
Security Bits — 10 December 2023

Feedback & Followups

Deep Dive 1 — A Raft of Un-Patched Vulnerabilities

The remarkable thing about the last two weeks' worth of news is the sheer number of un-patched vulnerabilities that were published (probably not a coincidence, given that the Black Hat Europe conference was held recently).

What all these vulnerabilities have in common is that we need to be aware that these risks now exist, and there is no patch yet, so we need to make pro-active choices to accept the risks or alter our behaviour. Thankfully, for all these vulnerabilities I think it is perfectly reasonable for regular home users to choose to accept these risks and carry on as they were, but those who work with sensitive data, in sensitive industries, or who are likely to be targeted by powerful attackers need to think much more carefully.

Two Bluetooth Problems

The first Bluetooth-related problem to make the news is a collection of vulnerabilities that have been collectively named BLUFFS. These vulnerabilities can be used to break the security of Bluetooth connections by allowing an attacker to inject their device into the middle of a Bluetooth connection, i.e. classic Adversary in the Middle (AiTM) attacks (formerly poorly named Man in the Middle, as if there were human males instead of devices doing the eavesdropping!).

The problems are with the Bluetooth spec itself, not with any particular implementation, so the problem affects all Bluetooth devices that support versions 4.2 to 5.4 (the latest) of the spec.

The solution is for vendors to update their firmware/drivers so as to stop supporting the problematic parts of the spec. That’s going to take time, and lots of devices will never get fixed.

The saving grace here is that attackers need to be within Bluetooth range to use these attacks, so the average person’s exposure is very low.

If you’re in any way at risk, you need to avoid sending any sensitive data across Bluetooth. Bluetooth headsets are an obvious exposure to this risk, so consider switching to a wired headset until BLUFFS has been dealt with. Another approach would be to turn off Bluetooth when you’re in public.

You can read more about BLUFFS here: New BLUFFS attack lets attackers hijack Bluetooth connections — www.bleepingcomputer.com/… & New Bluetooth flaws could let an attacker steal wireless communications — appleinsider.com/…

Just a few days ago an entirely separate Bluetooth bug emerged, but it has no cool name, so it’s just known as CVE-2023-45866. This bug is a more traditional implementation problem rather than a problem with the spec itself, so vendors will be able to fix it, but it seems they’re not in any hurry to do so. For now, the problem exists in Android, iOS, Linux & macOS.

The bug lets an attacker bypass authentication to silently pair a malicious device with the target device and have that device be seen by the victim OS as a keyboard, allowing the attackers to literally inject code!

At the moment this even works against iPhones with Lockdown Mode enabled!

As with the other Bluetooth bug, the attacker needs to be within Bluetooth range, so the only defence for at-risk people until patches are released is to turn off Bluetooth while out and about in public places.

Note that the keystrokes are not invisible, so just watching out for mystery characters appearing is probably enough of a defence for most!

Read more: New Bluetooth Flaw Let Hackers Take Over Android, Linux, macOS, and iOS Devices — thehackernews.com/… & If you’re using a Magic Keyboard, you’ve opened up an attack vector — appleinsider.com/…

LogoFAIL — A flaw in Many UEFI Firmwares

Security researchers found that many motherboard vendors ship UEFI firmware that bundles out-of-date versions of image processing libraries, and that persistent malware can be loaded into these computers via a malicious logo file.

Unfortunately the problem is wide-spread:

“The flaws affect all major IBVs (Independent BIOS Vendors) like AMI, Insyde, and Phoenix as well as hundreds of consumer and enterprise-grade devices from vendors, including Intel, Acer, and Lenovo, making it both severe and widespread.”

(I’ve not seen Apple listed as affected anywhere.)

What makes these attacks extra dangerous is that cryptographic protections like Secure Boot & Intel Boot Guard don’t include logo files in their integrity checks, so this malware won’t trigger any boot errors, and because the malware is in the firmware, it will survive even a nuke-and-pave reinstall of the OS.

While vendors will patch these problems and issue driver and firmware updates, older boards are unlikely to get fixed, and very few users actually apply updates for their motherboards, so there are likely to be many vulnerable PCs for a long time.

To trigger this bug an attacker needs to get malware to run on the targeted PC to write the malicious logo into UEFI’s storage area, so the best defence is definitely prevention — good old AV and common sense to stop any malware from running, and to stop you from being tricked into installing a Trojan are the best we can do to protect ourselves, at least for now.

More information: LogoFAIL: UEFI Vulnerabilities Expose Devices to Stealth Malware Attacks — thehackernews.com/…

SLAM Another Speculative Execution Bug, This One Affecting Future CPUs!

At this stage another speculative execution bug hardly seems like news, but this one is a little special in that it exploits a very new technology that’s only just begun to be rolled out on a few AMD CPUs, and has yet to be released on Intel CPUs.

The fix seems to be for app developers to avoid the vulnerable feature in the parts of their code that handle secure content. A lot of speculative execution fixes rely on developers/compilers to avoid certain optimisations in sensitive parts of their code, while allowing other parts of their code to benefit from the speedups offered by speculative execution.

For now, it’s developers and OS vendors that need to worry about this, not regular users, but it is noteworthy that there is still no end in sight to this problem.

Read more: New SLAM attack steals sensitive data from AMD, future Intel CPUs — www.bleepingcomputer.com/…

5Ghoul 5G Bugs in Qualcomm & MediaTek Chips

A collection of bugs has been found in popular 5G chips that could allow an attacker to disconnect victims from 5G. Some of the bugs cause the 5G chips to lock up until the device is rebooted; others cause the chips to downgrade the user to 4G, which has lots of known weaknesses.

At least for now, none of the attacks can trigger any kind of remote code execution, so this is just denial of service. As we know, attacks only get better over time, so remote code execution could become possible in future, but for now, this is most likely to be nothing more than an inconvenience.

Read more: New 5Ghoul attack impacts 5G phones with Qualcomm, MediaTek chips — www.bleepingcomputer.com/…

AutoSpill Password Manager Bug in Android

All password managers that use the built-in Android APIs for password managers can be tricked into leaking passwords by malicious apps. This includes big-name password managers like 1Password, LastPass, KeePass & Keeper.

The vendors are all working on workarounds, and there is sure to be a fix in Android itself soon too, but for now, there is no fix.

The key point is that this flaw can only be attacked by malware running on the device, so the best protection from having malware steal your password is not to install the malware on your device in the first place!

Read more: AutoSpill attack steals credentials from Android password managers — www.bleepingcomputer.com/…

Deep Dive 2 — A Whole New Spying Vector

Thanks to a public letter from Oregon Senator Ron Wyden, we now know that the US government has been forcing Apple & Google to hand over push notification data to US law enforcement, and to do so under a gag order because the program was secret.

The metadata around push notifications can be very revealing, with one of its biggest features being its ability to link supposedly anonymous IDs on other services to an Apple ID, and hence, to a specific person.

Apart from us now knowing this is happening, the second biggest outcome is that Apple and Google are now freed from the gag order because there is no secret to keep anymore, and both have promised to include details of these kinds of requests in future transparency reports.

One interesting detail is that Apple and Google had differing policies around these requests — Apple just required a subpoena, which does not always need approval from a judge, but Google required a court order, which does.

Links:

❗ Action Alerts

Worthy Warnings

  • WordPress security specialists WordFence are warning of a new spear-phishing tactic being directed at WordPress site owners – fake emails pretending to be from ‘The WordPress Security Team’ warning you of a supposed vulnerability in a plugin, and offering a download link to a malicious plugin which installs a backdoor that allows the hackers to completely take over the site — www.wordfence.com/…

Notable News

Palate Cleansers

  • From Bart: An episode of the Compiler podcast from Red Hat that seems very relevant to the NosillaCast audience – advice on how to keep learning: Compiler: Continuing Education — overcast.fm/…
  • From Allison: 1984 Radio Shack commercial – a “fully portable cell phone for only $2500!” In 2023 dollars that would be $7400. www.tiktok.com/…

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
A link to graphical content, probably a chart, graph, or diagram.
A story that has been over-hyped in the media, or, “no need to light your hair on fire”
A link to an article behind a paywall.
A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
A tip of the hat to thank a member of the community for bringing the story to our attention.
