Because several people were asking about #Bluetooth, I'll make a thread. But I might ignore further questions, especially regarding over-the-air exploits. #DP3T

• BLE advertisements have a longer range than 2m, but are way more accurate than LTE cell towers. (1/n)
• BLE advertisement distance measurement accuracy depends a lot on the chips, meaning that they will work well within the Apple ecosystem, but probably not so well on some Androids. (2/n)
• The Singapore app solves this by maintaining active BLE/GATT connections, which provides better measurements, but drains battery power.
• On iOS, the BLE/GATT handler has been extensively tested for security issues and is definitely one of the better ones by now. (3/n)
• Using Bluetooth tracking requires users to enable Bluetooth. On some Androids (Xiaomi, OnePlus) this automatically makes your smartphone detectable over Classic BT.
• Being detectable via Classic BT without Software-Defined Radio opens further attack vectors. (4/n)
• CVE-2020-0022 aka #BlueFrag allows RCE on Android 8&9 (maybe also others) via Bluetooth but requires an active connection. BLE advertisements don't require this, but being visible in Classic BT opens this attack vector. The heap spray still takes a few minutes, though. (5/n)
• Broadcom didn't patch a BLE vulnerability in their stack that Jan reported in July 2019 (CVE-2019-13916). Advertisements cannot exploit it, active connections could, depending on the host stack. (6/n)
• Note that more or less passive actions can still allow RCE. CVE-2019-11516 on Broadcom chips falls under this category, also found by Jan. It has been patched on Android in August 2019 and silently patched on iOS with or prior to iOS 12.4. (7/n)
• On devices that can be Bluetooth master and slave (smartphones but not IoT gadgets and fitness trackers), Bluetooth RCE is wormable. If even more people enable Bluetooth, this could spread quite fast. 🍎🐛 (8/n)
• Another detail about active BLE and Classic BT connections. LCP & LMP, the connection management protocols on the link layer, exchange version information. At least on Broadcom chips, this includes the firmware version. This allows RCE customization and deanonymization. (9/n)
• On a positive side note, Bluetooth at least has anonymous connection-less advertisements and works decentralized. For the purpose of contact tracing, it's still much better than LTE/Wi-Fi/GPS. (10/n)
• It finally happened. Apple and Google partner for Bluetooth contact tracing. BLE advertisements only, which is nothing we found any vulnerabilities in, despite fuzzing into it. (11/n)

blog.google/inside-google/…
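The first two tweets of the thread make the point that advertisement-based distance measurement is only as good as the per-chip RSSI calibration. The following is an added example, not code from the thread, from DP3T, or from any tracing app: it applies the standard log-distance path-loss model to a measured RSSI and shows how an uncalibrated receiver mis-classifies a 2m contact. The reference RSSI at 1m, the path-loss exponent, the receiver model names and their dB offsets are all constructed sample values, not measurements from any real device.

```python
import math
import statistics

# Constructed reference values (not from the thread): RSSI in dBm expected at 1 m
# from the transmitting phone, and the path-loss exponent n (2.0 = free space).
REFERENCE_RSSI_1M = -59.0
PATH_LOSS_EXPONENT = 2.0

# Constructed per-receiver calibration offsets in dB, keyed by hypothetical
# device model names. A receiver whose radio front end reports RSSI 6 dB weaker
# than the reference device gets +6 so its readings become comparable.
RECEIVER_OFFSETS_DB = {
    "reference-phone": 0.0,
    "phone-weak-antenna": 6.0,
    "phone-strong-antenna": -3.0,
}


def calibrated_rssi(rssi_dbm, receiver):
    """Apply the receiver's calibration offset; unknown models get no correction."""
    return rssi_dbm + RECEIVER_OFFSETS_DB.get(receiver, 0.0)


def estimate_distance_m(rssi_dbm, receiver="reference-phone",
                        reference_rssi_1m=REFERENCE_RSSI_1M, n=PATH_LOSS_EXPONENT):
    """Log-distance path-loss model, solved for distance.

    The model assumes rssi = reference_rssi_1m - 10 * n * log10(d), hence
    d = 10 ** ((reference_rssi_1m - rssi) / (10 * n)).
    """
    rssi = calibrated_rssi(rssi_dbm, receiver)
    return 10 ** ((reference_rssi_1m - rssi) / (10 * n))


def median_rssi(samples_dbm):
    """Single advertisements are noisy; use the median of a burst of samples."""
    if not samples_dbm:
        raise ValueError("no RSSI samples")
    return statistics.median(samples_dbm)


def within_contact_range(samples_dbm, receiver="reference-phone", threshold_m=2.0):
    """True when the median RSSI of the burst maps to <= threshold_m."""
    return estimate_distance_m(median_rssi(samples_dbm), receiver) <= threshold_m


if __name__ == "__main__":
    # Constructed burst of RSSI samples as a weak-antenna phone would report them
    # while the peer is about 2 m away; the median is -71 dBm.
    burst = [-73.0, -70.0, -71.0, -74.0, -69.0]
    for model in ("reference-phone", "phone-weak-antenna", "phone-strong-antenna"):
        d = estimate_distance_m(median_rssi(burst), model)
        print(f"{model:22s} -> {d:5.2f} m, contact={within_contact_range(burst, model)}")
```

With the constructed offsets, the same -71dBm median reads as roughly 4m on the uncalibrated reference model and 2m once the weak-antenna receiver's +6dB correction is applied, which is the kind of ecosystem-dependent discrepancy the thread describes.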