"M. L." <m...@privacy.invalid> wrote
| Sounds like the vulnerability is mostly academic.
|
Not at all. That's what people always think until it happens.
Who imagined that your ATM could give away your bank account
savings by someone inserting a thin skimmer card into the
bank card slot?
This attack may be academic for the average home or
small office user, where bluetooth is not common. But on
phones this could be a big problem. For instance, in Starbucks,
where the wireless service could be used to capture your
phone talking to their cash register. And this:
https://www.nytimes.com/interactive/2019/06/14/opinion/bluetooth-wireless-tracking-privacy.html
That article explains how retail stores are now tracking
location of customers in great detail, so they can study what
products you look at. The location data is collected using small
bluetooth beacons distributed throughout the store. All you
need is a spyware app on your phone (which most of them
seem to be) and you end up with repeated bluetooth connections.
These particular beacons may not need to actually negotiate a
connection. The article describes them as broadcasters.
But that's just one possible scenario, which most of us never
would have imagined possible. It's likely that bluetooth tracking
will be ubiquitous soon, done by commercial but also gov't
entities. So why enable bluetooth on your phone? So it can
talk to your watch or your earplugs? So you can wave your
phone at cash registers to pay? If you want to be able to
do such silly things then you *will* be taking a risk. If not
with security then with privacy. If not with this bug then
with the next.
I half expect that one of these days I'll be picked up on
a surveillance camera and cops will stop me for walking without
a cellphone, because I showed up on the camera but the
corresponding bluetooth beacons never sent my ID, movement
history, sexual preferences, favorite color, and last purchase
details to the authorities.
That makes phones the next security problem. Computers
are mostly only being attacked these days by ransomware
aimed at commercial entities. Increasingly, people are shopping
and banking by waving their cellphone. Bluetooth. Spyware apps.
Malware. All happening on a profoundly insecure little device
that holds everything that used to be in your desk... plus a lot
more.
That creates an extensive threat potential. And as usual, no
one will take it seriously because everyone wants convenience.