Security Week 07: Android Bluetooth Stack Vulnerability

The February set of Android security patches closes a vulnerability in the Bluetooth stack (news, Google's bulletin with an overview of the updates). The bug affects Android 8 and 9 (and possibly earlier versions): on an unpatched smartphone an attacker can execute arbitrary code with the privileges of the Bluetooth daemon. All that is required is the device's Bluetooth MAC address and physical proximity to the victim. Android 10 is affected as well, but there the bug only crashes the Bluetooth process without code execution.

The vulnerability was found by the German company ERNW. In a blog post the researchers note the relative ease of the attack, especially if the victim's phone is in discoverable mode. Even without that, the Bluetooth MAC address can be derived from the Wi-Fi module's address: on some smartphones the two differ by only one or two digits. The researchers are not yet disclosing technical details; they plan to publish them later. The fixed code, however, is already available, since it belongs to the open-source part of the Android platform.
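As an added illustration (this is not code from the column or from ERNW's research), here is how the "neighbouring address" guess can be automated. The example assumes that the Bluetooth address lies within ±2 of the Wi-Fi address when both are read as one 48-bit number and that it shares the vendor OUI; both are assumptions of this example, and the sample address is constructed.

```python
# Added example: enumerate candidate Bluetooth addresses from a known Wi-Fi MAC.
# Assumption (not from ERNW's post): the Bluetooth address lies within +/-2 of
# the Wi-Fi address read as one 48-bit number, and shares the same OUI.

def parse_mac(mac: str) -> int:
    """Parse 'AA:BB:CC:DD:EE:FF' or 'AA-BB-CC-DD-EE-FF' into a 48-bit integer."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def format_mac(value: int) -> str:
    """Render a 48-bit integer as colon-separated upper-case hex."""
    return ":".join(f"{(value >> (8 * i)) & 0xFF:02X}" for i in range(5, -1, -1))


def bluetooth_candidates(wifi_mac: str, max_offset: int = 2, same_oui: bool = True) -> list:
    """Return the Bluetooth addresses to try, given the Wi-Fi MAC of the same device.

    Offsets are applied to the whole 48-bit value, so a carry out of the last
    octet is handled. With same_oui=True, candidates whose first three octets
    (the vendor OUI) differ from the Wi-Fi address are dropped, because a carry
    across the OUI boundary would land in a different vendor's block.
    """
    base = parse_mac(wifi_mac)
    oui = base >> 24
    candidates = []
    for offset in range(-max_offset, max_offset + 1):
        if offset == 0:
            continue  # skip the Wi-Fi address itself; the post says the two differ
        value = (base + offset) & 0xFFFFFFFFFFFF  # wrap inside 48 bits
        if same_oui and (value >> 24) != oui:
            continue
        candidates.append(format_mac(value))
    return candidates


if __name__ == "__main__":
    # Constructed sample address, not a real device.
    for addr in bluetooth_candidates("00:11:22:33:44:55"):
        print(addr)
```

The list is only a set of guesses: an attacker would still have to confirm each candidate by actually addressing it, and a device whose Bluetooth and Wi-Fi addresses are not adjacent would not appear in it.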

If the patch has not yet reached your smartphone, or the phone is no longer supported by its manufacturer, ERNW recommends enabling Bluetooth only when necessary, and reminds us that "most wireless Bluetooth headphones can also be connected by cable." That is not quite true: there are headphones with no wired option, and many smartphones no longer have a headphone jack. In some cases this kind of "progress" creates new vulnerabilities for mobile devices.

A serious vulnerability in Citrix network products (Application Delivery Controller and Citrix Gateway) remains unpatched at 19% of customers (news). The vulnerability was discovered by Positive Technologies in December and the patch was released in January, but about 20 thousand companies worldwide (most of them in Brazil, China and Russia) have not installed the update.

Neither the vendor nor the researchers have disclosed details of the vulnerability, but most likely the problem lies in the handling of user input when connecting to the VPN server. Matters are made worse by a public exploit released in early January, and judging by the tweet embedded in the original post, the chances of a successful attack on a vulnerable server are far from zero. Exploitation could give full control of the appliance, or at the very least cause a denial of service.

Another serious vulnerability of the past week was found in the WhatsApp messenger (news). This is the third serious issue in WhatsApp in the last six months, and this time the desktop version is affected, with one interesting limitation. Because WhatsApp on a PC only works "paired" with the messenger on a smartphone, the vulnerability applies if you use the service on the desktop together with an iPhone. This combination allows an attacker to send the user "modified" links to sites that look entirely legitimate. Exploiting the bug in the link-preview system can initiate a malware download or even arbitrary code execution, although the user still has to click on the preview in the system notification to trigger it. The history of the discovery is described in detail in researcher Gal Weizmann's blog post.

What else happened:

An interesting research paper on the safety of autopilots came out. Specialists from Israel have found a way to "fool" Tesla's driver-assistance system by projecting "phantom" images onto the roadway or onto roadside billboards. Depending on the projection, this can make the car accelerate, brake sharply or swerve into the oncoming lane, because the autopilot recognizes the projection as real road markings or a real sign.


By the end of the year Google Chrome will start blocking file downloads over insecure HTTP. Executable files will be blocked first, then archives, and then ordinary documents and music files. This applies exclusively to mixed-content downloads, that is, insecure downloads initiated from pages served over HTTPS. Read more on the Google blog and in the discussion on Habr.
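An added example (not from the column or from Google) of how a site owner could audit an HTTPS page for download links that fall under this blocking before it lands. The three phases follow the order given above (executables, archives, documents and music); the extension lists, the page URL and the sample HTML are assumptions constructed for this example.

```python
# Added example: audit an HTTPS page for download links that mixed-content
# download blocking would refuse. The phases mirror the order given in the post
# (executables, then archives, then documents and music); the extension lists
# are this example's assumption, not Google's definition.
from html.parser import HTMLParser
import posixpath
from urllib.parse import urljoin, urlsplit

PHASES = {
    1: {".exe", ".msi", ".apk", ".dmg", ".bat", ".sh"},             # executables
    2: {".zip", ".rar", ".7z", ".tar", ".gz", ".tgz"},              # archives
    3: {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".mp3", ".wav"},  # documents, music
}


def classify_download(page_url: str, href: str) -> dict:
    """Resolve href against the page and say whether it is a mixed-content download."""
    target = urljoin(page_url, href)
    page_scheme = urlsplit(page_url).scheme.lower()
    target_parts = urlsplit(target)
    ext = posixpath.splitext(target_parts.path)[1].lower()
    phase = next((p for p, exts in PHASES.items() if ext in exts), None)
    # Mixed content means an http:// download started from an https:// page.
    # An http:// link on an http:// page is insecure too, but it is not *mixed*
    # content and is not what the announced blocking covers.
    mixed = page_scheme == "https" and target_parts.scheme.lower() == "http"
    return {"url": target, "mixed": mixed, "phase": phase,
            "blocked": mixed and phase is not None}


class _LinkCollector(HTMLParser):
    """Collect href attributes of <a> tags in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def audit_html(page_url: str, html: str) -> list:
    """Return the downloads on the page that would be blocked, in document order."""
    collector = _LinkCollector()
    collector.feed(html)
    results = (classify_download(page_url, h) for h in collector.hrefs)
    return [r for r in results if r["blocked"]]


# Constructed sample page, not taken from any real site.
PAGE_URL = "https://www.example.com/downloads/"
SAMPLE_HTML = """
<a href="http://cdn.example.net/setup.exe">Installer</a>
<a href="http://cdn.example.net/src.tar.gz">Source</a>
<a href="/docs/manual.pdf">Manual (same-origin, stays HTTPS)</a>
<a href="http://cdn.example.net/readme.txt">Readme</a>
"""

if __name__ == "__main__":
    for r in audit_html(PAGE_URL, SAMPLE_HTML):
        print(f"phase {r['phase']}: {r['url']}")
```

Being a static scan, this only sees the URL written in the page: a link that starts as https:// and then redirects to http:// cannot be caught this way, and the readme.txt link above is reported as mixed content but not as blocked, since plain text files are outside the three stages described in the post.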


Drivers for Wacom tablets send data about running applications to the manufacturer’s server.


Researchers have found a new way to exfiltrate data from computers that are not connected to any network, alongside the previously studied channels of monitor hum and ultrasound from speakers. Data can be encoded as small changes in display brightness, which are then read by another device, such as a camera. The attack works even when the brightness is measured from a distance through a window in a dark room. At distances of up to 9 meters the researchers achieved 5-10 bits per second: if any secrets are stolen this way, they will be extremely compact ones.
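An added toy model of such a channel (this is not the researchers' code, and the paper's own modulation and parameters are not reproduced here). The transmitter encodes each bit as a tiny brightness offset on the screen; the receiver, say a camera filming the screen, samples brightness per frame and recovers the bits. The framing (a fixed preamble, on-off keying, 5 bit/s at 30 samples/s), the brightness levels and the receiver noise are all assumptions constructed for this example.

```python
# Added example: a toy brightness covert channel. Transmitter emits a brightness
# level per frame; receiver thresholds the samples and majority-votes each bit.
# The preamble, bit rate, sample rate, brightness values and the noise model are
# this example's assumptions, not the parameters of the research described above.
import random

PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 0]  # lets the receiver find the bit boundaries


def bytes_to_bits(data: bytes) -> list:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: list) -> bytes:
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def encode_brightness(data: bytes, bitrate: int = 5, sample_rate: int = 30,
                      base: float = 0.80, delta: float = 0.03) -> list:
    """Transmitter side: one brightness level (0..1) per frame; a '1' bit adds delta."""
    if sample_rate % bitrate:
        raise ValueError("sample_rate must be a multiple of bitrate")
    per_bit = sample_rate // bitrate
    levels = []
    for bit in PREAMBLE + bytes_to_bits(data):
        levels.extend([base + delta * bit] * per_bit)
    return levels


def decode_brightness(samples: list, bitrate: int = 5, sample_rate: int = 30) -> bytes:
    """Receiver side: threshold halfway between the darkest and brightest frame,
    lock onto the first bright frame (start of the preamble), then majority-vote
    each bit window so that a few noisy frames do not flip a bit."""
    if not samples:
        return b""
    per_bit = sample_rate // bitrate
    threshold = (min(samples) + max(samples)) / 2
    start = next((i for i, s in enumerate(samples) if s > threshold), None)
    if start is None:
        return b""
    bits = []
    for i in range(start, len(samples) - per_bit + 1, per_bit):
        window = samples[i:i + per_bit]
        ones = sum(1 for s in window if s > threshold)
        bits.append(1 if 2 * ones > per_bit else 0)
    if bits[:len(PREAMBLE)] != PREAMBLE:
        return b""  # no valid frame start
    return bits_to_bytes(bits[len(PREAMBLE):])


def noisy_channel(levels: list, sigma: float = 0.003, seed: int = 1) -> list:
    """Constructed receiver noise: Gaussian jitter on each measured frame."""
    rng = random.Random(seed)
    return [level + rng.gauss(0, sigma) for level in levels]


if __name__ == "__main__":
    secret = b"key"
    frames = encode_brightness(secret)
    print(len(frames), "frames =", len(frames) / 30, "seconds at 5 bit/s")
    print(decode_brightness(noisy_channel(frames)))
```

Three bytes take 32 bit periods, about 6.4 seconds at 5 bit/s, which is why the column calls anything stolen this way "compact". The 3% brightness step is an assumption chosen to be small enough to go unnoticed by a person at the desk while still being well above the receiver noise used here; a real receiver would also have to handle camera exposure drift, which this threshold-by-extremes decoder does not.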
