BleedingTooth - sec issues in Linux BlueTooth-stack

While Purism-devices don’t provide bluetooth out of the box due to non-free firmware blobs necessary, the information might be of interest for one or another.

CVE-2020-12351 - high

CVE-2020-12352 - moderate
CVE-2020-24490

The sec-issues above allow attackers to connect to linux-devices with activated bluetooth including priviledge escalation.

For the general freedom- & security-conscious Purism-customers their microswitches once more show that they’re there for a reason. No bluetooth active, no attack-surface.

Switching the mobile’s bluetooth off when not necessary also once more proves to be a good idea.

3 Likes

If the bluetooth radio is turned off via software is that already not enough to make this attack null?

Reckon that should be sufficient. No bluetooth listening, no attack possible. That easy :wink:

Nevertheless - good to know.

Let’s say that’s true.

But even though disabling a security whole in a way that needs physical access to the target to circumvent the measure taken is better.

Could be that the combination of two issues make an attack successful: One issue that allows to activate bluetooth without privileges or because most users did not protect the feature sufficiently and a second issue like above to gain control over the target.

So, yes, good to have the kill switch.

3 Likes

Exactly. No matter how borked the software is, whether due to a non-security-related software issue (i.e. “off” doesn’t work correctly or fully) or whether due to a security-related software issue (another exploit allows the attacker to re-enable Bluetooth from software) … if you have a hardware kill switch that cuts power and/or communication to the Bluetooth hardware then you can rest easy that a Bluetooth attack is not possible.

The only annoyance there is the proliferation of combined WiFi+BT devices i.e. you can’t hardware kill the BT without also hardware killing the WiFi, whereas if you software kill, you may be able to software kill selectively.

For those that want details, various discussions: https://www.securityweek.com/bleedingtooth-vulnerabilities-linux-bluetooth-allow-zero-click-attacks OR https://www.zdnet.com/article/google-warns-of-severe-bleedingtooth-bluetooth-flaw-in-linux-kernel/ OR https://arstechnica.com/information-technology/2020/10/google-and-intel-warn-of-high-severity-bluetooth-security-bug-in-linux/

The first link above says that the third vulnerability requires Bluetooth 5, which may limit the damage in older devices that are otherwise less likely to be receiving security updates.

1 Like
  1. NSO Pegasus on your families’ phone (or the phone of anyone in the vicinity by making facial recognition then looking up their data) .
  2. Pegasus can modify Bluetooth stack to inject attack.
  3. Attacks your Librem.

“For the stable distribution (buster), these problems have been fixed in version 4.19.152-1. The vulnerabilities are fixed by rebasing to the new stable upstream version 4.19.152 which includes additional bugfixes.”

https://www.debian.org/security/2020/dsa-4774

1 Like