Security Bits Logo no alpha channel

Security Bits — 23 February 2020

Feedback & Followups

Deep Dives

Deep Dive 1 — The Sweyntooth Bluetooth Bugs

Security researchers have released details on a whole family of loosely related BlueTooth bugs which they’ve named after Sweyn, the son of the Danish king Harold Bluetooth, after whom the wireless standard is named (and who’s rune is used as the Bluetooth icon).

These bugs exist in the firmware for countless Bluetooth devices, and their effects vary from locking up the devices or forcing them to reboot all the way to full security bypasses allowing unauthorised pairing and full control of the devices and access to all data stored on them. Thankfully all these bugs require attackers to be within Bluetooth range of vulnerable devices.

At the root of the problem are a host of similar bugs in the Software Development Kits (or SDKs) provided by at least seven system-on-a-chip (SOC) vendors to allow Bluetooth device manufacturers build firmwares for their devices.

Imagine you want to build a Bluetooth headset. You would source a Bluetooth SOC, then you would write the firmware for your device, and you would do that using an SDK provided to you by the company that makes the SOC you have chosen to use. If you used a vulnerable SDK you would need to update your copy of the SDK, re-build your firmware, then make it available to all your customers.

The good news is that security researchers have been working with vendors since last summer to responsibly disclose the bug and get patches out, but that can only possibly help protect users of devices that actually get firmware updates, and even then, many devices have no mechanism for alerting users that an update exists, so many potential updates will never get applied. The inevitable end result will be millions of vulnerable Bluetooth devices out there for years to come 🙁

One important silver lining here is that the more high-end and advanced the device, the more likely it is to get patched. This won’t be a problem for things like high-end smartphones under active support, or high-end headphones like Air Pods. Instead, it’s going to be a bigger issue for cheaper less advanced devices, and they are less likely to be involved with very sensitive information.

What can you do to protect yourself? You can’t practically protect yourself fully, but you can limit your exposure by:

  • Only buying Bluetooth devices from reputable firms.
  • Installing all firmware updates available.
  • Being aware that anything you do over a Bluetooth you don’t know has been properly secure could well be insecure.

Link

Deep Dive 2 — More Malware on Macs than Windows? Really?

AV vendor Malware bytes made a big splash when they released a report stating they had blocked more malware per-end-point on Macs than PCs in 2019.

The problem with this approach is that it inherently assumes that all threats are equal — that plugin that injects ads into your browser is the same as ransomware that encrypts all your files and extorts you for millions!

Unsurprisingly, what we find is that the problems affecting Mac users are generally self-inflicted, being trojans rather than viruses or worms and that Apple’s default settings and protections would protect users just as well as an AV product does!

This story isn’t the paradigm-shifting change the headlines might have led you to believe. I’ve not changed my calculus on running AV on Macs — I don’t, and I don’t recommend others do either. AV runs at a very high privilege level and is very complex code — that’s a really dangerous mix for introducing security vulnerabilities. IMO the risks posted by running AV on Macs still out-weight the very small potential benefits. Much more important is to keep the default settings preventing the execution of unsigned apps and enabling automatic updating of XProtect settings from Apple daily.

Links

❗ Action Alerts

Worthy Warnings

Notable News

Top Tips

Excellent Explainers

Interesting Insights

Palate Cleansers

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a pay-wall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

Leave a Reply

Your email address will not be published.

Scroll to top