Geekzone: technology news, blogs, forums
sbiddle
#1882751 13-Oct-2017 07:44

vyfster: So what is the expected life of a premium / flagship phone?

Based upon typical warranty periods, which Consumer NZ pushed for to meet average lifespan, that figure sits at around 2 years.

As for the YouTube comment I made earlier, I made that because we've already seen numerous smart TVs lose YouTube support because of the API change.

scuwp
#1882755 13-Oct-2017 08:04

Wow, this has been a blast, and I can't help myself.

As I understand it, the OP has a phone that is in perfect working order, including Bluetooth, but somehow this is now 'faulty' because 2 years after the fact someone designed an exploit that allows a person, under a very specific set of circumstances, access to the phone for some assumedly nefarious reason.

Aside from the fact that I have more chance of winning Lotto tomorrow than someone actually doing this, and it is borderline tin-foil-hat type stuff, I will add my vote to the 'no' camp. I don't believe a CGA claim is reasonable or would succeed. Software designers cannot predict the future, and cannot be expected to support software ad infinitum. Bottom line, the phone is NOT faulty nor is the software, and it works exactly as intended.

If software and security updates are critical to someone then due diligence would lead them to an Apple product as the only manufacturer who consistently rolls out updates across all its devices. Not starting an Android vs Apple argument, it's simply a fact of how the ecosystems operate and are managed by the respective companies.

It's an interesting argument though.

Never attribute to malice that which is adequately explained by stupidity - Robert J Hanlon

geocom
#1882861 13-Oct-2017 10:44

For those of you who don't think BlueBorne is a very real threat, I think you need to go and reread this part: ROOT access with no approval or interaction. Your device just simply needs to have Bluetooth turned on, and discoverability does not need to be turned on.

Root is the scary part; root is overlord. Root is the highest level: it can do anything and everything, and this can be accessed just by getting into Bluetooth range.

Nothing is stopping someone from creating a worm that can travel by exploiting this hole, taking your data or waiting in hiding until told to do something. With root access they can do anything they like. Nothing is stopping them from seeding this worm from already pwnd systems worldwide, meaning that this could travel very fast. Think of how many people you pass on any one day.

The closest thing I can think of to equate this sort of hack to is the common cold: you can carry it without your knowledge, affecting many more people, and you only find out you're affected when something has happened. However, the common cold does not steal your data.

The tin foil hat should be on your phone/device. Turn Bluetooth off until your phone is patched, and guess what, that is a rather unpalatable suggestion to many people.

Geoff E

vyfster
#1882867 13-Oct-2017 10:50

scuwp: Wow this has been a blast, and I can't help myself.

Happy to have entertained :)

scuwp: an exploit that allows a person, under a very specific set of circumstances, access to the phone for some assumedly nefarious reason.

Unless there is something that I have missed with BlueBorne, there is hardly a set of specific circumstances needed to gain access to the phone. All that is required is for Bluetooth to be enabled. Who doesn't have Bluetooth enabled while driving? Stuck in traffic, and a worm could easily propagate across the devices.

scuwp: Aside from the fact that I have more chance of winning Lotto tomorrow than someone actually doing this, and is borderline tin-foil-hat type stuff

I am somewhat floored at what appears to be an indifferent attitude towards security. Maybe I have misunderstood BlueBorne and have blown it out of proportion. But if all it requires is Bluetooth to be enabled and nothing else, then you can bet your bottom dollar that someone is going to create an exploit that takes advantage of this. I think I need to start betting beers... although I'm not a big drinker so could end up getting very drunk ;)

scuwp: I will add my vote to the 'no' camp. I don't believe a CGA claim is reasonable or would succeed.

Thanks. The overwhelming response seems to be in agreement with you.

scuwp: Software designers cannot predict the future, and cannot be expected to support software ad infinitum. Bottom line the phone is NOT faulty nor is the software, and it works exactly as intended.

I agree that software cannot be supported ad infinitum and that there will always be bugs in software. This doesn't excuse not patching the software for devices not older than (X). (UGH! Too many NOTs in there!) What (X) is seems to vary between all of us. I would've imagined 3 years for a premium, well looked after phone would be a minimum.

Edit: meant to reply to the next bit too: The software is absolutely faulty. It allows anyone access to the device via Bluetooth. I doubt very much that this is the intended use for Bluetooth. And since the software that manages Bluetooth is part of the OS, to my mind, the device is faulty too. I don't see how you can say that it is working exactly as intended.

scuwp: If software and security updates are critical to someone then due diligence would lead them to an Apple product as the only manufacturer who consistently rolls out updates across all its devices. Not starting an Android vs Apple argument, it's simply a fact of how the ecosystems operate and are managed by the respective companies.

Yep, Apple are definitely leading the way there. Who would've thought! :P

I'm curious as to when a security flaw in a device (software, part of the OS) is considered a flaw in the device and when it is not?

vyfster
#1882870 13-Oct-2017 10:52

geocom:

For those of you who don't think BlueBorne is a very real threat, I think you need to go and reread this part: ROOT access with no approval or interaction. Your device just simply needs to have Bluetooth turned on, and discoverability does not need to be turned on.

Root is the scary part; root is overlord. Root is the highest level: it can do anything and everything, and this can be accessed just by getting into Bluetooth range.

Nothing is stopping someone from creating a worm that can travel by exploiting this hole, taking your data or waiting in hiding until told to do something. With root access they can do anything they like. Nothing is stopping them from seeding this worm from already pwnd systems worldwide, meaning that this could travel very fast. Think of how many people you pass on any one day.

The closest thing I can think of to equate this sort of hack to is the common cold: you can carry it without your knowledge, affecting many more people, and you only find out you're affected when something has happened. However, the common cold does not steal your data.

The tin foil hat should be on your phone/device. Turn Bluetooth off until your phone is patched, and guess what, that is a rather unpalatable suggestion to many people.

Thank you. I was starting to think that I had overblown this vulnerability in my own head.

ArcticSilver
#1882903 13-Oct-2017 11:38

Benjip: What you're suggesting would have a major negative effect on the features that are shipped with any product. Manufacturers would simply stop innovating if they had to support everything for an indefinite period of time.

I never suggested it should be for an "indefinite period of time", rather it should be for the reasonable lifetime of the device as per the Consumer Guarantees Act.

I don't believe an extra couple of years of support would stop them innovating, but if it did I'm sure others would take up their reins.

Benjip: Also, you'll probably find that in the T&C of any product you purchase (whether it be a TV, smartphone or other), there will be a clause about third party services not being guaranteed to work forever, if at all. By using the product (switching on the TV) you're agreeing to those terms.

I disagree on two fronts.

  1. You can't contract out of the Consumer Guarantees Act.
  2. I would challenge that you're automatically agreeing to their terms by using the product; that's dubious at best.

At the end of the day it's all about how it was advertised. If it was advertised as a YouTube TV then the YouTube app should absolutely work for a reasonable lifetime.

scuwp
#1882905 13-Oct-2017 11:42

vyfster: I am somewhat floored at what appears to be an indifferent attitude towards security. Maybe I have misunderstood BlueBorne and have blown it out of proportion. But if all it requires is Bluetooth to be enabled and nothing else, then you can bet your bottom dollar that someone is going to create an exploit that takes advantage of this. I think I need to start betting beers... although I'm not a big drinker so could end up getting drunk ;)

Not sure about indifferent; perhaps realistic or pragmatic might be better terms, or simply a higher threshold for this type of risk.

As far as I understand it (based on a very quick scan of some posts from alleged experts), for a person to do this they would have to be, and remain, within the Bluetooth range of your device (say within 10 meters?), they would then need a very "specific set of tools" (what those are I don't know), and lastly they would actually need to choose to target you as an individual for some reason.

I am sure this is not the first and it definitely won't be the last security issue identified for just about any electronic device. Any wireless connection between one device and another is always prone to access by a third party... it's a cat and mouse game.

If a person is that averse to risk and/or has data and access that are that critical, I suggest something better than regular software is needed, for example 2FA or encryption.

Each to their own, I just think I have far more relevant and likely concerns in life than someone following me down a street with a laptop trying to hack into my emails.

This issue aside, it is an interesting discussion on software as a product vs as a service, and lifetime expectations. Other examples I currently have are TiVo, and the removal of apps on devices such as a smart TV that were advertised as a 'feature' of the device. An example of the latter: my Samsung Smart TV was sold with Skype as a feature, we even got a camera and keyboard specifically for it, but support for Skype has now been removed. I never thought of that as a CGA issue... but perhaps it is.

vyfster
#1882939 13-Oct-2017 12:20

scuwp:

Not sure about indifferent; perhaps realistic or pragmatic might be better terms, or simply a higher threshold for this type of risk.

As far as I understand it (based on a very quick scan of some posts from alleged experts), for a person to do this they would have to be, and remain, within the Bluetooth range of your device (say within 10 meters?), they would then need a very "specific set of tools" (what those are I don't know), and lastly they would actually need to choose to target you as an individual for some reason.

I am sure this is not the first and it definitely won't be the last security issue identified for just about any electronic device. Any wireless connection between one device and another is always prone to access by a third party... it's a cat and mouse game.

If a person is that averse to risk and/or has data and access that are that critical, I suggest something better than regular software is needed, for example 2FA or encryption.

Each to their own, I just think I have far more relevant and likely concerns in life than someone following me down a street with a laptop trying to hack into my emails.

I've read different articles. One says that you get the permissions of the user and another says you get the permissions of the Bluetooth stack, which needs to run as superuser (root). If you gain root then the device is 100% compromised. If you get the user permissions then permission escalation vulnerabilities will give the attacker root. Encryption can no longer be trusted on that device. That banking app that you use: not safe to use. Use Authy for 2FA? No longer safe to use, and consider all related accounts compromised too. Use Android Pay, which stores your credit card information? That is stolen too. People wouldn't use this vulnerability to steal your emails or specifically your private data (unless you're someone of high value). That is boring, and who wants to read 1000's upon 1000's of emails from strangers? They could lock up the user's data instead. The recent WannaCry ransomware already forgotten by all?

This doesn't necessarily have to be a targeted attack on you. If a worm is created then consider people at airports. The worm could easily spread among everyone without anyone knowing. What about at a shopping mall? Another place where the worm could spread. And if you are vigilant and turn off Bluetooth when not using it, then surely you would use it when driving? You do use handsfree, right? If not you, then most people should be. Stuck in rush hour traffic? All the cars are pretty close to one another at a standstill. I'd say they are less than 10 meters apart from one another, i.e. in range for the worm to propagate. I'm starting to feel a bit like a doomsayer. I'm happy for someone to point out that I have misunderstood the threat that BlueBorne presents, if that is the case.

scuwp: This issue aside, it is an interesting discussion on software as a product vs as a service, and lifetime expectations. Other examples I currently have are TiVo, and the removal of apps on devices such as a smart TV that were advertised as a 'feature' of the device. An example of the latter: my Samsung Smart TV was sold with Skype as a feature, we even got a camera and keyboard specifically for it, but support for Skype has now been removed. I never thought of that as a CGA issue... but perhaps it is.

Sony were spanked for removing Linux from the original PS3 (not sure if that was the case though here in NZ). And rightly so. It was an advertised feature that they then decided to remove. So I'd argue that if the TV was advertised with a feature and the feature no longer works then the manufacturer has to provide a remedy. But I imagine that third party services would be a tough one. Manufacturers don't have control over the business practice of any external service providers.

But back to vulnerabilities in devices: when is an OS vulnerability as severe as BlueBorne (at least, as it appears to me) a defect in the device and when is it not?

vyfster
#1882943 13-Oct-2017 12:31

scuwp: they would then need a very "specific set of tools" (what those are I don't know)

The only tools you would need are:

  • attack code.
  • a compiler (Android SDK).
  • a device that has Bluetooth to transmit the worm to infect "Patient 0".
  • vulnerable devices
  • obligatory ???
  • profit.

vyfster
#1882959 13-Oct-2017 12:50

Since it appears that there is not much concern about BlueBorne here, I went back to read the article because I started doubting myself. I'm of the opinion that those who think this is tin-foil hat stuff need to reevaluate.

BlueBorne Explained: How The Attack Vector Works

The BlueBorne attack vector has several stages. First, the attacker locates active Bluetooth connections around him or her. Devices can be identified even if they are not set to "discoverable" mode. Next, the attacker obtains the device's MAC address, which is a unique identifier of that specific device. By probing the device, the attacker can determine which operating system his victim is using, and adjust his exploit accordingly. The attacker will then exploit a vulnerability in the implementation of the Bluetooth protocol in the relevant platform and gain the access he needs to act on his malicious objective. At this stage the attacker can choose to create a Man-in-The-Middle attack and control the device's communication, or take full control over the device and use it for a wide array of cybercriminal purposes.

Source: https://www.armis.com/blueborne/. Armis is the team who discovered the vulnerability.
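The practical advice in this thread is "turn Bluetooth off until your phone is patched". As an added illustration, not part of the thread or of Armis's material, the shell function below turns that advice into a fleet check a defender can run from the two values adb can read off an Android handset: the security patch level and whether Bluetooth is on. The patch-level threshold is my assumption (the Android fixes for these bugs shipped with the September 2017 security bulletin); adjust it for your platform.

```shell
#!/bin/sh
# Added example, not from the thread. Classify a handset's BlueBorne exposure
# from its Android security patch level and Bluetooth state.
# Assumption: devices at or above this patch level carry the fix.
PATCHED_FROM="2017-09-05"

# to_int 2017-08-05 -> 20170805, so patch levels compare as plain integers
to_int() { printf '%s' "$1" | sed 's/-//g'; }

# exposure <ro.build.version.security_patch> <bluetooth_on 0|1>
# prints one of: patched, exposed (unpatched and radio on),
# mitigated (unpatched but radio off), unknown (unparseable level)
exposure() {
  level="$1"; bt="$2"
  case "$level" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) echo unknown; return 0 ;;
  esac
  if [ "$(to_int "$level")" -ge "$(to_int "$PATCHED_FROM")" ]; then
    echo patched
  elif [ "$bt" = "1" ]; then
    echo exposed
  else
    echo mitigated
  fi
}

# Live use against a connected device (both are real Android property/setting names;
# tr strips the CR that adb shell appends on some builds):
#   level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
#   bt=$(adb shell settings get global bluetooth_on | tr -d '\r')
#   exposure "$level" "$bt"
```

An "exposed" result is the case geocom describes: an unpatched stack reachable by anyone in radio range; "mitigated" is the same handset with the radio off, which is only a stopgap until the patch lands.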


mattwnz
#1883098 13-Oct-2017 17:10

scuwp: ...interesting discussion on software as a product vs as a service, and lifetime expectations. Other examples I currently have are TiVo, and the removal of apps on devices such as a smart TV that were advertised as a 'feature' of the device. An example of the latter: my Samsung Smart TV was sold with Skype as a feature, we even got a camera and keyboard specifically for it, but support for Skype has now been removed. I never thought of that as a CGA issue... but perhaps it is.

I think it is a pretty good discussion to have, as this sort of problem is only going to become more and more common. I am surprised Consumer NZ haven't done any articles on this. I purchased a Sony TV which had a lot of smart features, but gradually they have been reduced over time as they didn't bother to update them, e.g. Twitter APIs, YouTube, etc. all no longer work, even though they were all one reason I purchased it. But in that case the actual TV still works, and I can just plug in a smart box and get similar functionality back; that involves a cost, but is not a major issue. With a phone there isn't that option, and the manufacturer essentially dictates the safe working life of a product, and often that manufacturer may exist overseas and doesn't know about NZ's consumer laws.

Dratsab
#1883114 13-Oct-2017 18:54

scuwp: If software and security updates are critical to someone then due diligence would lead them to an Apple product as the only manufacturer who consistently rolls out updates across all its devices.

Google also do this with their Nexus phones and I have no doubt they will also do it with their Pixel phones.

sbiddle
#1883250 14-Oct-2017 09:05

Dratsab:

scuwp: If software and security updates are critical to someone then due diligence would lead them to an Apple product as the only manufacturer who consistently rolls out updates across all its devices.

Google also do this with their Nexus phones and I have no doubt they will also do it with their Pixel phones.

Sony release security updates monthly for their devices as well; like Google, however, it's for a finite period. The Nexus phones have typically been supported for about 2 years, which seems to be the norm for most Android manufacturers.

https://support.google.com/nexus/answer/4457705?hl=en#nexus_devices

kiwifidget
#1883265 14-Oct-2017 09:58

*looks at my Sony Z2 and wonders if it has already betrayed me*

Delete cookies?! Are you insane?!

Linux
#1883298 14-Oct-2017 11:31

kiwifidget: *looks at my Sony Z2 and wonders if it has already betrayed me*

@kiwifidget North Korea already has control of your handset :p

Linux