
Widespread Bluetooth Vulnerabilities Uncovered in Major Operating Systems


Marc Newlin, a software engineer at Skysafe, has identified critical vulnerabilities in the Bluetooth functionalities of widely-used operating systems including macOS, iOS, Android, and Linux. This discovery highlights a potential risk for millions of users globally, who rely on these platforms for both personal and professional use.

The vulnerabilities discovered by Newlin allow attackers to bypass the Bluetooth authentication process on target devices. This means that an unauthorized user could potentially connect to a device without the owner’s knowledge or consent. The simplicity of the attack method is particularly alarming — it only requires a standard Linux computer equipped with a conventional Bluetooth adapter.

The scope of this security flaw is extensive, affecting various versions of macOS, iOS, Linux, and Android. This includes Android versions that have been in use for the past eleven years. The attack, registered under CVE-2023-45866, has different prerequisites across operating systems. For instance, on Android, the Bluetooth interface merely needs to be active. In contrast, on iOS and macOS, the attack reportedly only works if a Magic Keyboard is paired. Linux systems are vulnerable when the Bluetooth interface is active and visible to other devices.

While patches for these vulnerabilities have been developed, their implementation presents a challenge. For Linux systems, an effective patch has been available since 2020 but is often not enabled by default. Google has released a patch for Android versions 11 to 14, but the update’s reach to all end-users is a gradual process. Apple has confirmed the vulnerabilities but has not yet announced a specific timeline for releasing patches for iOS and macOS.
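A defender can check whether the Linux mitigation is actually switched on. The following is an added example, not code from the article or from Newlin: it assumes the 2020 mitigation refers to the BlueZ `ClassicBondedOnly` option in the `[General]` section of `/etc/bluetooth/input.conf`, which the article does not name, and it audits a constructed sample file.

```shell
#!/bin/sh
# Added example: audit a BlueZ input.conf for the HID bonding requirement.
# Assumption: the relevant option is ClassicBondedOnly under [General].

# Print the value of ClassicBondedOnly in [General], or "unset" when the
# option is missing, commented out, or the file is unreadable.
classic_bonded_only_value() {
    conf=$1
    [ -r "$conf" ] || { echo "unset"; return 0; }
    awk '
        /^[ \t]*[#;]/ { next }              # commented-out lines do not count
        /^[ \t]*\[/ {                       # section header, e.g. [General]
            sect = $0
            gsub(/[ \t]/, "", sect)
            sub(/^\[/, "", sect)
            sub(/\].*$/, "", sect)
            next
        }
        sect == "General" {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^ClassicBondedOnly[ \t]*=/) {
                sub(/^[^=]*=[ \t]*/, "", line)
                sub(/[ \t]+$/, "", line)
                val = line                  # last assignment wins
            }
        }
        END { print (val == "" ? "unset" : val) }
    ' "$conf"
}

# Return 0 when bonding is explicitly required, 1 when it is explicitly
# not required, 2 when the file leaves the decision to the built-in default
# (which then has to be checked against the installed BlueZ version).
audit_hid_bonding() {
    case "$(classic_bonded_only_value "$1")" in
        true|1) echo "OK: ClassicBondedOnly enabled in $1"; return 0 ;;
        unset)  echo "CHECK: ClassicBondedOnly not set in $1; built-in default applies"; return 2 ;;
        *)      echo "WEAK: ClassicBondedOnly not enabled in $1"; return 1 ;;
    esac
}

# Constructed sample: the option is present only as a comment.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[General]
#IdleTimeout=30
#ClassicBondedOnly=true
EOF
audit_hid_bonding "$sample" || true
rm -f "$sample"
```

On a real host, call `audit_hid_bonding /etc/bluetooth/input.conf` and restart the Bluetooth service after changing the file.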

Adding to the gravity of the situation is the recent introduction of BLUFFS (Bluetooth Forward and Future Secrecy), a set of Bluetooth attack techniques. These techniques can compromise encrypted Bluetooth traffic, allowing attackers to manipulate data in real time.

Apple Allegedly Blocks Beeper: Android Users Lose iMessage Access


Apple may have just thrown a wrench in the works for Beeper, the new app that promised Android users access to Apple’s exclusive iMessage service.

Beeper Mini users began reporting malfunctions last Friday, a mere seven days following the app’s debut. This sudden setback has led to speculation about Apple’s potential involvement in the issue. Beeper’s unique selling point was its ability to bring Apple’s exclusive messaging service to Android devices, a feature that was short-lived.

Eric Migicovsky, the chief of Beeper, in an interview with The Verge, did not dismiss the possibility that Apple might be behind the service disruption. While Beeper has officially attributed the problem to an internal failure, the timing and nature of the issue have raised questions about Apple’s role.

In response to this situation, Beeper’s developers are working on a solution. However, it’s still in development. As an interim measure, they have deregistered users’ phone numbers from iMessage. This action is intended to ensure that messages continue to be delivered via SMS. The transition from iMessage to SMS could take between 6 and 24 hours, during which time users might miss messages.

Beeper’s initial promise was to integrate iMessage into its universal messenger service by reverse engineering Apple’s protocol. The technical details of this process were shared on their blog, explaining the app’s structure and functionality.

Despite these challenges, Beeper is extending its 7-day free trial period by an additional week. After this extended trial, the service will cost $2 per month. However, the app’s reception has been lukewarm, with an average rating of 2.1 stars from approximately 2100 reviews on Google’s Play Store.

In a statement, Beeper expressed gratitude and regret: “We thank you for your patience during this unexpected issue. We apologize for any inconvenience caused by the interruption of our iMessage connection and are committed to resolving this as quickly as possible.”

Over 700 Smartphone Models at Risk: Researchers Uncover 5G Network Vulnerabilities


A team of researchers from the Singapore University of Technology and Design (SUTD) has identified multiple vulnerabilities in 5G modems used in over 710 smartphone models. This discovery, which affects devices from major manufacturers, has exposed a critical weakness in the infrastructure of the latest telecommunications technology.

The vulnerabilities, collectively termed “5Ghoul” by the researchers, were found in the 5G modems of two leading chipmakers, Qualcomm and Mediatek. Of the 14 vulnerabilities identified, ten are linked to these companies’ products, with three classified as high severity. The researchers have opted to withhold details of two vulnerabilities for security reasons.

These security gaps primarily enable attackers to execute denial-of-service (DoS) attacks. By exploiting these vulnerabilities, an attacker can disrupt the network connectivity of the targeted devices, causing the modems to crash and necessitating a complete device restart to regain 5G connectivity. The attack can be launched using a malicious 5G base station within the radio range of the target device, and it does not require any information about the victim’s SIM card. This is because the attack can be carried out before the completion of the NAS authentication process.

The scope of this issue is extensive, impacting 714 smartphone models from renowned brands such as Samsung, Oneplus, Oppo, Vivo, Xiaomi, Motorola, Sony, Asus, Huawei, Nokia, and LG. Notably, Qualcomm chips are found in 670 of these models, accounting for 94 percent of the affected devices.

According to a report by Bleeping Computer, Qualcomm and Mediatek had provided security updates to smartphone manufacturers two months prior to address these vulnerabilities. Both chipmakers have issued security bulletins naming the 5Ghoul vulnerabilities. However, the distribution of these updates poses a challenge, particularly within the Android ecosystem. Many users, especially those with older or less expensive smartphone models, may face delays in receiving the updates or might not receive them at all.

AMD Unveils Ryzen 8040 Series with 40% AI Performance Boost, Eyeing Intel’s Market Share


AMD has announced its latest Ryzen 8000 series, codenamed “Hawk Point.” This new lineup, revealed just a week before Intel’s anticipated Meteor Lake Core Ultra launch, is poised to deliver a staggering 40% increase in AI performance, signaling a direct challenge to Intel’s market dominance.

Following the mixed reception of the Phoenix APU generation in 2023, AMD has refocused its efforts on the AI segment. Unlike previous years where CES was the chosen platform for new releases, AMD expedited the Hawk Point announcement, a clear indication of its commitment to taking on Intel’s Meteor Lake.

The Ryzen 8000 series, particularly the Ryzen 8040, is AMD’s response to the growing demand for AI-enhanced computing. At first glance, Hawk Point bears a strong resemblance to its predecessor, the Phoenix generation, maintaining the Zen 4 CPU architecture and RDNA 3 graphics. However, the real game-changer is the enhanced AI-Engine, the XDNA NPU, which is based on Xilinx technology. This improvement enables Hawk Point to achieve a 40% increase in AI performance, boasting 16 NPU TOPS and a total of 39 TOPS, a significant leap from the previous 10 and 33 TOPS.

Understanding that robust hardware needs equally capable software, AMD is intensifying its focus on the AI software ecosystem. The company is expanding collaborations and developing tools to enhance support and performance for AI applications. This includes support for ONNX Runtime, PyTorch, and TensorFlow through the Ryzen AI Software, ensuring that their processors are not just powerful but also versatile and developer-friendly.


Learning from the Phoenix generation’s rollout, AMD is ensuring a faster availability for Hawk Point. The new CPUs are already being shipped, with expectations to feature in notebooks by the first quarter. Key partners like Acer, Asus, Dell, HP, Lenovo, and Razer are among the first to integrate these new processors, signaling strong industry support for AMD’s latest offering.

Looking ahead, AMD has already set its sights on the next generation of AI processors. The upcoming XDNA 2, slated for release in 2024, is expected to be part of the “Strix Point” Ryzen processors. These chips are projected to offer three times the performance for generative AI tasks compared to the current Hawk Point series, potentially revolutionizing the field of generative AI in mobile computing.

Google Gemini: The AI Powerhouse Set to Eclipse GPT-4


Google has introduced Gemini, its latest and most formidable artificial intelligence model, signaling a new era in the AI landscape. This move positions Google at the forefront of AI innovation, directly challenging the current leaders, GPT-4 and ChatGPT, developed by OpenAI.

Gemini is not a singular entity but a comprehensive suite of three distinct AI models, each designed for specific functionalities:

  1. Gemini Nano: This version is tailored for efficiency, particularly in processing and executing tasks on devices. It is set to enhance the new functions of the Pixel 8 Pro, Google’s flagship smartphone.
  2. Gemini Pro: Serving as an intermediate option, Gemini Pro is engineered for scalability across a broad spectrum of tasks. It has been integrated into Bard, Google’s rival to ChatGPT, marking the most significant update the chatbot has received to date. Initially, this AI will be available in English in 170 countries.
  3. Gemini Ultra: The most advanced of the trio, Gemini Ultra, is designed to perform complex tasks, competing head-to-head with OpenAI’s GPT-4. Google claims that in performance tests, Gemini Ultra has outperformed GPT-4.

A standout feature of Gemini Ultra is its achievement in the Massive Multitasking Language Understanding (MMLU) test, where it scored 90.0%, surpassing human experts. This test evaluates general knowledge and problem-solving abilities across 57 subjects, including mathematics, physics, history, law, medicine, and ethics.

Gemini’s capabilities extend beyond text analysis. As a multimodal AI, it can process various inputs like text, audio, videos, and photos simultaneously, showcasing its adaptability in handling diverse data formats.

Google has significantly upgraded Gemini’s programming skills. It can now understand, explain, and generate high-quality code in popular programming languages such as Python, Java, C++, and Go. This enhancement makes Gemini a leading AI model in the realm of coding.

Developed with an emphasis on scalability and security, Gemini includes advanced filters to prevent misuse and has been designed in collaboration with experts to identify and mitigate potential vulnerabilities.

Google has integrated Gemini into Bard, its ChatGPT alternative, and the Pixel 8 Pro. The smartphone will receive new AI-powered features, including quick responses in Gboard for WhatsApp and audio summary generation in the sound recorder.

Google plans to integrate Gemini into more of its products, including its search engine, Chrome, Duet AI, and Google Ads. This integration reflects Google’s vision of an AI-driven future.

Google is also set to launch Bard Advanced, powered by Gemini Ultra, early next year. This advanced version of the chatbot is expected to offer more sophisticated AI interactions.

Beeper Mini: Beeper Brings iMessage to Android Via Reverse Engineering


The team behind the universal chat app Beeper has unveiled a new application, Beeper Mini, designed to bring Apple’s iMessage service to Android devices. This innovative app marks the first instance of utilizing the native iMessage protocol directly on Apple servers for sending and receiving messages on Android.

Beeper Mini’s approach is a departure from previous methods of integrating iMessage with Android, which often involved questionable practices using relay servers on Mac servers. These earlier techniques raised security concerns, as they potentially allowed third parties to access user messages. This security issue led to the removal of a similar iMessage implementation from the Play Store by the company Nothing just a few weeks ago.

The new app allows Android users to communicate with Apple users via iMessage, displaying messages in the familiar blue bubbles of iMessage chats instead of the green bubbles typically associated with SMS or MMS. This development is noteworthy, especially considering Apple’s historical stance of not supporting iMessage on Android, a point of contention for companies like Google, network operators, and some users.

Beeper’s team has shared technical details about the app’s development in a blog post, highlighting the reverse engineering of the iMessage protocol. The lead developer, a student, has also shared insights into the findings and implementation process. A proof-of-concept implementation in Python for using iMessage is available under the SSPL.

The app’s functionality hinges on several Apple services, including the Push Notification Service for message transmission and a key server for key exchange. Registration requires authentication via an Apple ID. The app also necessitates validation data, which is generated by emulating a binary file used by Apple. This file, which relies on obfuscation, is re-created in the app. The validation data comprises various components like the device’s serial number, MAC address, model name, and the UUID of the root disk, which are hardcoded for use in the iMessage reimplementation.

After registering on the key server, Beeper Mini can exchange and receive public keys, facilitating the sending and receiving of iMessage texts. The ease of this process underscores the deep understanding of the iMessage format by Beeper’s developers.

However, the future of Beeper Mini is uncertain, as it remains to be seen how Apple will respond to this use of its servers for purposes other than intended. While the app currently operates without issues, it could potentially violate Apple’s terms of use, leading to exclusion. Apple’s ability to recognize and analyze the validation data poses a risk to the continued functionality of Beeper Mini.

Grand Theft Auto VI Trailer Sets New YouTube Record, Revives Vice City in Spectacular Fashion


Rockstar Games released the first trailer for GTA 6, following a premature leak on social media. The trailer has since set a new record on YouTube, amassing an unprecedented number of views in a short period.

Originally scheduled for a later reveal, the trailer’s leak prompted Rockstar Games to release it officially ahead of time. The trailer confirms the game’s title as “Grand Theft Auto VI,” continuing the numerical naming tradition. Sam Houser, the founder of Rockstar Games, expressed excitement about sharing this new vision, which aims to push the boundaries of open-world, story-based experiences.

GTA 6 returns to the iconic Vice City, a locale inspired by Miami, first seen in the 2002 release. However, this rendition of Vice City is vastly different, with an expanded map rumored to be almost double the size of GTA 5’s. The game introduces natural regions alongside urban areas, showcasing Miami’s rich flora and fauna.

The narrative centers around Jason, an American, and Lucía, of Latin descent, drawing inspiration from the infamous 1930s criminals Bonnie Parker and Clyde Barrow. The trailer teases heists, police chases, and a significant focus on social media, reflecting current real-world trends.

Within 12 hours of its release, the GTA 6 trailer amassed an astonishing 60 million views, a number that continued to climb rapidly. At the time of writing, it had reached nearly 103 million views with 9.2 million likes, making it the number one trending video on YouTube. This achievement surpasses the previous non-musical record held by MrBeast and positions the trailer close to the all-time record set by BTS’s “Dynamite.”

GTA 6 is slated for release in 2025 on PlayStation 5 and Xbox Series X|S, with no mention of a PC version yet. The game is expected to be the most immersive and significant evolution in the Grand Theft Auto series, featuring a female protagonist for the first time.

New Security Flaw ‘BLUFFS’ Threatens Encrypted Bluetooth Connections Worldwide


A new set of vulnerabilities known as BLUFFS (Bluetooth Forward and Future Secrecy) has been identified, posing a serious threat to the security of encrypted Bluetooth connections. The vulnerabilities affect a wide range of popular devices globally, including smartphones, laptops, and audio accessories.

The existence of BLUFFS was brought to light by Daniele Antonioli, a security researcher from the French research institute Eurecom. Antonioli’s investigation uncovered six different techniques under the umbrella of BLUFFS, each capable of impersonating device identities and executing Man-in-the-Middle (MitM) attacks on encrypted Bluetooth connections. This discovery is alarming as it directly impacts the confidentiality of these connections.

Technical Insights: How BLUFFS Operates

BLUFFS exploits four distinct vulnerabilities, two of which were previously unknown and stem from fundamental flaws in the Bluetooth standard’s architecture. These vulnerabilities, registered as CVE-2023-24023, allow an attacker to force the generation of a short and predictable session key (SKC). With this vulnerability, an attacker can gain access to data traffic through brute-force attacks, decrypt previously intercepted data packets, and manipulate ongoing data traffic in real-time. The only requirement for the attacker is to be within Bluetooth range of the targeted devices.

Widespread Impact: Vulnerable Devices

The research conducted by Antonioli involved testing 18 different devices for their susceptibility to BLUFFS. Each device was found to be vulnerable to at least three of the six BLUFFS attack techniques. The list includes popular smartphones, laptops, Bluetooth speakers, and headphones from major manufacturers like Apple, Google, Microsoft, Dell, Xiaomi, Logitech, and Bose. Notably, one specific technique, a MitM attack, proved effective on all tested devices. A toolkit for testing device vulnerability to BLUFFS is available on GitHub for those concerned about their devices’ security.

Mitigation Measures:

In response to the BLUFFS threat, the Bluetooth Special Interest Group (SIG) has issued recommendations to mitigate the risk. Developers are advised to reject connections with key strengths of less than seven octets, as brute-forcing a 7-octet key is unlikely to be feasible in real-time. For systems using Security Mode 4 Level 4, a minimum key strength of 16 octets is recommended. Devices operating in “Secure Connections Only” mode are expected to maintain adequate key strength, ensuring better protection.