Wednesday, July 25, 2018

Bluetooth security: Flaw could allow nearby attacker to grab your private data


Here’s a potentially serious vulnerability affecting Bluetooth that could lead to leaks of private data from Apple, Google and Intel-based smartphones and PCs. Patches are being made available, so concerned users should update where they can. Millions, if not hundreds of millions or billions, of devices are likely affected.

A cryptographic bug in many Bluetooth firmware and operating system drivers could allow an attacker within about 30 meters to capture and decrypt data shared between Bluetooth-paired devices.

From Intel's explanation:
A vulnerability in Bluetooth(R) pairing potentially allows an attacker with physical proximity (within 30 meters) to gain unauthorized access via an adjacent network, intercept traffic and send forged pairing messages between two vulnerable Bluetooth(R) devices. This may result in information disclosure, elevation of privilege and/or denial of service.
As BleepingComputer explains, Bluetooth-capable devices are not sufficiently validating encryption parameters in "secure" Bluetooth connections, leading to a weak pairing that an attacker can exploit to obtain data sent between the two devices.
According to the Bluetooth Special Interest Group (SIG), it is not likely that many users were impacted by the vulnerability.
For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure. The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgment to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful.
Both Bluetooth and Bluetooth LE are affected. Apple has already introduced a fix for the bug on its devices (in macOS High Sierra 10.13.5/10.13.6, iOS 11.4, tvOS 11.4, and watchOS 4.3.1), so iOS and Mac users do not need to worry. Intel, Broadcom, and Qualcomm have also introduced fixes, while Microsoft says its devices are not affected.

Devices containing Bluetooth from a range of vendors—including Apple, Intel, Broadcom and Qualcomm—are all affected. That’s according to a warning from the U.S. Computer Emergency Response Team, run out of the Carnegie Mellon Software Engineering Institute. It described a vulnerability that was the result of a missing check on keys during the process of encrypting data sent over Bluetooth connections. More specifically, it was a missing validation in the key-agreement method used by Bluetooth pairing, known as the “Diffie-Hellman key exchange.”
Ultimately, the error means that a hacker who is within Bluetooth range of an affected device could get the keys needed to reveal what’s supposed to be encrypted data “with high probability,” the U.S. CERT said. The hacker could then intercept and decrypt all messages sent over Bluetooth. This would include whatever data the app or device is sending via Bluetooth. That could be something as innocuous as notifications, though in the worst-case scenario it could include security codes such as those used in two-factor authentication, warned Bluetooth security expert Mike Ryan.

There are a lot of affected technologies. As Lior Neumann, one of the two Israeli researchers who found the bug, explained to Forbes in an email: “As far as we know every Android—prior to the patch published in June—and every device with wireless chip of Intel, Qualcomm or Broadcom is vulnerable.”

Where are the fixes?
Apple issued fixes back in May with the release of iOS 11.4 and in supported macOS versions in June. For those who haven’t updated, Neumann warned: “Every iPhone device with a Broadcom or Qualcomm chip is inherently vulnerable.” That would include the latest iPhone 8 and X models.
Google hadn’t returned a request for comment, though the Android Open Source Project (AOSP) has released a patch, according to Neumann. Two Android vendors, Huawei and LG, say they have patched the vulnerability. Forbes couldn’t find evidence of patches from other major Android manufacturers, like Samsung and HTC, however.
Broadcom said: "We have made relevant fixes available to our OEM customers, who may release them in their software updates to end users." Intel, meanwhile, said it was "developing and validating Bluetooth software updates that address the issue for affected Intel products. Intel recommends that customers deploy available updates as soon as possible." Qualcomm said it had sent out patches too.
The Bluetooth SIG, an organization that develops the Bluetooth standard, released an update that should help guide manufacturers towards a patch. It ensures checks on those crucial keys are made correctly. Despite the patch, the Bluetooth SIG sought to downplay the severity of the vulnerability, noting that an attacker would have to be within range of two vulnerable devices—one was not enough to snoop on data passed between them.
But Neumann told Forbes the attacks “should be relatively simple to carry out.” Full technical details on the attacks were in a white paper from the Technion Israel Institute of Technology, Neumann added.
It may take some time for the Broadcom, AOSP or Bluetooth SIG patches to make it out to the myriad Android models on the market, warned professor Alan Woodward, a security expert from the University of Surrey.
“It’s about how long it takes to get the updates out there for the vendors,” Woodward said. “It’s a good example of why simply complying with a specification isn’t always proof that something is secure.”

Broken Windows
While Microsoft wasn’t included on the list of affected companies, Neumann said Windows was vulnerable to older Bluetooth attacks. He noted that Windows did not support Bluetooth version 4.2 and is vulnerable to an eavesdropping attack on Bluetooth 4.0.
Ryan said Neumann was right. But Ryan noted that both the old and new attacks could only happen when the devices first pair. “Think of when you get a new Bluetooth headset: You pair it and then your phone remembers the headset forever. If the attacker isn’t there when you first pair, they can’t decrypt any data.”
Microsoft, however, said Windows 10 had been updated to include support for Bluetooth 4.2. But a spokesperson didn't mention other, older versions of Windows.


Wednesday, July 4, 2018

New LTE attacks can reveal accessed websites, direct victims to malicious sites

If your mobile carrier offers LTE, also known as the 4G network, you need to beware as your network communication can be hijacked remotely.

A team of researchers has discovered some critical weaknesses in the ubiquitous LTE mobile device standard that could allow sophisticated hackers to spy on users' cellular traffic, modify the contents of their communications, and even re-route them to malicious or phishing websites.

LTE, or Long Term Evolution, is the latest mobile telephony standard used by billions of people designed to bring many security improvements over the predecessor standard known as Global System for Mobile (GSM) communications.

However, multiple security flaws have been discovered over the past few years, allowing attackers to intercept users' communications, spy on phone calls and text messages, send fake emergency alerts, spoof the device's location, and knock devices entirely offline.

4G LTE Network Vulnerabilities


Now, security researchers from Ruhr-Universität Bochum and New York University Abu Dhabi have developed three novel attacks against LTE technology that allowed them to map users' identity, fingerprint the websites they visit and redirect them to malicious websites by tampering with DNS lookups.

All three attacks, explained by researchers on a dedicated website, abuse the data link layer, also known as Layer Two, of the ubiquitous LTE network.

The data link layer lies on top of the physical channel, which maintains the wireless communication between the users and the network. It is responsible for organizing how multiple users access resources on the network, helping to correct transmission errors, and protecting data through encryption.

Of the three, the identity mapping and website fingerprinting attacks developed by the researchers are passive: a spy only listens to the traffic passing over the airwaves between the base station and the target's phone.

The third, a DNS spoofing attack dubbed "aLTEr" by the team, is an active attack: it places the attacker in a man-in-the-middle position, intercepting communications and redirecting the victim to a malicious website by spoofing DNS.

Three new attacks against the LTE 4G wireless data communications technology have been pinpointed by researchers from Ruhr-University Bochum and New York University Abu Dhabi.
All three target the technology’s data link layer protocols and impair the confidentiality and/or privacy of LTE communication.

The attacks

Two of the attacks are passive and one is active.
“We first present a passive identity mapping attack that matches volatile radio identities to longer lasting network identities, enabling us to identify users within a cell and serving as a stepping stone for follow-up attacks,” the researchers explained.
“Second, we demonstrate how a passive attacker can abuse the resource allocation as a side channel to perform website fingerprinting that enables the attacker to learn the websites a user accessed.”
The third attack, dubbed aLTEr, exploits the fact that LTE user data is encrypted in counter mode (AES-CTR) but not integrity protected, and allows attackers to modify the message payload.
The researchers showed how this attack could be used to perform a DNS spoofing attack that redirects targeted users to a malicious (e.g., phishing) website.

They say that the attacks might require too much effort to be aimed at the general public, but highly resourceful attackers (e.g., attackers backed by nation-states) might deploy them to target people of special interest such as politicians or journalists.
The success of the attacks depends on many things: specialized hardware, a customized implementation of the LTE protocol stack, and the attacker being in close proximity to the victim.
“In addition, a controlled environment helps to be successful within an acceptable amount of time,” they noted. “In particular, the use of a shielding box helps to maintain a stable and noise-free connection to the attack setup. Especially the latter cannot be maintained in a real-world situation and more engineering effort is required for real-world attacks.”
More technical details about the attack can be found in the published paper.

What now?

The researchers notified the GSM Association (GSMA) of their findings earlier this year, and it in turn informed network providers and the 3rd Generation Partnership Project (3GPP), the specification body responsible for the development and maintenance of LTE, related 4G standards, and the 5G standards.
The researchers have put forward countermeasures for the attacks, but one of them (specification update) is unlikely to be practical, as the implementation of all devices would have to be changed.
Another one involves using correct parameters for HTTPS to prevent the redirection to a malicious website.
Even 5G is not immune to the aLTEr attacks, the researchers pointed out.
“The use of authenticated encryption would prevent the aLTEr attack, which can be achieved through the addition of message authentication codes to user plane packets. However, the current 5G specification does not require this security feature as mandatory, but leaves it as optional configuration parameter.”
5G technology is just beginning to be introduced by cellular network providers and it will take the rest of the world many years to catch up. In the meantime, we’re stuck with the insecure LTE 4G standard.
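The two passages above describe the core of aLTEr (user-plane data encrypted in counter mode but not integrity protected, so a man-in-the-middle can modify the payload) and the countermeasure the researchers name for 5G (a message authentication code on user-plane packets). The script below is an added illustration and is not code from the article or the researchers. It substitutes an HMAC-SHA256-based keystream for AES so that it runs on the Python standard library alone; the malleability it shows is a property of counter mode itself (ciphertext is plaintext XOR keystream), not of the block cipher. The packet layout, key, nonce and addresses are constructed for the example.

```python
# Added example: counter-mode malleability, and how an encrypt-then-MAC
# construction (authenticated encryption) detects the same modification.
import hmac
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: PRF(key, nonce || counter) blocks, truncated to length.
    (HMAC-SHA256 stands in for AES here; the structure is the same.)"""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


ctr_decrypt = ctr_encrypt  # XOR is its own inverse


def flip_known_bytes(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Malleability of counter mode: XOR-ing (old ^ new) into the ciphertext at a
    position whose plaintext is known changes the decrypted bytes from old to new.
    No key is needed, only knowledge of the protocol field at that offset."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the field length")
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def derive_keys(master: bytes):
    """Separate encryption and MAC keys from one master key."""
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())


def seal(master: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    enc_key, mac_key = derive_keys(master)
    ct = ctr_encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(master: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject on mismatch."""
    enc_key, mac_key = derive_keys(master)
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: packet modified in transit")
    return ctr_decrypt(enc_key, nonce, ct)


# Constructed sample packet: a resolver address at a fixed, predictable offset.
KEY = b"constructed-demo-key-not-secret!"
NONCE = b"\x00" * 8
PACKET = b"dns-server=192.0.2.53;query=example.com"
OFFSET = PACKET.index(b"192.0.2.53")


def demo_unprotected() -> bytes:
    """Plain counter mode: the receiver decrypts the altered address without noticing."""
    ct = ctr_encrypt(KEY, NONCE, PACKET)
    tampered = flip_known_bytes(ct, OFFSET, b"192.0.2.53", b"192.0.2.99")
    return ctr_decrypt(KEY, NONCE, tampered)


def demo_protected() -> bool:
    """With a MAC attached, the identical modification is rejected. Returns True if so."""
    blob = seal(KEY, NONCE, PACKET)
    tampered = flip_known_bytes(blob, OFFSET, b"192.0.2.53", b"192.0.2.99")
    try:
        open_sealed(KEY, NONCE, tampered)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo_unprotected())        # b'dns-server=192.0.2.99;query=example.com'
    print("rejected:", demo_protected())  # rejected: True
```

The encrypt-then-MAC pair `seal`/`open_sealed` plays the role that AES-GCM or ChaCha20-Poly1305 would play in a real stack: the tag binds the ciphertext to the key, so any bit changed in transit fails verification before the payload is ever handed to the DNS client.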


How Can You Protect Against LTE Network Attacks?


The simplest way to protect yourself from such LTE network attacks is to check that the site in your address bar is being served over HTTPS, and to be suspicious when an expected HTTPS site suddenly is not.

The team suggests two exemplary countermeasures for all carriers:

1.) Update the specification: All carriers should band together to fix this issue by updating the specification to use an encryption protocol with authentication like AES-GCM or ChaCha20-Poly1305.

However, the researchers believe this is likely not feasible in practice, as the implementation of all devices must be changed to do this, which will lead to a high financial and organizational effort, and most carriers will not bother to do that.

2.) Correct HTTPS configuration: Another solution would be for all websites to adopt the HTTP Strict Transport Security (HSTS) policy, which would act as an additional layer of protection, helping prevent the redirection of users to a malicious website.

Besides the dedicated website, the team has also published a research paper [PDF] with all the technical details about the aLTEr attack. Full technical details of the attacks are due to be presented during the 2019 IEEE Symposium on Security and Privacy next May.