Security News

Vulnerabilities in the Zephyr real-time operating system's Bluetooth stack have been identified, leaving a wide variety of Internet of Things devices open to attack - unless upgraded to a patched version of the OS. A security advisory released by Synopsys this afternoon highlights eight key vulnerabilities in Zephyr's Bluetooth Low Energy software stack. The vulnerabilities, discovered through use of Synopsys's Defensics fuzzing software, are exploitable when the devices are in advertising mode and accepting connections from remote devices - putting a wide range of gadgets at risk.

Intel has unleashed 29 security advisories to plug up some serious bugs in the BIOS firmware for Intel processors, as well as in its Bluetooth products, Active Management Technology tools, the NUC Mini PC line, and, ironically, in its own security library. "Forty of those, or 55 percent, were found internally through our own proactive security research. Of the remaining 33 CVEs being addressed, 29, or 40 percent, were reported through our bug-bounty program. Overall, 95 percent of the issues being addressed today are the result of our ongoing investments in security assurance, which is consistent with our 2020 Product Security Report."

Intel has pushed out a raft of security advisories for June, bringing its total discovered "Potential vulnerabilities" for the year to date to 132, only a quarter of which were reported by external contributors and the company's bug bounty programme. "Today we released 29 security advisories addressing 73 vulnerabilities," Intel's Jerry Bryant said of the company's latest updates.

Adversaries could exploit newly discovered security weaknesses in Bluetooth Core and Mesh Profile Specifications to masquerade as legitimate devices and carry out man-in-the-middle attacks. "Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing," the Carnegie Mellon CERT Coordination Center said in an advisory published Monday.

Researchers working for a French government agency have identified seven new Bluetooth vulnerabilities that could expose many devices to impersonation and other types of attacks. The flaws, discovered by researchers at France's national cybersecurity agency ANSSI, affect devices that support the Bluetooth Core and Mesh specifications, which define technical and policy requirements for devices operating over Bluetooth connections.

Attackers could abuse vulnerabilities discovered in the Bluetooth Core and Mesh Profile specifications to impersonate legitimate devices during the pairing process and launch man-in-the-middle attacks. The Bluetooth Core and Mesh Profile specifications define requirements needed by Bluetooth devices to communicate with each other and for Bluetooth devices using low energy wireless technology to enable interoperable mesh networking solutions.

Singapore has made its Bluetooth-powered "TraceTogether" contact-tracing app its preferred means of recording movements in public spaces across the island. The nation's effort, "TraceTogether" used Bluetooth to detect the proximity of other users, recorded such interactions and allowed contact with users in the event they had come into contact with a COVID-carrier.

Apple's "Find My device" function for helping people track their iOS and macOS devices can be exploited to transfer data to and from random passing devices without using the internet, a security researcher has demonstrated. Security researcher Fabian Bräunlein with Positive Security developed a proof of concept, using a microcontroller and a custom MacOS app, that can broadcast data from one device to another via Bluetooth Low Energy.

Microsoft has added AAC support for Bluetooth audio devices to the latest Windows 10 build released for Insiders in the Dev Channel. AAC is a lossy audio codec used by Apple devices and audio streaming platforms to provide high-quality audio streaming at low bitrates.

Today, researchers have exposed common weaknesses lurking in the latest smart sex toys that can be exploited by attackers. In examples provided by the researchers, technologies like Bluetooth and inadequately secured remote APIs make these IoT personal devices vulnerable to attacks that go beyond just compromising user privacy.