**bunny more like BOO-ny** @hazel@is.nota.live · 2020-10-14T18:11:57Z

bunny more like BOO-ny @hazel@is.nota.live

bunny more like BOO-ny @hazel@is.nota.live

if you're on linux and use bluetooth, you should upgrade to 5.9 immediately or stop using bluetooth.

zero-click RCE:
https://twitter.com/theflow0/status/1316071793707364353
writeup:
https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq

yikes

Oct 14, 2020, 18:11 · · Web · · ·

**Jake** @jbauer@pleroma.paritybit.ca · Oct 14, 2020, 18:13

**Jake** @jbauer@pleroma.paritybit.ca · Oct 14, 2020, 18:13

Oct 14, 2020, 18:13

Jake @jbauer@pleroma.paritybit.ca

@hazel Bluetooth continues to be a big yikes

**Saphixe, Cool Name Haver** @luna@hellsite.site · Oct 14, 2020, 18:13

**Saphixe, Cool Name Haver** @luna@hellsite.site · Oct 14, 2020, 18:13

Oct 14, 2020, 18:13

Saphixe, Cool Name Haver @luna@hellsite.site

spam

@hazel never use wireless devices never use wireless devices never use wireless devices never use wireless devices never use wireless devices never use wireless devices never use wireless devices never use wireless devices

**bunny more like BOO-ny** @hazel@is.nota.live · Oct 14, 2020, 18:14

**bunny more like BOO-ny** @hazel@is.nota.live · Oct 14, 2020, 18:14

Oct 14, 2020, 18:14

bunny more like BOO-ny @hazel@is.nota.live

spam

@luna i use wireless headphones

**Saphixe, Cool Name Haver** @luna@hellsite.site · Oct 14, 2020, 18:16

**Saphixe, Cool Name Haver** @luna@hellsite.site · Oct 14, 2020, 18:16

Oct 14, 2020, 18:16

Saphixe, Cool Name Haver @luna@hellsite.site

spam

@hazel I'm so paranoid about connecting things to my PC

**Jeder 😺** @jeder@pl.jeder.pl · Oct 14, 2020, 18:15

**Jeder 😺** @jeder@pl.jeder.pl · Oct 14, 2020, 18:15

Oct 14, 2020, 18:15

Jeder 😺 @jeder@pl.jeder.pl

@hazel the fuck

**bunny more like BOO-ny** @hazel@is.nota.live · Oct 14, 2020, 18:15

**bunny more like BOO-ny** @hazel@is.nota.live · Oct 14, 2020, 18:15

Oct 14, 2020, 18:15

bunny more like BOO-ny @hazel@is.nota.live

@jeder it's literally just type confusion is the worst thing

i hate c

**Jeder 😺** @jeder@pl.jeder.pl · Oct 14, 2020, 18:23

**Jeder 😺** @jeder@pl.jeder.pl · Oct 14, 2020, 18:23

Oct 14, 2020, 18:23

Jeder 😺 @jeder@pl.jeder.pl

@hazel lol, just installed 5.9

** Embers 🎨🛡️🏳️‍🌈** @EeveeEuphoria@glaceon.social · Oct 14, 2020, 18:18

** Embers 🎨🛡️🏳️‍🌈** @EeveeEuphoria@glaceon.social · Oct 14, 2020, 18:18

Oct 14, 2020, 18:18

 Embers 🎨🛡️🏳️‍🌈 @EeveeEuphoria@glaceon.social

@hazel well shit, guess i gotta disable it on my pi's since the latest kernel version they have is 5.4, at least for arch linux, rip

**bunny more like BOO-ny** @hazel@is.nota.live · Oct 14, 2020, 18:18

**bunny more like BOO-ny** @hazel@is.nota.live · Oct 14, 2020, 18:18

Oct 14, 2020, 18:18

bunny more like BOO-ny @hazel@is.nota.live

@EeveeEuphoria if you aren't like, physically near someone else, it's probably fine

but do NOT turn bluetooth on in a public space

**Jeder 😺** @jeder@pl.jeder.pl · Oct 14, 2020, 18:25

**Jeder 😺** @jeder@pl.jeder.pl · Oct 14, 2020, 18:25

Oct 14, 2020, 18:25

Jeder 😺 @jeder@pl.jeder.pl

@hazel @EeveeEuphoria that's also counting when not in discovery mode?

**bunny more like BOO-ny** @hazel@is.nota.live · Oct 14, 2020, 18:28

**bunny more like BOO-ny** @hazel@is.nota.live · Oct 14, 2020, 18:28

Oct 14, 2020, 18:28

bunny more like BOO-ny @hazel@is.nota.live

@jeder @EeveeEuphoria no auth, no pairing, nothing

**Tak!** @Tak@glitch.taks.garden · Oct 14, 2020, 19:31

**Tak!** @Tak@glitch.taks.garden · Oct 14, 2020, 19:31

Oct 14, 2020, 19:31

Tak! @Tak@glitch.taks.garden

@hazel I guess this also applies to android?

looking at my phone running kernel 4.4 😢

**tastytea** @tastytea@likeable.space · Oct 14, 2020, 21:23

**tastytea** @tastytea@likeable.space · Oct 14, 2020, 21:23

Oct 14, 2020, 21:23

tastytea @tastytea@likeable.space

@Tak Maybe. It only affects kernel 4.8 and higher, but it could be that your vendor backported stuff from newer kernels.

@hazel

**Tak!** @Tak@glitch.taks.garden · Oct 15, 2020, 04:56

**Tak!** @Tak@glitch.taks.garden · Oct 15, 2020, 04:56

Oct 15, 2020, 04:56

Tak! @Tak@glitch.taks.garden

@tastytea @hazel Oh, ok - the advisory just said < 5.9 for affected versions

**Anirudh Oppiliappan** @x@toot.icyphox.sh · Oct 15, 2020, 12:35

**Anirudh Oppiliappan** @x@toot.icyphox.sh · Oct 15, 2020, 12:35

Oct 15, 2020, 12:35

Anirudh Oppiliappan @x@toot.icyphox.sh

@hazel Based OpenBSD doesn’t have this problem (no Bluetooth support in the kernel, lel).

**Robby** @robby@zoinks.one · Oct 15, 2020, 12:44

**Robby** @robby@zoinks.one · Oct 15, 2020, 12:44

Oct 15, 2020, 12:44

Robby @robby@zoinks.one

@hazel does this vulnerability require the devices to be paired? It doesn't seem to mention that in the writeup nor the video.

**Anirudh Oppiliappan** @x@toot.icyphox.sh · Oct 15, 2020, 13:34

**Anirudh Oppiliappan** @x@toot.icyphox.sh · Oct 15, 2020, 13:34

Oct 15, 2020, 13:34

Anirudh Oppiliappan @x@toot.icyphox.sh

@robby @hazel Doesn’t look like it. Looked at the POC—you just have to specify a Bluetooth address.

**bunny more like BOO-ny** @hazel@is.nota.live · Oct 15, 2020, 15:34

**bunny more like BOO-ny** @hazel@is.nota.live · Oct 15, 2020, 15:34

Oct 15, 2020, 15:34

bunny more like BOO-ny @hazel@is.nota.live

@robby no.

Trending now

Resources

Developers

What is Mastodon?

is.nota.live

More…