KNOB: a new attack for capturing encrypted Bluetooth traffic


Details were recently published about a new attack called KNOB (Key Negotiation of Bluetooth), which allows an attacker to intercept and substitute data in encrypted Bluetooth traffic.

By being able to block the direct transmission of packets during the connection negotiation between two Bluetooth devices, an attacker can force the session to use an encryption key with only 1 byte of entropy, which makes it possible to recover the key by brute force.

About KNOB

Daniele Antonioli from SUTD, Dr. Nils Tippenhauer from CISPA and Professor Kasper Rasmussen from the University of Oxford discovered this new KNOB vulnerability. It affects Bluetooth BR/EDR devices, also known as Bluetooth Classic, implementing specification versions 1.0 through 5.1.

The researchers reported the vulnerability to the ICASI members Microsoft, Apple, Intel, Cisco and Amazon, who coordinated the disclosure.

The problem (CVE-2019-9506) is caused by flaws in the Bluetooth BR/EDR Core 5.1 specification and earlier versions: they allow encryption keys that are far too short and do not prevent an attacker from interfering in the connection negotiation stage to downgrade to those weak keys (the packets can be replaced by an unauthenticated attacker).

The attack can be carried out while the connection between the devices is being negotiated.

Once the key has been recovered, the attacker can decrypt the transmitted data and silently inject arbitrary ciphertext into the victim's traffic.

How does the attack work?

To reproduce the vulnerability in the lab (where the attacker's activity was emulated on one of the devices), a prototype toolkit was put together to carry out the attack.

For a real attack, the attacker must be within reception range of the victims' devices and must be able to briefly block the signal from each device, which would have to be achieved through signal suppression or reactive jamming.

Exploiting this vulnerability is not an easy task, since several specific conditions must hold. These include:

  • Both devices must be Bluetooth BR/EDR.
  • The attacker would need to be within range of the devices while they are establishing a connection.
  • "The attacking device would need to intercept, manipulate, and retransmit key length negotiation messages between the two devices while also blocking transmissions from both, all within a narrow time window."
  • The encryption key would need to be successfully shortened and then brute-forced to recover the decryption key.
  • The attacker would need to repeat the attack every time the devices pair.

When a connection is established between two Bluetooth controllers A and B, controller A, after authenticating with the link key, may propose using 16 bytes of entropy for the encryption key, and controller B may accept this value or specify a smaller one if it cannot generate a key of the proposed size.

In response, controller A may accept the reply and bring up the encrypted communication channel.

During this parameter negotiation encryption is not yet applied, so an attacker has the opportunity to interfere in the exchange between the controllers and replace the packet carrying the proposed entropy size.

Since the permitted key size ranges from 1 to 16 bytes, the second controller accepts the substituted value and sends back its confirmation indicating the same size.

The Bluetooth SIG, the organization that oversees the development of the Bluetooth standards, has published erratum 11838 to the specification, in which manufacturers are recommended measures to block the vulnerability (the minimum encryption key size is raised from 1 to 7 bytes).

For the Linux kernel, a fix was proposed in the kernel's Bluetooth stack that lets you change the minimum encryption key size.
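To make the negotiation described above and the effect of the minimum-key-size fix concrete, here is an added simulation (not code from the page, the researchers, or any Bluetooth stack). It models the two controllers as simple objects, an in-range tamperer as a function that rewrites the unencrypted key-size field in transit, and the erratum as a per-controller `min_accepted` policy; all names are constructed for the example.

```python
"""Constructed model of the BR/EDR encryption key-size negotiation (KNOB)."""
from dataclasses import dataclass
from typing import Callable, Optional

MAX_KEY_SIZE = 16         # largest entropy (bytes) the specification allows
LEGACY_MIN_KEY_SIZE = 1   # pre-erratum minimum: this is what KNOB exploits
ERRATUM_MIN_KEY_SIZE = 7  # minimum recommended by Bluetooth SIG erratum 11838


@dataclass
class Controller:
    name: str
    max_supported: int = MAX_KEY_SIZE
    min_accepted: int = LEGACY_MIN_KEY_SIZE  # local policy (the fix raises it)

    def propose(self) -> int:
        """Initiator's opening proposal: as much entropy as it supports."""
        return self.max_supported

    def respond(self, proposed: int) -> Optional[int]:
        """Responder accepts, lowers to its own maximum, or rejects outright."""
        if not (self.min_accepted <= proposed <= MAX_KEY_SIZE):
            return None
        return min(proposed, self.max_supported)

    def accept(self, size: int) -> bool:
        """Initiator's final check before bringing up the encrypted link."""
        return self.min_accepted <= size <= self.max_supported


def negotiate(a: Controller, b: Controller,
              tamper: Optional[Callable[[int], int]] = None) -> Optional[int]:
    """Return the agreed key size in bytes, or None if negotiation aborts.

    `tamper`, when given, rewrites the key-size field of each message in
    transit; the field is unencrypted, so neither side can detect the change.
    """
    proposal = a.propose()
    if tamper:
        proposal = tamper(proposal)
    reply = b.respond(proposal)
    if reply is None:
        return None
    if tamper:
        reply = tamper(reply)
    return reply if a.accept(reply) else None


def keyspace(size_bytes: int) -> int:
    """Number of candidate keys a brute-force search must cover."""
    return 2 ** (8 * size_bytes)
```

With the legacy minimum on both sides, a tamperer that rewrites the field to 1 leaves a 256-key search space; raising `min_accepted` to 7 on either controller aborts the downgraded negotiation instead.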
