While Purism devices don’t provide Bluetooth out of the box due to the non-free firmware blobs it needs, the information might be of interest to one or another.
CVE-2020-12351 - high
CVE-2020-12352 - moderate
CVE-2020-24490
The sec-issues above allow attackers to connect to Linux devices with activated Bluetooth, including privilege escalation.
For the general freedom- & security-conscious Purism-customers their microswitches once more show that they’re there for a reason. No bluetooth active, no attack-surface.
Switching the mobile’s bluetooth off when not necessary also once more proves to be a good idea.
But even so, disabling a security hole in a way that needs physical access to the target to circumvent the measure taken is better.
It could be that the combination of two issues makes an attack successful: one issue that allows Bluetooth to be activated without privileges, or because most users did not protect the feature sufficiently, and a second issue like the ones above to gain control over the target.
Exactly. No matter how borked the software is, whether due to a non-security-related software issue (i.e. “off” doesn’t work correctly or fully) or whether due to a security-related software issue (another exploit allows the attacker to re-enable Bluetooth from software) … if you have a hardware kill switch that cuts power and/or communication to the Bluetooth hardware then you can rest easy that a Bluetooth attack is not possible.
The only annoyance there is the proliferation of combined WiFi+BT devices i.e. you can’t hardware kill the BT without also hardware killing the WiFi, whereas if you software kill, you may be able to software kill selectively.
The first link above says that the third vulnerability requires Bluetooth 5, which may limit the damage in older devices that are otherwise less likely to be receiving security updates.
“For the stable distribution (buster), these problems have been fixed in version 4.19.152-1. The vulnerabilities are fixed by rebasing to the new stable upstream version 4.19.152 which includes additional bugfixes.”
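The software-kill versus hardware-kill distinction discussed in the thread can be read from the Linux rfkill sysfs tree; the script below is an added example, not something posted by any participant. The function names `rank` and `bt_kill_state` and the optional root-directory argument are choices made for this example, and the meaning given to "absent" is an assumption about how a power-cutting switch shows up.

```shell
#!/bin/sh
# Added example (not from the thread): classify Bluetooth exposure from the
# Linux rfkill sysfs tree. Each rfkillN directory has "type", "soft", "hard".

# Rank states so that, with several adapters, the most exposed one wins.
rank() {
    case "$1" in
        unblocked)    echo 3 ;;
        soft-blocked) echo 2 ;;
        hard-blocked) echo 1 ;;
        *)            echo 0 ;;   # absent
    esac
}

# bt_kill_state [ROOT] -> prints absent | hard-blocked | soft-blocked | unblocked
# ROOT defaults to /sys/class/rfkill; the parameter exists so the function can
# be run against a constructed directory tree.
bt_kill_state() {
    root="${1:-/sys/class/rfkill}"
    worst="absent"
    for dev in "$root"/rfkill*; do
        [ -r "$dev/type" ] || continue
        [ "$(cat "$dev/type")" = "bluetooth" ] || continue
        hard=$(cat "$dev/hard" 2>/dev/null || echo 0)
        soft=$(cat "$dev/soft" 2>/dev/null || echo 0)
        if [ "$hard" = "1" ]; then
            state="hard-blocked"    # switch state from the driver; software cannot clear it
        elif [ "$soft" = "1" ]; then
            state="soft-blocked"    # software state; software can clear it again
        else
            state="unblocked"       # radio may be reachable by nearby devices
        fi
        if [ "$(rank "$state")" -gt "$(rank "$worst")" ]; then
            worst="$state"
        fi
    done
    # "absent": no Bluetooth rfkill entry. Assumption: a kill switch that cuts
    # power to the module makes the adapter disappear rather than report hard=1.
    echo "$worst"
}

echo "bluetooth: $(bt_kill_state)"
```

A result of `soft-blocked` is the case the thread worries about, since a second bug or a misbehaving "off" setting can reverse it without physical access.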