Bluetooth, FISA & Backups - November 27th to December 3rd - F5 SIRT - This Week in Security
Hello again, Kyle Fox here. This week we start out with some Bluetooth issues, no not those, and recent work in privacy legislation as well as a note on backups.
Bluetooth Discovery Spam
Over the weekend one of the largest furry conventions in the world took place in the very small city of Rosemont, Illinois, nestled in between Chicago and ... Chicago. Even before the convention had started, people were getting hundreds of notifications on their phones about nearby Bluetooth devices, sometimes locking up phones and making them unusable. For me it was a repeat of the same thing at a previous convention a month prior, and something I had heard of happening to people at DEF CON.
So what was going on? Bluetooth LE added various beacons to the protocol; one of them is the Bluetooth advertisement, which announces a device that is available to pair with, along with its name and capabilities. Most Apple and Android phones, when they see such an advertisement, pop up a dialog offering to pair with that device. What can go wrong?
Well, as we saw at DEF CON, a lot can go wrong. The researcher behind the DEF CON use of this attack described it in detail on their blog, and later created a Flipper Zero implementation of it. Since then we have seen the attack ported to Android devices, and it seems to show up in the wild more and more. The researcher says they had described the genesis of this attack in November 2022 in a YouTube video about spoofing AirTags, which use a similar beacon, and had reported it to Apple. Since the attack, Apple has released iOS 17.1.1, which reduced the issues caused by it, but issues still remain.
One question that kept coming up at the above-mentioned furry convention is whether this violates FCC rules or laws against hacking. As a non-lawyer familiar with the thresholds for prosecuting both, I think it does neither. From the FCC perspective, it does not jam the Bluetooth spectrum or even congest it much at all; at the protocol level it does not even cause a problem. The problem exists at the user interface level on Android and Apple devices, with the attack generating too many notifications for users to effectively use their devices, and sometimes so many that the devices crash. On the hacking side, we typically see those prosecutions use the Computer Fraud and Abuse Act, which on a simplistic level requires the attacker to access a protected computer without authorization or in excess of their authorization. Since this attack does not actually access anything, it would be hard to argue that it violates the CFAA.
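To make the user-interface-level point concrete, here is an added example (an illustration written for this page, not code from the researcher, Apple or Google) of how a phone's pairing-prompt logic could budget prompts so that a flood of advertisements stops being a denial of service. The cooldown and window values are assumed, and the sample traffic is constructed.

```python
from collections import deque


class PairingPromptThrottle:
    """Hypothetical UI-level throttle for pairing prompts raised by BLE advertisements.

    The radio keeps receiving advertisements unchanged; only prompts shown to the
    user are budgeted, since the notifications, not the airtime, do the damage.
    """

    def __init__(self, per_device_cooldown=60.0, window=10.0, max_prompts=3):
        self.per_device_cooldown = per_device_cooldown  # seconds before the same address may prompt again
        self.window = window                            # sliding window length in seconds
        self.max_prompts = max_prompts                  # prompts allowed per window, any address
        self.last_prompt = {}                           # address -> time of its last prompt
        self.recent = deque()                           # times of prompts shown inside the window
        self.suppressed = 0                             # advertisements that were not allowed to prompt

    def offer(self, t, address, name):
        """Return True if the advertisement (address, name) seen at time t may prompt."""
        # Expire prompt timestamps that have left the sliding window.
        while self.recent and t - self.recent[0] > self.window:
            self.recent.popleft()
        # A device re-advertising within its cooldown does not prompt again.
        last = self.last_prompt.get(address)
        if last is not None and t - last < self.per_device_cooldown:
            self.suppressed += 1
            return False
        # The global budget also caps a flood that rotates through fresh addresses.
        if len(self.recent) >= self.max_prompts:
            self.suppressed += 1
            return False
        self.recent.append(t)
        self.last_prompt[address] = t
        return True


def demo():
    """Constructed sample: one real headset, then a 200-advertisement flood.
    Returns (prompts shown, advertisements suppressed)."""
    th = PairingPromptThrottle()
    shown = [th.offer(0.0, "aa:bb:cc:dd:ee:01", "Headset")]
    for i in range(200):  # every flood packet has a fresh address and spoofed name
        addr = "c0:ff:ee:00:%02x:%02x" % (i // 256, i % 256)
        shown.append(th.offer(1.0 + i * 0.01, addr, "Spoofed device %d" % i))
    shown.append(th.offer(30.0, "aa:bb:cc:dd:ee:01", "Headset"))   # still in cooldown
    shown.append(th.offer(100.0, "aa:bb:cc:dd:ee:02", "Speaker"))  # window clear again
    return sum(shown), th.suppressed
```

With these settings the flood yields three prompts in total and 198 suppressed advertisements, while a genuinely new device after the window clears still prompts.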
Another issue identified was this attack's interference with medical devices; one Twitter/X user reported that this attack interferes with insulin pumps and blood sugar meters. Although in discussion in the chats for the con it turned out that the issue with that particular insulin pump was that the user's phone crashed and they could not adjust the settings on the pump until they were able to reboot the phone (which can be hard to figure out when you don't know how and can't search for how to do it because, well, your phone is crashed), I have heard of other pumps that had pump-side crashes. I also heard of hearing aids muting randomly and so on. The way the hearing aid issue was described, I wondered if it was related to this attack at all, or was a result of the massive number of people in the area.
This drives home a point that I make every time some manufacturer wants to add Bluetooth to a life-critical device: the device should be tested to make sure it continues to work correctly when the Bluetooth portion crashes, and the Bluetooth portion should only talk to the rest of the device in a well-defined and restricted manner, so that attacks on Bluetooth, or simply being in a room with thousands of Bluetooth devices, do not turn into a big issue for the user. I also think that users of these devices should report these crashes and unusual behavior to the manufacturers, so that they know about these issues and can work to correct them.
So, how do you turn this stuff off? On Apple devices, the Control Center toggle does not actually turn off Bluetooth.
On iPhone or iPad: turn off Bluetooth from the Settings app -> Bluetooth, not just from the Control Center.
On Android: on your phone or tablet, open the Settings app.
Tap Google, then Devices & sharing, then Devices, and then turn off Scan for nearby devices.
Sen. Wyden Puts His Foot Down on NSA Use of Third-Party Data
Senator Ron Wyden from my home state of Oregon continues to champion digital privacy. This time he is holding up the confirmation of the new National Security Agency director, Lieutenant General Timothy Haugh, until the NSA answers yes or no on whether it buys people's online data from online services and data brokers. Wyden has long argued that government agencies buying this data constitutes a warrantless search in violation of the Fourth Amendment of the US Constitution.
This procedural holdup comes as Congress is set to debate FISA Section 702, which is used to gather intelligence on non-US persons who are outside the US. But as many have seen from previous disclosures, the FISA provisions are sometimes abused to gather data in a way that scoops up data about US citizens in the United States as well. The various proposed revisions to FISA Section 702 range from a privacy-strong proposal from Senator Wyden to a more intelligence-friendly version introduced by Senators Marco Rubio of Florida and Lindsey Graham of South Carolina. Since this FISA section is set to expire at the end of the year, the pressure to pass a reauthorization is on.
Google Drive Loses Data?
Due to an issue with Google Drive for Desktop, some people were seeing files being deleted by the sync process. After investigation, Google has a solution for users that experienced this issue.
This incident serves as another warning that sync processes are a double-edged sword: while they keep your changes to your files in sync between different places, they can stomp on data or delete files unintentionally, especially when a mistake is made in the logic that decides which side of the sync is more current, or when the software does not check for wildly inaccurate system time. The moral of the story is that online sync of your files does not serve as a backup, and you should consider offline local backups, and potentially cloud backups, that are separate from the synced file or document service you are using.
I don't really have any personal solutions that win out, I prefer collecting files that will be deleted in a folder for some time before deleting them, and only deleting files that are excess cruft. My offline backups consist of just plain hard drives in a safe for voluminous data, and I still use IronKeys for backing up critical files, encrypted password archives and keys I need to keep forever. I am omitting discussion of my work computers for opsec reasons.
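As an added illustration of the two sync failure modes named above (the "which side is newer" decision and untrusted system time) together with the holding-folder habit, here is a per-file sync decision function written for this page; it is not Google Drive's logic, and the skew threshold, action names and sample timestamps are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed threshold: a modification time more than a day ahead of the local clock
# means some clock is wrong, so timestamps cannot be trusted to pick a winner.
MAX_CLOCK_SKEW = 24 * 3600


@dataclass
class FileState:
    mtime: float  # last-modified time, seconds since the epoch, as that side reports it


def decide(local: Optional[FileState], remote: Optional[FileState],
           now: float, last_sync: float) -> str:
    """Pick one action for a path: push, pull, quarantine, hold or noop.
    'quarantine' moves the surviving copy to a holding folder instead of deleting it;
    'hold' stops and asks the user because the timestamps cannot be trusted."""
    stamps = [s.mtime for s in (local, remote) if s is not None]
    # Check 1: clock ran backwards since the last sync, or a timestamp is far in the future.
    if now < last_sync or any(m > now + MAX_CLOCK_SKEW for m in stamps):
        return "hold"
    if local is None and remote is None:
        return "noop"
    # Check 2: a file missing on one side is a deletion only if the surviving copy
    # predates the last sync; a newer surviving copy was created, not deleted.
    if local is None:
        return "pull" if remote.mtime > last_sync else "quarantine"
    if remote is None:
        return "push" if local.mtime > last_sync else "quarantine"
    if local.mtime == remote.mtime:
        return "noop"
    # Check 3: edits on both sides since the last sync are a real conflict;
    # "newest wins" must not silently discard one of them.
    if local.mtime > last_sync and remote.mtime > last_sync:
        return "hold"
    return "push" if local.mtime > remote.mtime else "pull"


def run_sample():
    """Constructed cases for a sync whose last successful pass was an hour ago."""
    now = 1_700_000_000.0
    last = now - 3600
    return {
        "edited_locally": decide(FileState(now - 10), FileState(now - 7200), now, last),
        "deleted_locally": decide(None, FileState(now - 7200), now, last),
        "new_on_remote": decide(None, FileState(now - 10), now, last),
        "future_mtime": decide(FileState(now + 10 * 86400), FileState(now - 7200), now, last),
        "clock_went_back": decide(FileState(now - 10), FileState(now - 20), last - 100, last),
        "both_changed": decide(FileState(now - 10), FileState(now - 20), now, last),
    }
```

A plain "newest timestamp wins" rule would happily delete the local copy in the "deleted_locally" case and overwrite good data in the "future_mtime" case; the checks above turn both into a quarantine or a question to the user.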
Let's start out this roundup with the YouTube recommendation for the week: it is J. Kenji López-Alt. Kenji is a food writer for a number of outlets and has written a number of books. I liked his NYT writeup on the lesser-known Chicago thin crust pizza and its accompanying video. Some people might wonder about this recommendation, but I always say hacking is a mindset, and the technology being hacked can indeed be food.
IKEA has released a line of smart home sensors; as the crawlspace in my house recently flooded, I am happy to see one is a leak detector.
Red Hat is shipping both Xorg and Wayland in RHEL 10.
The DMCA is still being used in weird ways, this time against a browser in the Google Play store.
Chipmaker NXP had its internal documents stolen over a period of two years by hackers.
OpenAI has Sam Altman back in charge with a new board.
Also, that other Bluetooth vulnerability: New BLUFFS attack allows an attacker to derive keys to a Bluetooth connection.
Published Dec 07, 2023, Version 1.0