I have a Pixel C that will never have an official patch to this exploit. I wonder if this is a user space exploit too, and if so, that would mean there's no technical reason for why they can't update it.
In the UK I always wonder if it's possible to bring a claim under Part 1 Chapter 2 of the Consumer Rights Act 2015. The goods must be 'satisfactory'. Remote code execution over Bluetooth is not satisfactory, even if it only became apparent 3 years later.
The solution is rather simple; buy devices with better documented and open internals rather than what's cheapest, shiniest, and most convenient. There are alternatives, and we all vote with our wallets.
At least there is the mitigation that it isn't exploitable unless the device is scanning for new devices to pair with, by my reading of the reports I've seen.
Phones are not usually in that state unless the BT settings screen is open. Otherwise it would drain excess battery in normal use.
> The industry forces us to throw away perfectly fine hardware after just 3 years or so.
Possibly because of things like this; when a vulnerability isn't going to get patched, churn (with new hardware running newest OS) protects the ecosystem against mass-compromise.
We can bemoan the lack of patches, but who's paying for the patches?
I agree with you that it is a shame that perfectly working hardware is left highly insecure after just 3 years (that is actually worse for some other manufacturers).
The worst part is that people keep using the phones because they are not tech savvy or grossly underestimate the risk, and they do not feel that they need to spend money on a new phone.
You can shorten 3 years to 1.5 for typical Android vendors (i.e., Samsung) and maybe extend it to 4 or 5 years for Apple. There is a marked difference in the two ecosystems' approach to support for older hardware.
My OnePlus 3 phone just got its last security patch and is now out of support from the manufacturer.
I use bluetooth constantly for my smartwatch and headphones.
I think it's time for custom firmware just because of this.
Goodbye banking apps and Google Pay, because apparently a newer but unofficial OS is more insecure [1].
I bet it's not particularly true that most bluetooth headphones support wired analog audio. It may have been a few years ago, not now that the most prominent use case is phones.
I quickly realized the value of the headphone jack the last time I had to turn my device to Airplane mode and realized I couldn't listen to any music on the plane using my wireless earbuds.
Fortunately, my aging GS8+ still has a headphone jack, and I had a pair of analog headphones in my travel bag.
I think phones are also relatively hardened so the attack surfaces are not super convenient.
Bluetooth: get in reach of an attacker (and from another comment: have your device searching for bluetooth devices)
Web-stuff: if a patched browser doesn't help you are still relatively safe browsing all the non-infecting websites in the world.
file-stuff: you have to be stupid enough to open files, on your phone, from phishy mails (unless you are targeted they are always suspiciously generic, even when spreading from a hacked acquaintance )
I guess if there was a vulnerability where you could remotely gain full control over a phone without any action on the phone side you'd indeed have phone botnets. Looks like there are no such vulnerabilities.
Take what I write with a grain of salt, I'm actually just a noob trying to make sense of this, too.
Gotta say, having worked with the Android Bluetooth stack, I'd be surprised if there weren't lots of serious issues like this. The handling of pointers in there is often both clever and not helpful.
> As soon as we are confident that patches have reached the end users, we will publish a technical report on this vulnerability including a description of the exploit as well as Proof of Concept code.
It is likely to be a long time to never for most Android phones to receive patches for this :-(
It's exactly this type of reason that I'm excited for the Librem 5 and PinePhone. I don't use many apps, and I value security updates, so using a community supported phone based on standard Linux sounds a lot more appealing to me than getting another Android phone. My current phone is an Android One device and so should still be getting updates, so hopefully I can stay reasonably secure until those phones are usable as replacements.
I hate to say it, but it seems like only a large-scale worm outbreak that gets media coverage would be enough to fix the utterly broken Android patching landscape. From the description, this appears wormable (especially in crowds and possibly in vehicles). And unlike other wormable vulnerabilities that go through a service (like Google or even the phone company), this is just two phones with no intermediary to protect devices.
> only the Bluetooth MAC address of the target devices has to be known
Android has a feature of "Bluetooth scanning" to improve device location (similar to Wifi scanning). I'm not sure, but even if Bluetooth is disabled in the menu, this might still activate Bluetooth occasionally and perhaps reveal the Bluetooth MAC to the (nearby) world?
> Keep your device non-discoverable. Most are only discoverable if you enter the Bluetooth scanning menu. Nevertheless, some older phones might be discoverable permanently.
Does this mean your MAC address isn't visible while on, non-discoverable and connected to a BT device?
TekMol | 6 years ago
The situation on the phone market is so miserable.
The industry forces us to throw away perfectly fine hardware after just 3 years or so.
kop316 | 6 years ago
https://developers.google.com/android/images
rjmunro | 6 years ago
https://www.moneysavingexpert.com/shopping/consumer-rights-r...
ChrisCinelli | 6 years ago
Almost every month there are security patches for "critical" problems. Just skim through the blog pages. This is Jan 2020 for example: https://source.android.com/security/bulletin/2020-01-01
Consider this: if I remember correctly, somebody on HN was saying that these days the average time from a patch being released to an exploit being found in the wild is 4 days.
Consider that the patches hit the open source code well before they are deployed.
Consider that, besides Google, every other Android phone manufacturer takes around a month to release the patches, even on current models.
The situation has no easy solutions.
m1r3k | 6 years ago
[1] https://developer.android.com/training/safetynet
tjoff | 6 years ago
Reason #4373 that ditching the headphone jack is pure insanity.
Sigh.
billpg | 6 years ago
Stagefright again.
aedron | 6 years ago
> with the privileges of the Bluetooth daemon
Which privileges are those? Can it access user data? Snoop on input/output?
> For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address
So if wifi is off, I'm safe?
I have bluetooth on all the time, because it automatically pairs with my car for cellular and audio, and turning it on and off would be a hassle. I rarely, however, use wifi unless I have to download a very big amount of data, which is almost never.
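The quoted line "For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address" is worth making concrete. The script below is an added example, not code from the original thread or from the authors of the advisory being discussed. It assumes a pattern that is common but not universal: the Wi-Fi and Bluetooth radios in a phone are provisioned with adjacent addresses from the same OUI block, so the Bluetooth device address (BD_ADDR) is the Wi-Fi MAC with the last octet shifted by a small offset. The offsets it tries are a guess, and the sample addresses are constructed. It also handles the caveat a practitioner needs: a randomized (locally administered) Wi-Fi MAC, which Android 10 and later use per network by default, is generated rather than burned in and predicts nothing about the hardware BD_ADDR.

```python
"""Enumerate candidate Bluetooth device addresses (BD_ADDR) from a Wi-Fi MAC.

Added example for this thread; not code from the original posts or from the
advisory being discussed. ASSUMPTION: on many phones the Wi-Fi and Bluetooth
radios are provisioned with adjacent addresses from the same OUI block, so
the BD_ADDR is the Wi-Fi MAC with the last octet shifted by a small amount.
The offsets tried below are a heuristic, not a specification.
"""
import re

# Candidate offsets applied to the 24-bit NIC part of the address (heuristic).
DEFAULT_OFFSETS = (1, 2, -1, -2)


def parse_mac(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff' into a 48-bit int."""
    digits = re.sub(r"[:\-\s]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def format_mac(value: int) -> str:
    """Render a 48-bit int as upper-case, colon-separated octets."""
    return ":".join(f"{(value >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def is_locally_administered(value: int) -> bool:
    """Bit 1 of the first octet marks a locally administered (e.g. randomized) MAC.

    Android 10+ hands out a randomized Wi-Fi MAC per network by default. Such
    an address is generated, not burned into the radio, so it carries no
    information about the hardware BD_ADDR and must not feed this heuristic.
    """
    return bool((value >> 40) & 0x02)


def candidate_bdaddrs(wifi_mac: str, offsets=DEFAULT_OFFSETS) -> list[str]:
    """Return likely BD_ADDRs for a hardware Wi-Fi MAC, or [] if the MAC is randomized.

    Offsets are applied to the NIC-specific low 24 bits only and wrap inside
    the vendor's OUI block instead of spilling into a different vendor prefix.
    """
    base = parse_mac(wifi_mac)
    if is_locally_administered(base):
        return []
    oui, nic = base >> 24, base & 0xFFFFFF
    return [format_mac((oui << 24) | ((nic + off) & 0xFFFFFF)) for off in offsets]


if __name__ == "__main__":
    # Constructed sample addresses; the OUI is arbitrary and not tied to any vendor.
    for sample in ("00:11:22:33:44:F0", "DA:A1:19:00:00:01"):
        cands = candidate_bdaddrs(sample)
        print(sample, "->", ", ".join(cands) if cands else "randomized MAC, no prediction")
```

Run it against the Wi-Fi MAC shown under Settings > About phone and compare the output with the Bluetooth address listed next to it. If one candidate matches, that device is one where an attacker who learned the Wi-Fi MAC at any earlier point (for example from a probe request captured while Wi-Fi was on) already knows the BD_ADDR to aim at, regardless of whether Wi-Fi is on during the Bluetooth attack itself; if the phone reports a randomized Wi-Fi MAC, the heuristic gives nothing.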
2T1Qka0rEiPr | 6 years ago
Is this true?
lima | 6 years ago
But I haven't ever seen a Bluetooth headset that supports analog audio.
FraKtus | 6 years ago
If yes, then most phones are safe even if they have this vulnerability, it's only when you go in the Bluetooth menu that you are at risk...
magicalhippo | 6 years ago
Which ones would that be? Anyone know?
cpncrunch | 6 years ago
Or is it just discoverable when you click "pair new device"?