Again, any certification/listing at these specification levels must be completed before the start of 2019 to keep costs at the usual $4,000/$8,000 listing fees. The biggest area for review is the mass deprecation of Bluetooth v2.1 – v4.1 on Januand complete withdrawal by July 1, 2020. However, it is important to note that as the standard is already deprecated, it will mean a $25,000 listing fee as opposed to the usual $4,000/$8,000. Products using a Bluetooth v2.0 radio (e.g. Laird’s TRBLU23-00200 or BT730) must be Bluetooth SIG listed before January 1, 2019. Bluetooth v2.0 has been deprecated for some time now and is finally coming to an end. Additionally, none of this has any impact on Laird’s ability to produce and supply any of our Bluetooth modules. Customers who have already certified/listed their product with the Bluetooth SIG are not affected – once certified, always certified.
Bluetooth users are recommended to install the latest recommended updates from device and operating system manufacturers as and when they are available. The Bluetooth Special Interest Group (SIG) recently announced their decision to deprecate and withdraw older versions of Bluetooth Core specifications from v2.0 to v4.1.
The Bluetooth Special Interest Group (SIG), the organization that oversees the development of Bluetooth standards, has also issued security notices for each of the six flaws. "Cradlepoint was notified of the BLE vulnerabilities prior to public disclosure. We have a production release of our NetCloud OS code available (NCOS version 7.21.40) that fixes the cited issues," the company told The Hacker News over email. "As a result, we consider this security vulnerability remediated." AOSP, Cisco, and Microchip Technology said they are currently working to mitigate the issues. The Android Open Source Project (AOSP), Cisco, Cradlepoint, Intel, Microchip Technology, and Red Hat are among the identified vendors with products impacted by these security flaws.
"Our attacks work even when the victims are using Bluetooth's strongest security modes, e.g., SSP and Secure Connections. Our attacks target the standardized Bluetooth authentication procedure, and are therefore effective against any standard compliant Bluetooth device," the researchers said.
CVE-2020-26560 - Impersonation attack in Bluetooth Mesh Profile provisioning (Mesh profile 1.0 and 1.0.1).
CVE-2020-26559 - Bluetooth Mesh Profile AuthValue leak (Mesh profile 1.0 and 1.0.1).
CVE-2020-26557 - Predictable AuthValue in Bluetooth Mesh Profile provisioning (Mesh profile 1.0 and 1.0.1).
CVE-2020-26556 - Malleable commitment in Bluetooth Mesh Profile provisioning (Mesh profile 1.0 and 1.0.1).
N/A - Authentication of the Bluetooth LE legacy pairing protocol (Core Specification 4.0 through 5.2).
CVE-2020-26558 - Impersonation in the Passkey entry protocol during Bluetooth LE and BR/EDR secure pairing (Core Specification 2.1 through 5.2).
CVE-2020-26555 - Impersonation in Bluetooth legacy BR/EDR pin-pairing protocol (Core Specification 1.0B through 5.2).
In addition, four separate flaws have been uncovered in Bluetooth Mesh Profile Specification versions 1.0 and 1.0.1.
"To confirm that the BIAS attacks are practical, we successfully conduct them against 31 Bluetooth devices (28 unique Bluetooth chips) from major hardware and software vendors, implementing all the major Bluetooth versions, including Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung, and CSR." "The BIAS attacks are stealthy, as Bluetooth secure connection establishment does not require user interaction." "The BIAS attacks are the first uncovering issues related to Bluetooth's secure connection establishment authentication procedures, adversarial role switches, and Secure Connections downgrades," the researchers said.
The Bluetooth Impersonation AttackS, aka BIAS, enable a malicious actor to establish a secure connection with a victim, without having to know and authenticate the long-term key shared between the victims, thus effectively bypassing Bluetooth's authentication mechanism.