Security News

Bluetooth-Enabled 'Mooltipass' Hardware Password Manager Unveiled
2020-07-27 15:38

The creators of the Mooltipass hardware password manager have unveiled the Mooltipass Mini BLE, a Bluetooth-enabled version of the device that includes many new and useful features. Back in 2016, SecurityWeek reviewed the second generation of the Mooltipass open source hardware password manager, the Mooltipass Mini.

Laird Connectivity and Cypress launch Wi-Fi and Bluetooth 5 module for industrial IoT
2020-06-16 00:00

Laird Connectivity has announced the upcoming Sterling-LWB5+ Wi-Fi 5 and Bluetooth 5.1 module. Laird Connectivity's new Sterling-LWB5+ was intentionally designed for industrial IoT applications where performance, size, cost, and ruggedness are required to deliver reliable wireless connectivity.

Bluetooth Vulnerability: BIAS
2020-05-26 11:54

The Bluetooth standard includes a legacy authentication procedure and a secure authentication procedure, allowing devices to authenticate to each other using a long term key. We describe each vulnerability in detail, and we exploit them to design, implement, and evaluate master and slave impersonation attacks on both the legacy authentication procedure and the secure authentication procedure.

New Bluetooth Vulnerability Exposes Billions of Devices to Hackers
2020-05-21 00:02

Academics from École Polytechnique Fédérale de Lausanne disclosed a security vulnerability in Bluetooth that could potentially allow an attacker to spoof a remotely paired device, exposing over a billion modern devices to hackers. The attacks, dubbed Bluetooth Impersonation AttackS or BIAS, concern Bluetooth Classic, which supports Basic Rate and Enhanced Data Rate for wireless data transfer between devices.

Bluetooth Bugs Allow Impersonation Attacks on Legions of Devices
2020-05-19 15:58

Academic researchers have uncovered security vulnerabilities in Bluetooth Classic that allow attackers to spoof paired devices. They found that the bugs allow an attacker to insert a rogue device into an established Bluetooth pairing, masquerading as a trusted endpoint. The bugs allow Bluetooth Impersonation Attacks on everything from internet of things gadgets to phones to laptops, according to researchers at the École Polytechnique Fédérale de Lausanne in Switzerland.

Bluetooth Vulnerability Allows Attackers to Impersonate Previously Paired Devices
2020-05-19 14:20

A vulnerability related to pairing in Bluetooth Basic Rate / Enhanced Data Rate connections could be exploited to impersonate a previously paired device, researchers have discovered. The security flaw allows for an attacker within Bluetooth range of an affected device to spoof the Bluetooth address of a previously bonded remote device, thus successfully authenticating without knowing the link key normally used for establishing an encrypted connection.

Apple's MagicPairing for Bluetooth fails to enchant after mischief-making bugs found hiding in the stack
2020-05-18 20:48

In a paper [PDF] entitled "MagicPairing: Apple's Take on Securing Bluetooth Peripherals," Dennis Heinze, Jiska Classen, and Felix Rohrbach observe that Apple's MagicPairing protocol overcomes two shortcomings of Bluetooth device pairing: poor scalability and a security model that collapses if the permanent key - the Link Key or Long-Term Key - gets compromised. The paper says that Apple's MagicPairing implementations in iOS and macOS contain a number of spelling mistakes in logging messages and, for the macOS Bluetooth daemon bluetoothd, function names.

S2 Ep27: Bluetooth holes, dodgy Chrome extensions and forgotten passwords – Naked Security Podcast
2020-02-21 14:32

This week we discuss why Google abruptly pulled more than 500 Chrome extensions from its Web Store, the case of a man held in custody for refusing to decrypt two hard drives, and research detailing a number of security holes in Bluetooth chipsets. Greg Iddon plays host and producer this week and is joined by fellow Sophos experts Paul Ducklin and Peter Mackenzie.