A few days ago reports emerged about a collection of vulnerabilities in the Bluetooth protocol suite. These allow an attacker to gain complete control over a vulnerable target device without the victim being aware of the attack. What are the consequences for users, and how relevant are the examples?
The scenario as demonstrated by researchers from Armis is indeed worrying, but not a reason to panic. The susceptibility of Bluetooth to attacks is hardly surprising; there have been other spectacular cases in the past. The technical possibilities are not the main problem, though. The attack, while undoubtedly worrying, is not very practical: it requires the attacker and the victim to be fairly close to one another in order for it to work, which increases the risk of being detected. This makes the attack both risky and uneconomic and therefore not an interesting attack type for use on a broad scale. In addition to this, there is already an update which addresses the underlying security flaws. It is here where the crux lies: not all devices have the required update installed, and relatively few even receive the update. Devices which are directly under the control of a manufacturer receive updates a lot quicker; unfortunately this is only the case for Apple devices as well as the Google range of devices ("Nexus" and "Pixel"). Devices from other manufacturers either receive no updates at all or receive them with a substantial delay.
This delay in the deployment of security-relevant updates has been giving security experts a headache for quite some time. In the past, those delays were mainly due to the fact that an update for the "vanilla" version of Android (i.e. the "pure" version of Android as provided by Google) requires modification by other manufacturers. The reason for this is that many manufacturers ship their own additional software, which requires changes to the basic operating system. Meanwhile, authorities have also come to the conclusion that action is required. In 2016, the FCC directed a public request for information to several device makers as well as ISPs, in which they were asked to explain how they intend to deploy and communicate critical updates in the future and to describe what the roadblocks are. Especially in the Android world there is a lot of fragmentation in the market, which does little to improve the overall security of all devices.
The BlueBorne case is yet another textbook example of what is called "responsible disclosure". The security flaws were reported to all involved companies ahead of time. The companies were then given a sufficient amount of time to fix the issues with an update. Only after the update was released were the findings made public. By taking the high road, the researchers did the opposite of what many others do, which is to sell the vulnerabilities on underground platforms to the highest bidder. Criminals and intelligence agencies are among the usual buyers of such security flaws, which are often stockpiled for use in a later attack.
The current CCleaner affair follows the same pattern of disclosure: the involved companies, Piriform and Avast, were notified in advance so that an update could be provided before the researchers went public with their findings. Many vendors also offer rewards (also referred to as "bug bounties") to researchers for responsibly disclosing security flaws. Depending on their severity and complexity, those bug bounties can be as high as several hundred thousand Euros or Dollars.
There are several facts that underline the importance of security for both consumers and authorities. In Germany, a major electronics retailer is facing litigation from consumer advocates (source in German) over the sale of old and outdated Android devices at a very low price. Those devices have several major security flaws which, for all intents and purposes, are unfixable. Experts hope for a signaling effect towards device makers to improve support for older products.