wise to install patches for your gadgets as they become available. Microsoft and Apple have both released fixes for their products to thwart KNOB attacks – the official solution being to enforce a "minimum encryption key length of 7 octets [seven bytes] for BR/EDR connections," according to the Bluetooth team. Expect more from other vendors, hopefully.
"The attacking device would need to intercept, manipulate, and retransmit key length negotiation messages between the two devices while also blocking transmissions from both, all within a narrow time window," the Bluetooth spec people noted. "If the attacking device was successful in shortening the encryption key length used, it would then need to execute a brute force attack to crack the encryption key."
In brief... Someone at DEF CON has told of how they set their vehicle license plate to NULL – and has been slapped with strangers' traffic tickets whenever police officers leave that field blank in citations... The TP-Link M7350 4G hotspot has various command-injection vulnerabilities, found using the NSA's Ghidra toolkit, and you should update yours now... A Black Hat presentation talked people through the exploitation of Samsung's Arm TrustZone code... Another Black Hat talk revealed the insides of Apple's T2 security chip... Thousands of cars were exposed to hackers thanks to a remote-start app.
An out-of-nowhere hit at DEF CON was the O.MG cable, and its sibling DemonSeed, which appears to be a USB cable yet it can be controlled wirelessly to take control of the connected device or laptop. We've seen these sorts of stealth cables before but none quite so normal looking. They sold out at DEF CON, and more are promised from the Hak5 store.
And Apple strangely broke a security patch it earlier released for iOS 12.3, allowing a jailbreak to now work with iOS 12.4.
Choice chopped by open server: Choice Hotels is the latest organization to be stung by a poorly configured cloud database. It was revealed this month that some 700,000 Choice hotel guest records were left in a MongoDB instance exposed to the public internet.
Open-cloud-bucket hunter Bob Diachenko sniffed out the leak and notified the biz, which said that the exposed archive included records containing names, email addresses, and phone numbers among other things. It is understood hackers accessed the server, scrambled the data, and demanded that Choice pay a ransom of $3,850 or so (depending on the price of Bitcoin) to restore the info. No word on whether that demand will be met.
Dating apps risk hooking up with stalkers: Mobile dating apps are sharing a dangerous amount of personal information with the general public, according to a report from Pentest Partners.
The Brit infosec outfit estimates as many as 10 million users could be prone to having their whereabouts tracked thanks to the locating features offered by dating apps. As the report notes, this is particularly dangerous for members of the LGBT+ community who could find the tools used to target and harass them. The team recommends developers make the apps less precise in their locations, and give lonely-hearts the ability to tag themselves rather than use GPS.
GitLab has pushed out version 12.1.6, 12.0.6, and 11.11.8 of the repository management project, mitigating three critical security flaws, our pals at software-engineering sister site DevClass report.
Credit Karma glitch sends strangers' report data: A website glitch at credit-monitoring service Credit Karma appears to have caused an accidental exposure of some user records. TechCrunch reported that a number of users on Reddit and other public forums complained that when they asked for their own credit reports, they were instead shown those of other users on the site. This is annoying on its own, but since we are talking about personal credit reports, it is also an exposure of sensitive personal data.
Credit Karma has since fixed the issue, which sounds like a classic caching cock-up. No word on just how many people had their records shared with strangers.
Lenovo patches EOP bug: Sorry to bear the bad news, but your patching duties might not be done if you use or administer some Lenovo notebooks. The Chinese computing giant said that it had fixed an information disclosure vulnerability in one of the hardware controllers in Thinkpad notebooks that can potentially lead to firmware tampering and an escalation of privileges. This isn't considered a huge risk, as you would have to already be in control of the notebook with an administrator account to exploit the flaw, but it is still worth taking a minute or two to install the fix.
Warren wants probe of Equifax's sweetheart settlement: US Senator Elizabeth Warren (D-MA) took some time off the presidential campaign trail to ask America's trade watchdog [PDF] why it struck a settlement deal with disgraced credit monitor Equifax that was so bad many of the affected can't even claim a payout.
"The FTC has the authority to investigate and protect the public from unfair or deceptive acts or practices, including deceptive advertising," Warren writes. "Unfortunately it appears as though the agency itself may have mislead the American public about the terms of the Equifax settlement and their ability to obtain the full reimbursement to which they are entitled."
Danabot malware goes under the microscope: Researchers at Webroot's H3 Collective have done a detailed teardown of Danabot, an online-bank-account-draining nasty that has been circulating for a little over two years. The dissection found that the malware has not only become more sophisticated in targeting victims for account theft, but may also be used as the first step for ransomware infections.
"It continues to evolve its geo targets as more affiliates get added, and has branched out to test ransom functionality," H3 writes. "This change in tactics certainly aligns with other shifts we’ve observed in which criminals are performing more recon upfront to profile a victim’s worth before executing ransomware from a domain controller."
Saskatoon loses $1m to fraud scam: The city of Saskatoon in Canada has admitted it was tricked by an online fraudster.
Officials say someone contacted one of its offices claiming to be a contractor working on a project for the city. The person asked that the account for an outgoing payment be changed to one controlled by the fraudster. As a result, the city said, CAN$1.04m ($780,000, £640,000) in construction bills were sent out to the criminal's account rather than the actual contractor.
"Our focus at this time is on recovery of the funds. We have experts engaged from our internal auditor, the banks affected, and the Saskatoon Police Service," said city manager Jeff Jorgenson. "Additionally we have external and internal experts pouring over financial transactions and processes to do everything reasonably possible to protect the City from any further attacks." ®