[ PRIVACY Forum ] Script of my national radio report yesterday on new Bluetooth flaw and broader issues of personal communications security

[Lauren Weinstein]

This is the script of my national radio report yesterday on a newly
announced Bluetooth security flaw and broader issues of personal
communications security. As always there may have been minor wording
variations from this script as I presented this report live on air.

- - -

Yeah, it seems to be deja vu all over again, yet again, when it comes
to Bluetooth security issues. But beyond this particular exploit it's
another reminder about communications security in general and I'll get
more into that shortly.

Bluetooth of course is the short range wireless system widely used to
connect computers, phones, TVs, cars and more with each other and with
devices like headphones, headsets, earbuds, speakers, keyboards, mice,
all kinds of stuff. It was originally developed in the 1990s. The
latest version of Bluetooth is version 6 announced within the last
couple of years. Over those last 30 years or so there have been a
variety of problems that have come up in various Bluetooth versions
and sub-versions of Bluetooth, usually involving their data encryption
systems and/or the pairing protocols used to establish initial
communications between devices.

And sure enough this new problematic issue does involve pairing.
Specifically, it turns out that researchers have determined that a
feature Google introduced in 2017 called "Fast Pair" for their
Bluetooth technology has caused a vulnerability in various devices
using that feature, not just in some Google-branded devices but also
some other manufacturers' devices using the Google specifications. The
researchers reported this issue calling it "Whisperpair" privately to
Google and Google says they've rolled out fixes and they suggested
that part of the problem was related to other manufacturers not
properly following Google's specifications.

The exploit itself reportedly can permit hijacking of the audio
devices and leakage of location data. Apparently this can occur
within almost 50 feet of devices, so while that may not seem a big
risk for most users in general, if someone was being specifically
targeted that could become a significant issue. Of course Google's
fixes for this problem require that users of these devices know about
these updates and actually install them, and frankly how many people
ever think to update the firmware in their earbuds for example. So it
can be expected that the exploit may persist for quite some time.

Unfortunately, communications security problems in the tech we use
every day have been all too routine for years, not just affecting
Bluetooth, and various versions of Wi-Fi, but largely across the board
one way or another. And it goes further of course. Who is (or who
could be) reading your email when it's stored on one of the Big Tech
mail servers? When it's not end-to-end encrypted, you have to put
your faith in the firms because you really don't have any way to know
for sure.

You may feel that there's nothing you ever talk about that would
interest anyone enough to penetrate your communications security, but
the world is changing and from year to year you never really know when
what you consider to be an innocent conversation may be of interest to
someone or some organization somewhere.

That's one of the reasons why applications like Signal have gained so
much attention, because Signal does provide strong end-to-end
encryption. To be clear, especially given fairly recent news stories,
Signal is not a military grade encrypted communications system, and
it's not appropriate for discussing, for example, upcoming military
operations. And while of course one can't expect any application to be
perfect, for most people Signal seems to provide sufficient
communications security in a reasonably competent manner.

Of course it's up to each individual to decide what level of personal
communications security they desire. But increasingly more and more
busy people who really understandably never thought too much about
these issues in the past are giving serious consideration to these
concerns now, and today these issues do seem like something that
pretty much everyone should at the very least be thinking about.

- - -

L

- - -
--Lauren--
Lauren Weinstein
lau...@vortex.com (https://www.vortex.com/lauren)
Lauren's Blog: https://lauren.vortex.com
Mastodon: https://mastodon.laurenweinstein.org/@lauren
Signal: By request on need to know basis
Founder: Network Neutrality Squad: https://www.nnsquad.org
PRIVACY Forum: https://www.vortex.com/privacy-info
Co-Founder: People For Internet Responsibility
_______________________________________________
privacy mailing list
https://lists.vortex.com/mailman/listinfo/privacy