
Patched MS Bluetooth Flaw Exposes Even Disconnected PCs

Posted by Soulskill
from the you-are-the-one-neo dept.
An anonymous reader writes "Among the 22 security holes Microsoft issued updates to fix yesterday is a critical kernel-level Bluetooth flaw that could let nearby attackers break into vulnerable systems even when the targeted computer is not connected to a network. An attacker could use the bug to gain access to any unpatched, Bluetooth-enabled Windows Vista or Win7 computer within 100 meters (or much further with specialized tools), all before the target system even gets an alert that another computer is requesting a Bluetooth connection."
  • Confusing (Score:5, Insightful)

    by Haedrian (1676506) on Wednesday July 13, 2011 @04:28AM (#36746136)

    "even when the targeted computer is not connected to a network."
    "target would merely need to have Bluetooth turned on."

    Meh, not as scary as I thought. You shouldn't be running around with bluetooth on anyway. Also, if you're using a 'hidden' connection there's no real way for an attacker to find you is there?

    So basically computers at risk are those who always leave bluetooth on and shown to everyone. Which unless you're trying to connect to a new device should be NEVER.

    • Re:Confusing (Score:4, Informative)

      by ledow (319597) on Wednesday July 13, 2011 @04:38AM (#36746176) Homepage

      But considering that leads to a complete OS compromise, that's pretty poor coding.

      You literally only have to turn it on for a second and someone can root you without you knowing. You only have to witness someone pair with a device, or do a single Bluetooth transfer and you can root them. And what are the implications for embedded versions of Windows in, say, phones.

      A lot of people use Bluetooth, it's expected to be quite secure in terms of not rooting your computer (people being able to monitor and sniff your Bluetooth data is a different class of problem entirely, and puny in comparison). And like the article says - you probably have the faulty software installed already and only a single tap of that Bluetooth switch will make you vulnerable to automatic rooting, like a virus.

      A virus that exploits this will potentially go quickly global and be hard to cleanse because you literally may not even notice that you've been infected and switching on Bluetooth for a split second to send a file to your phone, answer your parent's Skype on a headset, etc. isn't generally considered an infection route.

      I agree in that I have BT turned off on everything I own and set to hidden by default but it would be scary if I were using one of the vulnerable systems. That's the sort of thing that will still be catching people out five years from now and it's probably only the first of many such problems. Now before you can put a PC on the net, you need to make sure you've never enabled Bluetooth while Windows was executing until you've got it to the latest patch level.

      • Re:Confusing (Score:4, Informative)

        by mogness (1697042) on Wednesday July 13, 2011 @04:59AM (#36746230) Homepage
        No need to worry. Reports around the web contradict this article; all say it's extremely unlikely that an attacker could gain access to your machine using this vulnerability. You're more likely to get blue-screened.

        http://blogs.technet.com/b/srd/archive/2011/07/12/ms11-053-vulnerability-in-the-bluetooth-stack-could-allow-remote-code-execution.aspx [technet.com]
        https://threatpost.com/en_us/blogs/microsoft-fixes-critical-windows-bluetooth-bug-july-patch-tuesday-071211 [threatpost.com]

        What's more, you'd have to be sharing your bluetooth id AND the attacker would have to be within range of your signal.
        • What's more, you'd have to be sharing your bluetooth id AND the attacker would have to be within range of your signal.

          Many laptops for example share their bluetooth ID by default, and Joe User won't be aware of it or even know why it matters.

          Secondly, Internet cafes, libraries, trains, etc... all are places where people often whip out their laptops. And if you happen to be living in flats you most likely ARE within range of at least a few of your neighbours' devices. At least I often see 4-8 bluetooth devices that aren't mine, they're usually from the apartments above and below.

      • by mcgrew (92797) *

        A virus that exploits this will potentially go quickly global

        That's the opposite of what TFA said. In order to gain access the target computer needs some sort of (unspecified by TFA) memory corruption. My guess is you would need another flaw in conjunction with this (paired flaws?) to make it work.

        I agree in that I have BT turned off on everything I own and set to hidden by default

        I bought a tiny bluetooth dongle for the computer so I can bluetooth pictures and such from my phone to my computer. I keep blue

    • by KiloByte (825081)

      This brand new Lenovo laptop my mother bought on Friday (guess why I had it in my hands...) had Bluetooth on, out of the box.

      The plural of "anecdote" is not "data", thus to be accurate let's keep it to this single sample :p (Honestly, I basically never deal with laptops.)

    • Re: (Score:2, Informative)

      by Anonymous Coward

      So basically computers at risk are those who always leave bluetooth on and shown to everyone. Which unless you're trying to connect to a new device should be NEVER.

      Or you have a bluetooth mouse/keyboard.
      None of the advisories say anything about being in "discoverable" mode.

      • by Haedrian (1676506)

        Right, you pair the devices, then you set it to hidden.

        That wasn't so hard was it?

        I assumed that to start a bluetooth connection there needs to be something to connect TO.

        • Right, you pair the devices, then you set it to hidden.

          Unfortunately, you can get infected already during that moment.

        • Right, you pair the devices, then you set it to hidden.

          But as soon as you actually use the keyboard or mouse, packets fly around, which have this "hidden" number in their headers, from where it can be snarfed by the bluetooth equivalent of tcpdump...

          • by Plunky (929104)

            No, you will need more than a standard Bluetooth dongle to sniff packets from the air.. the BlueZ hcidump program only dumps packets passing through the host OS stack (to or from the host), and the controller cannot be set to 'promiscuous' mode like a wifi radio can..

      • by Haedrian (1676506)

        Just read one of the links someone posted:

        "If your system were “discoverable,” it would respond to attacker SDP queries with its Bluetooth address. But in the default state, an attacker must obtain your Bluetooth address another way – either via bruteforcing it or extracting it from Bluetooth traffic captured over-the-air."

        "you have paired a Bluetooth peripheral and are actively communicating, it is hard but not impossible to extract the Bluetooth address from the traffic sent over-the-a

    • by c0lo (1497653) on Wednesday July 13, 2011 @04:46AM (#36746210)

      You shouldn't be running around with bluetooth on anyway.

      Meh - trying to get to the root of the problem.

      You shouldn't be running around with bluetooth on.
      You shouldn't be running around with bluetooth
      You shouldn't be running around
      You shouldn't be running
      You shouldn't be
      You shouldn't

      YOU! Ah, it is always you at fault.

    • Re: (Score:3, Insightful)

      by peppepz (1311345)

      You shouldn't be running around with bluetooth on anyway.

      Actually, I should be able to, because it's useful.
      It's my OS that should drop any packet I'm not interested in. Machines are supposed to do the work for me, not the opposite.

      • Re:Confusing (Score:4, Informative)

        by TheRaven64 (641858) on Wednesday July 13, 2011 @06:06AM (#36746494) Journal
        Absolutely! Needing to activate bluetooth every time you want to use it removes a lot of its use. Some of the things that I've done with Bluetooth:
        • Tie the 'device enter range' notification to a script that checks whether the device has been sync'd in the last day, and if not runs the sync program.
        • Configure my laptop to lock its screen when I walk away from it carrying my phone ('phone exits range' notification triggering screen saver).
        • Send vcards from my phone address book to another person's phone, or from their phone to my phone or laptop.
        • Send pictures from my phone to my laptop.
        • Control presentations from my phone.
        • Use wireless keyboards and mice with my laptop.

        Why would I want to have an extra enable step before doing each of these and a disable step after?

        • by pmontra (738736)
          The point is that nobody should tell you or me what we must do. There are some security best practices but if you know what you're doing (and it seems you do), you evaluated the tradeoffs and you can do whatever you want. Actually your setup looks pretty useful even if I don't trust the security of anything wireless, not even at my home. Cables are great things :)
      • by vegiVamp (518171)

        So, basically, something that should be called bttables ?

    • by Blymie (231220)

      For an idea of what it is like to experience this bug, watch this:

      http://www.youtube.com/watch?v=sZqPQPhsuX4 [youtube.com]

  • From MS SB

    The vulnerability could allow remote code execution if an attacker sent a series of specially crafted Bluetooth packets to an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Almost remote full admin access. Seriously, how much worse can it get? Guess you're still safe from internet attacks, but still.

    Anyone found a page on the exploit? You can do the entire list of immature things to other people's computers, to all your friends with Bluetooth, with this one.

    • I'm pretty sure, given that my friends and family all keep their computers updated, I can't do any of that stuff. At least not via this vulnerability. You know, because this was patched already...
      • by nzac (1822298)

        Some will have chosen to delay restarting just for an update, but I guess since it's a service pack, things running better will be expected. I would expect a small window for a few. I guess it's not clear, but the last sentence was sensationalist. The casual nature of the post should have given some indication of it.

        Apart from it being a little difficult for the Russian to access it, at least for primary infection, this is a pretty bad exploit; I can't remember worse for a while. Must have been a window for the FBI to ga

  • losing yet another method of gaining access to a target PC...
  • something that would permanently send out a bluetooth beacon to make all Windows 7 or Vista computers within earshot show goatse.ragingfist.net fullscreen...

    Might be fun walking through a computer shop (or just some offices...) with this on... And coming near to one of those giant display walls at a trade fair would be still better...

  • Like every other OS. Granted, an interesting new attack vector/approach.

  • I noticed newer OSes of Linux/Debian, Windows, Mac OS X, etc. have Bluetooth features. I wished I could yank them out since I don't have any Bluetooth devices or plan to. Why keep the bloat and possible security holes?

    • by dlgeek (1065796)
      Uhhh...you can for linux? You said you're on debian, just sudo apt-get remove libbluetooth2 libbluetooth3.
      • by antdude (79039)

        Can't because of Gnome:

        # apt-get purge libbluetooth3
        Reading package lists... Done
        Building dependency tree
        Reading state information... Done
        The following packages were automatically installed and are no longer required:
        gnome-themes-standard gnome-screensaver gtk2-engines-pixbuf gnome-themes
        libtotem-plparser17 totem-common libgmime-2.4-2 dmz-cursor-theme totem
        file-roller
        Use 'apt-get autoremove' to remove them.
        The following packages will be REMOVED:
        gno

      • by hackerjoe (159094)

        That won't necessarily help much, actually -- libbluetooth is just the userspace component, the kernel drivers will probably still be initializing the hardware. You'd be better off disabling kernel support: blacklist the kernel modules [wikipedia.org] for your hardware. Then you don't need to remove random packages, they just won't have anything to talk to in the kernel and will remain harmless and inert.
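        An added example (shell, not code from this thread or from any of the posters) of the module-blacklisting approach described above. It reads lsmod-style output, walks the "Used by" column to find the core bluetooth module and everything that depends on it, and emits a modprobe.d fragment. The lsmod text is constructed for offline use; the file name /etc/modprobe.d/no-bluetooth.conf in the usage note is my choice. The caveat it handles: a bare `blacklist` line only stops alias-based autoload at boot or hotplug, so a module can still be pulled in explicitly or as a dependency; pairing it with `install <module> /bin/false` makes every modprobe of it fail.

```shell
#!/bin/sh
# Added example, not from the thread: derive the loaded Bluetooth stack from
# lsmod output and emit a modprobe.d fragment that keeps it from coming back.
# 'blacklist' alone only stops alias-based autoload (udev/hotplug); a module
# can still be loaded explicitly or pulled in as a dependency. Adding
# 'install <mod> /bin/false' makes every modprobe of it fail.

# Constructed lsmod output for offline use (column 4 is the "Used by" list,
# i.e. the modules that depend on the module named in column 1).
SAMPLE_LSMOD='Module                  Size  Used by
btusb                  45056  0
btrtl                  16384  1 btusb
btintel                24576  1 btusb
bluetooth             655360  14 btrtl,btintel,btusb,bnep,rfcomm
bnep                   24576  2
rfcomm                 81920  4
ecdh_generic           16384  1 bluetooth
snd_hda_intel          53248  3'

# bt_stack_modules LSMOD_TEXT
# Print, one per line and sorted, the core 'bluetooth' module plus every
# module that transitively depends on it (follows the "Used by" edges).
# Modules that bluetooth itself uses (ecdh_generic, crypto helpers) are
# deliberately left out: they are shared infrastructure, not Bluetooth code.
# Prints nothing when bluetooth is not loaded at all.
bt_stack_modules() {
    printf '%s\n' "$1" | awk '
        NR > 1 { usedby[$1] = $4 }
        END {
            if (!("bluetooth" in usedby)) exit
            inset["bluetooth"] = 1
            queue[1] = "bluetooth"; head = 1; tail = 1
            while (head <= tail) {
                m = queue[head++]
                n = split(usedby[m], u, ",")
                for (i = 1; i <= n; i++)
                    if (u[i] != "" && !(u[i] in inset)) {
                        inset[u[i]] = 1
                        queue[++tail] = u[i]
                    }
            }
            for (m in inset) print m
        }' | LC_ALL=C sort
}

# bt_modprobe_conf LSMOD_TEXT
# Emit a /etc/modprobe.d fragment: blacklist each module (no autoload) and
# override its install command (no explicit or dependency load either).
bt_modprobe_conf() {
    bt_stack_modules "$1" | while IFS= read -r m; do
        printf 'blacklist %s\n' "$m"
        printf 'install %s /bin/false\n' "$m"
    done
}

# Demo against the constructed sample; on a real host pass "$(lsmod)" instead.
bt_modprobe_conf "$SAMPLE_LSMOD"
```

        On a live Debian box the fragment goes in with `bt_modprobe_conf "$(lsmod)" | sudo tee /etc/modprobe.d/no-bluetooth.conf`. That only affects future loads: modules already in memory stay until `modprobe -r` is run on the dependents first (rfcomm, bnep, btusb, then the bt* vendor helpers, then bluetooth) or the machine reboots, and `rfkill block bluetooth` is the quick way to silence the radio in the meantime.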

  • I fail to see how a PC with an active wireless network standard enabled can be considered "disconnected".

    Bluetooth has long been a target of undesirable types; it's just that a PC is a richer target than most people's phones full of garbage apps.

  • I remember installing windows without a firewall, where I'd have to sneakernet technet patches to the machine before enabling internet access. Looks like I need a faraday cage now.
  • I guess that rule of thumb no longer rings true. Get it? Rings...

  • Bluetooth has always been a known attack vector. I remember one that affected Symbian phones, for example. I used to get the odd file transfer request on my phone from other people who were infected. I think this might have been it.. http://www.f-secure.com/v-descs/cabir.shtml [f-secure.com]
