Weekly Threat Report - 23rd August 2019
Bluetooth vulnerability spotted and patched
A vulnerability in Bluetooth’s wireless standard has been discovered by researchers which could allow attackers to intercept keystrokes, address books, and other sensitive data.
The vulnerability, named ‘Key Negotiation of Bluetooth’, potentially allows attackers to affect the length of encryption keys, even reducing them down to a single digit, making fraudulent access to connected devices much easier.
The report notes that ‘the attack is standard-compliant because all Bluetooth BR/EDR versions require to support encryption keys with entropy between 1 and 16 bytes and do not secure the key negotiation protocol. As a result, the attacker completely breaks Bluetooth BR/EDR security without being detected’.
Although breaking the BR/EDR protocol is dependent on both devices having the vulnerability, if successfully executed it would allow hackers an opportunity to intercept, access and alter exchanges between devices.
In response to this flaw, Bluetooth have released a statement and security notice suggesting there had been ‘no evidence that the vulnerability has been exploited maliciously’. It also outlined an update to the Bluetooth Core Specification which would promote a minimum encryption key length of 7 octets for BR/EDR connections.
The NCSC would always advise patching with the latest updates, but there are also some useful links from companies that have released updates mitigating against this vulnerability.
Apple: macOS, iOS and watchOS
Cisco: IP phones and Webex
Blackberry powered by Android phones
Using Python 2? It’s time to move on
Developers using Python 2 should begin to plan ahead and switch to Python 3 with the former losing its support from 1st January 2020.
As we step into 2020 Python 2 will be left firmly in the past with no more security updates and bug fixes. Continuing to use it would only heighten the risk of vulnerabilities and the NCSC’s advice is to port your code to Python 3 as soon as possible.
If you want more information, advice and to dive into the detail a little bit more then the NCSC’s Rich M has this week blogged about this very subject.
In general, the NCSC will always stress the importance of updating and, whilst patching alone won’t magically make you secure, failing to do so is the best way to undermine an otherwise secure design.
It is also well worth reading the NCSC’s risk management guidance, and the secure development and deployment guidance.