[ad_1]
<div _ngcontent-c16 = "" innerhtml = "
The latest iPhones are considered to be affected by a Bluetooth vulnerability (Photo AP / Charles Rex Arbogast)
There is a potentially serious vulnerability affecting Bluetooth that could In the absence of confidential data from smartphones and Apple PCs, Google and Intel, patches are made available and users must update where they can: millions or even hundreds of millions or billions of dollars. Probably devices concerned.) 19659003] Devices containing Bluetooth from a variety of providers – including Apple, Intel, Broadcom and Qualcomm – are all concerned, according to a warning from the US Computer Emergency Response Team, head of the Carnegie Mellon Software Engineering Institute.Viability that was the result of a missing check on the keys during the process of encrypting data sent via Bluetooth connections Specifically, it was a missing validation contained in the encryption method In the end, the error means that a hacker who is in the Bluetooth range of an affected device could get the keys needed to reveal what is supposed to be encrypted. data "with high probability," said the US CERT. The hacker could then intercept and decrypt all messages sent via Bluetooth. This includes any data that the application or device sends via Bluetooth. This could be something as harmless as the notifications, even if in the worst case could include security codes such as those used in two-factor authentication, warned Mike Ryan, security expert Bluetooth.
There are many technologies affected. As Lior Neumann, one of the two Israeli researchers who found the bug, explained to Forbes in an email: "As far as we know every Android – before the patch released in June – and every wireless device the Intel chip, Qualcomm or Broadcom is vulnerable. "
Where are the fixes?
Apple released patches in May with the release of iOS 11.4 and MacOS versions supported in June. For those who have not updated, Neumann warned: "Every iPhone device with a Broadcom or Qualcomm chip is inherently vulnerable," he added. This would include the latest iPhone 8 and X models.
Google had not returned a comment request, although the Android Open Source Project (AOSP) has released a patch, according to Neumann. Two Android vendors, Huawei and LG, claim to have corrected the vulnerability. Forbes could not find evidence of patches from other major Android manufacturers, such as Samsung and HTC, however.
Bluetooth SIG, an organization that develops the Bluetooth standard, has released an update that should help manufacturers make a patch. This ensures that the checks for these crucial keys are done correctly. Despite the patch, the Bluetooth SIG sought to minimize the severity of the vulnerability, noting that an attacker had to be within range of two vulnerable devices, one not being enough to spy on the data being exchanged between them.
But Neumann said Forbes attacks "should be relatively simple to achieve." Full technical details on the attacks will be published in the coming days in a white paper from the Israel Institute of Technology, Neumann added.
It may take some time for AOSP or Bluetooth SIG patches to get to the myriad Android models on the market, warned Professor Alan Woodward, a security expert from the University of Surrey.
"It's all about knowing how long it takes to put updates for sellers," Woodward said. "This is a good example of why simply complying with a specification is not always proof that something is secure."
Windows Broken
Although Microsoft is not on the list of affected companies, Neumann said that Windows was vulnerable to older Bluetooth attacks. He noted that Windows did not yet support the Bluetooth 4.2 version and was vulnerable to an eavesdropping attack on Bluetooth 4.0.
Ryan stated that Neumann was right. But Ryan noted that old and new attacks can only happen when devices pair for the first time. "Think about when you get a new Bluetooth headset: you pair it up and your phone remembers the headset forever If the attacker is not there, you can not decipher any data."
Microsoft, Intel, Broadcom and Qualcomm did not respond to requests for comments at the time of publication. Forbes will update this article as more information becomes available
">
The latest iPhones are considered to be affected by a Bluetooth vulnerability. (AP Photo / Charles Rex Arbogast)
There is a potentially serious vulnerability affecting Bluetooth that could lead to private data leaks from smartphones and PCs based on Apple, Google and Intel. Patches are made available so users should the day they can.Millions, even hundreds of millions
Bluetooth-containing devices from different vendors – including Apple, Intel, Broadcom and Qualcomm – are all concerned, according to a warning from the US Computer Emergency Response The Carnegie Mellon Software Engineering Institute has described a vulnerability that resulted from a missing audit of key during the process of encrypting data sent over Bluetooth connections. A missing validation contained in the encryption method used in Bluetooth, a standard known as the "Diffie-Hellman Key Exchange".
In the end, the error means that a hacker who is in the Bluetooth range of an affected device can get the keys. need to reveal what is supposed to be encrypted data "with a high probability", said the American CERT. The hacker could then intercept and decrypt all messages sent via Bluetooth. This includes any data that the application or device sends via Bluetooth. This could be something as harmless as the notifications, although in the worst case could include security codes such as those used in two-factor authentication, warned Mike Ryan, security expert Bluetooth.
As Lior Neumann, one of the two Israeli researchers who found the bug, explained to Forbes in an email: "As far as we know every Android – before the patch released in June – and every wireless device the Intel chip, Qualcomm or Broadcom is vulnerable. "
Where are the fixes?
Apple released patches in May with the release of iOS 11.4 and MacOS versions supported in June. For those who have not updated, Neumann warned: "Every iPhone device with a Broadcom or Qualcomm chip is inherently vulnerable," he added. This would include the latest iPhone 8 and X models.
Google had not returned a comment request, although the Android Open Source Project (AOSP) released a patch, according to Neumann. Two Android vendors, Huawei and LG, claim to have corrected the vulnerability. Forbes could not find evidence of patches from other major Android manufacturers, such as Samsung and HTC, however.
Bluetooth SIG, an organization that develops the Bluetooth standard, has released an update that should help manufacturers make a patch. This ensures that the checks for these crucial keys are done correctly. Despite the patch, the Bluetooth SIG sought to minimize the severity of the vulnerability, noting that an attacker had to be within range of two vulnerable devices, one not being enough to spy on the data being exchanged between them.
But Neumann said Forbes attacks "should be relatively simple to achieve." Full technical details on the attacks will be published in the coming days in a white paper from the Israel Institute of Technology, Neumann added.
It may take some time for AOSP or Bluetooth SIG patches to get to the myriad Android models on the market, warned Professor Alan Woodward, a security expert from the University of Surrey.
"It's all about knowing how long it takes to put updates for sellers," Woodward said. "This is a good example of why simply complying with a specification is not always proof that something is secure."
Windows Broken
Although Microsoft is not on the list of affected companies, Neumann said that Windows was vulnerable to older Bluetooth attacks. He noted that Windows did not yet support the Bluetooth 4.2 version and was vulnerable to an eavesdropping attack on Bluetooth 4.0.
Ryan stated that Neumann was right. But Ryan noted that old and new attacks can only happen when devices pair for the first time. "Think about when you get a new Bluetooth headset: you pair it up and your phone remembers the headset forever If the attacker is not there, you can not decipher any data."
Microsoft, Intel, Broadcom and Qualcomm did not respond to requests for comments at the time of publication. Forbes will update this article as more information becomes available.
