New Bluetooth classic protocol vulnerability (BIAS)

tankerkiller125

This vulnerability affects nearly all devices that speak Bluetooth. Manufacturers should be releasing a patch soon.

This vulnerability exploits an issue in the legacy Bluetooth authentication method. It further exploits the fact that many Bluetooth classic implementations allow devices to downgrade the more modern secure authentication method to the legacy version. The patch that manufacturers are releasing will prevent devices from downgrading to the legacy authentication.

CVEs:
CVE-2020-10135 (BIAS)
CVE-2019-9506 (KNOB)

Both CVEs must be patched to be fully secure.

More information on BIAS:
https://www.zdnet.com/article/smartphones-laptops-iot-devices-vulnerable-to-new-bias-bluetooth-attack/

phenomlab

tankerkiller125 ironic really that the COVID-19 contact tracing apps are using Bluetooth over NFC

tankerkiller125

phenomlab I think contract tracing will be great in the future, but using Bluetooth over NFC is just kind of a dumb thing. I almost feel like it would be better to just use GPS, of course then it would be less accurate.

phenomlab

tankerkiller125 Very true - also depends on 4G quality if not using Wifi, and the fact the user can also disable it.