Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


Filter this topic showing only the reply marked as answer View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9
25691 posts

Uber Geek
+1 received by user: 5444

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 1882751 13-Oct-2017 07:44
Send private message quote this post

vyfster:

 

So what is the expected life of a premium / flagship phone?

 

 

Based upon typical warranty periods which Consumer NZ pushed for to meet average lifespan that figure sits at around 2 years.

 

As for the YouTube comment I made earlier I made that because we're already seen numerous smart TV's lose YouTube support because of the API change. 

 

 

 

 


2766 posts

Uber Geek
+1 received by user: 1169


  Reply # 1882755 13-Oct-2017 08:04
3 people support this post
Send private message quote this post

Wow this has been a blast, and I can't help myself. 

 

As I understand it the OP has a phone that is in perfect working order, including Bluetooth, but somehow this is now 'faulty' because 2 years after the fact someone designed an exploit that allows a person, under a very specific set of circumstances, access to the phone for some assumedly nefarious reason. 

 

Aside from the fact that I have more chance of winning Lotto tomorrow than someone actually doing this, and is borderline tin-foil-hat type stuff, I will add my vote to the 'no' camp.  I don't believe a CGA claim is reasonable or would succeed. Software designers cannot predict the future, and cannot be expected to support software ad infinitum.  Bottom line the phone is NOT faulty nor is the software, and it works exactly as intended.   

 

If software and security updates are critical to someone then due diligence would lead them to an Apple product as the only manufacturer who consistently rolls out updates across all it's devices.  Not starting an Android vs Apple argument, it's simply a fact of how the eco-systems operate and are managed by the respective companies.  

 

It's an interesting argument though.    

 

 

 

 

 

   

 

 





Always be yourself, unless you can be Batman, then always be the Batman



 
 
 
 


460 posts

Ultimate Geek
+1 received by user: 95

Subscriber

  Reply # 1882861 13-Oct-2017 10:44
One person supports this post
Send private message quote this post

For those of you who don't think Blueborn is a very real threat I think you need to go and reread this part ROOT access with no approval or interaction your device just simply needs to have bluetooth turned on and discoverability does not need to be turned on.

 

Root is the scary part, root is overlord. Root is the highest level it can do anything and everything and this can be accessed just by getting into bluetooth range.

 

Nothing is stopping someone from creating a worm that can travel by exploiting this hole taking your data or waiting in hiding untill told to do something with root access they can do anything they like. Nothing is stopping them from seeding this worm from already pwnd systems worldwide meaning that this could travel very fast. Think of how many people you pass on any one day.

 

The closest thing I can think to equate this sort of hack to is the common cold you can carry it without your knowledge affecting many more people you only find out your affected when something has happened. However the common cold does not steal or your data.

 

The tin foil hat should be on your phone/device. Turn bluetooth off until your phone is patched and guess what that is a rather unpalatable suggestion to many people.





Geoff E



67 posts

Master Geek
+1 received by user: 9


  Reply # 1882867 13-Oct-2017 10:50
Send private message quote this post

scuwp:

 

Wow this has been a blast, and I can't help myself. 

 

 

Happy to have entertained :)

 

scuwp:

 

 an exploit that allows a person, under a very specific set of circumstances, access to the phone for some assumedly nefarious reason. 

 

 

Unless there is something that I have missed with BlueBourne, there is a hardly a set of specific circumstances needed to gain access to the phone.  All that is required is for bluetooth to be enabled.  Who doesn't have bluetooth enabled while driving?  Stuck in traffic and a worm could easily propagate across the devices.

 

scuwp:

 

Aside from the fact that I have more chance of winning Lotto tomorrow than someone actually doing this, and is borderline tin-foil-hat type stuff

 

 

I am somewhat floored at what appears to be an indifferent attitude towards security.  Maybe I have misunderstood BlueBourne and have blown it out of proportion.  But if all it requires is bluetooth to be enabled and nothing else, then you can bet your bottom dollar that someone is going to create an exploit that takes advantage of this.  I think I need to start betting beers .. although I'm not a big drinker so could end up getting very drunk ;)

 

scuwp:

 

I will add my vote to the 'no' camp.  I don't believe a CGA claim is reasonable or would succeed.   

 

 

Thanks.  The overwhelming response seems to be in agreement with you.  

 

scuwp:

 

Software designers cannot predict the future, and cannot be expected to support software ad infinitum.  Bottom line the phone is NOT faulty nor is the software, and it works exactly as intended. 

 

 

I agree that software cannot be supported ad infinitum and that there will always be bugs in software.  This doesn't excuse not patching the software for devices not older than (X). (UGH! Too many NOTs in there!)  What (X) is seems to vary between all of us.  I would've imagined 3 years for a premium well looked after phone would be a minimum.  

 

Edit: meant to reply to the next bit too: The software is absolutely faulty.  It allows anyone access to the device via bluetooth.  I doubt very much, that this is the intended use for bluetooth.  And since the software that manages bluetooth is part of the OS, to my mind, the device is faulty too.  I don't see how you can say that it is working exactly as intended.

 

scuwp:

 

If software and security updates are critical to someone then due diligence would lead them to an Apple product as the only manufacturer who consistently rolls out updates across all it's devices.  Not starting an Android vs Apple argument, it's simply a fact of how the eco-systems operate and are managed by the respective companies.  

 

 

Yep, Apple are definitely leading the way there.  Who would've thought! :P

 

I'm curious as to when is a security flaw in a device (software, part of the OS) considered a flaw in the device and when is it not?

 

 




67 posts

Master Geek
+1 received by user: 9


  Reply # 1882870 13-Oct-2017 10:52
Send private message quote this post

geocom:

 

For those of you who don't think Blueborn is a very real threat I think you need to go and reread this part ROOT access with no approval or interaction your device just simply needs to have bluetooth turned on and discoverability does not need to be turned on.

 

Root is the scary part, root is overlord. Root is the highest level it can do anything and everything and this can be accessed just by getting into bluetooth range.

 

Nothing is stopping someone from creating a worm that can travel by exploiting this hole taking your data or waiting in hiding untill told to do something with root access they can do anything they like. Nothing is stopping them from seeding this worm from already pwnd systems worldwide meaning that this could travel very fast. Think of how many people you pass on any one day.

 

The closest thing I can think to equate this sort of hack to is the common cold you can carry it without your knowledge affecting many more people you only find out your affected when something has happened. However the common cold does not steal or your data.

 

The tin foil hat should be on your phone/device. Turn bluetooth off until your phone is patched and guess what that is a rather unpalatable suggestion to many people.

 

 

Thank you.  I was starting to think that I had overblown this vulnerability in my own head.


655 posts

Ultimate Geek
+1 received by user: 105


  Reply # 1882903 13-Oct-2017 11:38
One person supports this post
Send private message quote this post

Benjip:

 

 

 

What you're suggesting would have major a negative effect on the features that are shipped with any product. Manufacturers would simply stop innovating if they had to support everything for an indefinite period of time.

 

 

I never suggested it should be for a "indefinite period of time", rather it should be for the reasonable lifetime of the device as per the Consumer Guarantees Act.

 

I don't believe an extra couple of years of support would stop them innovating, but if it did I'm sure others would take up their reins.

 

 

 

Benjip:

 

Also, you'll probably find that in the T&C of any product you purchase (whether it be a TV, smartphone or other), there will be a clause about third party services not being guaranteed to work forever, if at all. By using the product (switching on the TV) you're agreeing to those terms.

 

 

I disagree on two fronts. 

 

     

  1. You cant contract out of the consumer guarantees act.
  2. I would challenge that you're automatically agreeing to their terms by using the product, thats dubious at best.

 

At the end of the day its all about how it was advertised. If it was advertised as a Youtube TV then the youtube app should absolutely work for a reasonable lifetime.

 

 


2766 posts

Uber Geek
+1 received by user: 1169


  Reply # 1882905 13-Oct-2017 11:42
Send private message quote this post

I am somewhat floored at what appears to be an indifferent attitude towards security.  Maybe I have misunderstood BlueBourne and have blown it out of proportion.  But if all it requires is bluetooth to be enabled and nothing else, then you can bet your bottom dollar that someone is going to create an exploit that takes advantage of this.  I think need to start betting beers .. although I'm not a big drinker so could end up getting drunk ;)

 

Not sure about indifferent, perhaps realistic or pragmatic might be better terms, or simply a higher threshold for this type of risk.    

 

As far as I understand it (based on a very quick scan of some posts from alleged experts) for a person to do this they would have to be, and remain within the Bluetooth range of your device (say within 10 meters?), they would then need a very "specific set of tools" (what those are I don't know), and lastly they would actually need choose to target you as individual for some reason. 

 

I am sure this is not the first and it definitely won't be the last security issue identified for just about any electronic device. Any wireless connection between one device and another is always prone to access by a third party...it's a cat and mouse game. 

 

If a person is that adverse to risk and/or has data and access that are that critical I suggest something better than regular software is needed, for example 2FA or encryption. 

 

Each to their own, I just think I have for more relevant and likely concerns in life that someone following me down a street with a laptop trying to hack into my emails. 

 

This issue aside, it is an interesting discussion on software as a product vs as a service,  and lifetime expectations.   Other examples I currently have are TiVo, and the removal of apps on devices such as a smart TV that were advertised as a 'feature' of the device.  An example of the latter in my samsung Smart TV was sold with Skype as a feature, we even got a camera and keyboard specifically for it, but support for Skype has now been removed.  I never thought of that as a CGA issue...but perhaps it is. 

 

  

 

             





Always be yourself, unless you can be Batman, then always be the Batman





67 posts

Master Geek
+1 received by user: 9


  Reply # 1882939 13-Oct-2017 12:20
Send private message quote this post

scuwp:

 

Not sure about indifferent, perhaps realistic or pragmatic might be better terms, or simply a higher threshold for this type of risk.    

 

As far as I understand it (based on a very quick scan of some posts from alleged experts) for a person to do this they would have to be, and remain within the Bluetooth range of your device (say within 10 meters?), they would then need a very "specific set of tools" (what those are I don't know), and lastly they would actually need choose to target you as individual for some reason. 

 

I am sure this is not the first and it definitely won't be the last security issue identified for just about any electronic device. Any wireless connection between one device and another is always prone to access by a third party...it's a cat and mouse game. 

 

If a person is that adverse to risk and/or has data and access that are that critical I suggest something better than regular software is needed, for example 2FA or encryption. 

 

Each to their own, I just think I have for more relevant and likely concerns in life that someone following me down a street with a laptop trying to hack into my emails. 

 

 

 

 

I've read different articles.  One says that you get the permission of the user and another says you get the permissions of the Bluetooth stack, which needs to run as superuser (root).  If you gain root then the device is 100% compromised.  If you get the user permissions then permission escalation vulnerabilities will give the attacker root.  Encryption can no longer be trusted on that device.  That banking app that you use - not safe to use.  Use Authy for 2FA?  No longer safe to use and consider all related accounts compromised too.  Use Android Pay which stores your credit card information?  That is stolen too.  People wouldn't use this vulnerability to steal your emails or specifically your private data (unless you're someone of high value). That is boring and who wants to read 1000's upon 1000's of emails from strangers?  They could lock up the users data instead.  The recent WannaCry ransomware already forgotten by all?

 

This doesn't necessarily have to be a targeted attack on you.  If a worm is created then consider people at airports.  The worm could easily spread among everyone without anyone knowing.  What about at a shopping mall?  Another place where the worm could spread.  And if you are vigilant and turn off bluetooth when not using it, then surely you would use it when driving?  You do use handsfree right?  If not you, then most people should be.  Stuck in rush hour traffic?  All the cars are pretty close to one another at a standstill.  I'd say they are less than 10 meters apart from one another, i.e. in range for the worm to propagate.  I'm starting to feel a bit like a doomsayer.  I'm happy for someone to point out that I have misunderstood the threat that BlueBourne presents if that is the case.

 

scuwp:

 

This issue aside, it is an interesting discussion on software as a product vs as a service,  and lifetime expectations.   Other examples I currently have are TiVo, and the removal of apps on devices such as a smart TV that were advertised as a 'feature' of the device.  An example of the latter in my samsung Smart TV was sold with Skype as a feature, we even got a camera and keyboard specifically for it, but support for Skype has now been removed.  I never thought of that as a CGA issue...but perhaps it is.

 

 

Sony were spanked for removing Linux from the original PS3 (not sure if that was the case though here in NZ).  And rightly so.  It was an advertised feature that they then decided to remove.  So I'd argue that if the TV was advertised with a feature and the feature no longer works then the manufacturer has to provide a remedy.  But I image that third party services would be a tough one.  Manufacturers don't have control over the business practice of any external service providers.

 

But back to vulnerabilities in devices - when is an OS vulnerability as severe as BlueBourne (at least appears to be to me) a defect in the device and when is it not?

 

 




67 posts

Master Geek
+1 received by user: 9


  Reply # 1882943 13-Oct-2017 12:31
Send private message quote this post

scuwp:

 

they would then need a very "specific set of tools" (what those are I don't know)

 

 

The only tools you would need are:

 

  • attack code.
  • a compiler (Android SDK).
  • a device that has bluetooth to transmit the worm to infect "Patient 0".
  • vulnerable devices 
  • obligatory ??? 
  • profit.



67 posts

Master Geek
+1 received by user: 9


  Reply # 1882959 13-Oct-2017 12:50
One person supports this post
Send private message quote this post

Since it appears that there is not much concern about BlueBourne here, I went back to read the article because I started doubting myself.  I'm of the opinion that those who think this is tin-foil hat stuff need to reevaluate.

 

BlueBorne Explained: How The Attack Vector Works

 

The BlueBorne attack vector has several stages. First, the attacker locates active Bluetooth connections around him or her. Devices can be identified even if they are not set to “discoverable” mode. Next, the attacker obtains the device’s MAC address, which is a unique identifier of that specific device. By probing the device, the attacker can determine which operating system his victim is using, and adjust his exploit accordingly. The attacker will then exploit a vulnerability in the implementation of the Bluetooth protocol in the relevant platform and gain the access he needs to act on his malicious objective. At this stage the attacker can choose to create a Man-in-The-Middle attack and control the device’s communication, or take full control over the device and use it for a wide array of cybercriminal purposes.

 

Source: https://www.armis.com/blueborne/.  Armis is the team who discovered the vulnerability.


13371 posts

Uber Geek
+1 received by user: 1601


  Reply # 1883098 13-Oct-2017 17:10
Send private message quote this post

scuwp:

 

teresting discussion on software as a product vs as a service,  and lifetime expectations.   Other examples I currently have are TiVo, and the removal of apps on devices such as a smart TV that were advertised as a 'feature' of the device.  An example of the latter in my samsung Smart TV was sold with Skype as a feature, we even got a camera and keyboard specifically for it, but support for Skype has now been removed.  I never thought of that as a CGA issue...but perhaps it is. 

 

  

 

             

 

 

 

 

I think it is a pretty good discussion to have, as this sort of problem is only going to become more and more common. I am surprise Consumer NZ haven't done any articles on this. I purchased a sony TV which had a lot of smart features But gradually they have been reduced over time as they didn't bother to updated them . eg Twitter APIs, Youtube,  etc all no longer work, even though they were all one reason I purchased it. But in that case the actual TV still works, and I can just plug in a smart box and get similar functionality back, but that involves a cost, but not a major issue. With a phone there isn't that option, and the manufacturer essentially dictates the safe working life of a a product, and often that manufacturer may exist overseas and doesn't know about NZs consumer laws.


2959 posts

Uber Geek
+1 received by user: 840

Trusted
Subscriber

  Reply # 1883114 13-Oct-2017 18:54
Send private message quote this post

scuwp: If software and security updates are critical to someone then due diligence would lead them to an Apple product as the only manufacturer who consistently rolls out updates across all it's devices. 

 

Google also do this with their Nexus phones and I have no doubt they will also do it with their Pixel phones.


25691 posts

Uber Geek
+1 received by user: 5444

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 1883250 14-Oct-2017 09:05
Send private message quote this post

Dratsab:

 

scuwp: If software and security updates are critical to someone then due diligence would lead them to an Apple product as the only manufacturer who consistently rolls out updates across all it's devices. 

 

Google also do this with their Nexus phones and I have no doubt they will also do it with their Pixel phones.

 

 

Sony release security updates monthly for their devices as well - like Google however it's for a finite period. The Nexus phones have typically been supported for about 2 years which seems to be the norm for most Android manufacturers.

 

https://support.google.com/nexus/answer/4457705?hl=en#nexus_devices

 

 

 

 


1277 posts

Uber Geek
+1 received by user: 291

Subscriber

  Reply # 1883265 14-Oct-2017 09:58
Send private message quote this post

*looks at my Sony Z2 and wonders if it has already betrayed me*





Life is too short to remove USB safely.


1662 posts

Uber Geek
+1 received by user: 950

Trusted
Subscriber

  Reply # 1883298 14-Oct-2017 11:31
Send private message quote this post

kiwifidget: *looks at my Sony Z2 and wonders if it has already betrayed me*

 

@kiwifidget North Korea already has control of your handset :p

 

Linux

 

 


1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9
Filter this topic showing only the reply marked as answer View this topic in a long page with up to 500 replies per page Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

New Zealand government to create digital advisory group
Posted 16-Dec-2017 08:47


Australia datum changes means whole country moving 1.8 metres north-east
Posted 16-Dec-2017 08:39


UAV Traffic Management Trial launching today in New Zealand
Posted 12-Dec-2017 16:06


UFB connections pass 460,000
Posted 11-Dec-2017 11:26


The Warehouse Group to adopt IBM Cloud to support digital transformation
Posted 11-Dec-2017 11:22


Dimension Data peeks into digital business 2018
Posted 11-Dec-2017 10:55


2018 Cyber Security Predictions
Posted 7-Dec-2017 14:55


Global Govtech Accelerator to drive public sector innovation in Wellington
Posted 7-Dec-2017 11:21


Stuff Pix media strategy a new direction
Posted 7-Dec-2017 09:37


Digital transformation is dead
Posted 7-Dec-2017 09:31


Fake news and cyber security
Posted 7-Dec-2017 09:27


Dimension Data New Zealand strengthens cybersecurity practice
Posted 5-Dec-2017 20:27


Epson NZ launches new Expression Premium Photo range
Posted 5-Dec-2017 20:26


Eventbrite and Twickets launch integration partnership in Australia and New Zealand
Posted 5-Dec-2017 20:23


New Fujifilm macro lens lands in New Zealand
Posted 5-Dec-2017 20:16



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.