A large scale patching exercise to resolve a serious vulnerability in the Bluetooth specification that allows attackers to intercept and tamper with data exchanged wirelessly is underway. The disclosure in a research paper is serious because it allows people to perform a man-in-the-middle attack on the connection between vulnerable devices, reports Arstechnica.
From there, attackers can view any exchanged data, which might include contacts stored on a device, passwords typed on a keyboard, or sensitive information used by medical, point-of-sale, or automotive equipment. Attackers could also forge keystrokes on a Bluetooth keyboard to open up a command window or malicious website in an outright compromise of the connected phone or computer.
“This attack lets an attacker who can read and modify Bluetooth traffic during pairing force the key to be something they know,” JP Smith, a security engineer and Bluetooth security expert at security firm Trail of Bits, told Ars. “It’s not mathematically/theoretically novel at all, and it’s in fact about the simplest attack you can do on elliptic curve cryptosystems. Notably, this is a protocol-level fault, so if you implemented the Bluetooth spec out of the book (without some optional validation), you have this bug.”
BA, Marriott Face Massive Fines For Data Loss
If proof was needed that poor data protection is bad for the corporate wallet, two examples have demonstrated that substantial fines face those organisations that have lax data security.read more
Cumbria First Police Force To Utilise NMC Tools
Cumbria Constabulary has become the first police force to use the National Management Centre (NMC) for cybersecurity set up under the National Police Chiefs’ Council (NPCC).read more
Phishing Attacks Bypassing 2-Factor Authentication
Penetration testers and attackers have a new tool in their arsenal that can be used to automate phishing attacks in a way that defeats two-factor authentication (2FA) and is not easy to detect and block, reports CSO Magazine.read more
Third of Breaches Caused By Unpatched Vulnerabilities
IT security professionals have admitted that a third of cybersecurity breaches are the result of vulnerabilities that they should have patched.read more