Welcome to our peer-to-peer forums, where owners help owners. Need help now? Visit eSupport here.

Motorola Community

Moto G PhonesMoto G5 / Moto G5 Plus
All Forum Topics
Options

285 Posts

12-22-2015

United States of America

608 Signins

6737 Page Views

  • Posts: 285
  • Registered: ‎12-22-2015
  • Location: United States of America
  • Views: 6737
  • Message 61 of 76

Re: Blueborne: Major Vulnerability Needs September Security Update to Fix

2017-11-13, 23:40 PM

wrote:

wrote:

 the Bluebourne vulnerability requires close proximity to the device (>10m, with real effectiveness >5m)


I think you got your < and > backwards, but agree, you have to be close.

 

and I use my Bluetooth normally without any worries. 


Same here. I keep looking for real world confirmation of the exploit but have seen none to date.

 


Lol... indeed I do... Fixed original post. 

Reply
Options

23 Posts

09-30-2017

Netherlands

14 Signins

145 Page Views

  • Posts: 23
  • Registered: ‎09-30-2017
  • Location: Netherlands
  • Views: 145
  • Message 62 of 76

fix for bluetooth hack????

2017-11-21, 9:37 AM

there is a huge gaping security hole in the current bluetooth software for some time now that enables any remote hacker to completely take over the phone and all its data but i still havent received any updates!

https://www.kb.cert.org/vuls/id/CHEU-AR5S24

 

is lenovo/motorola doing anything to fix this or do they think by just ackowledging the vulnerabilty on their website with specification: 'high' is enough??

https://support.lenovo.com/nl/nl/product_security/len-17125

 

the fixes for this security hole are readily available and could have been implemented 2 months ago in a upstream update but still no update!

 

can any of the representatives explain what is being done to fix this thing or if it will even be fixed so i know if i have to buy a new phone or not (from a company that actually takes security serious).

 

what.. is.. going.. on?!

 

 

Reply
Answer
Options

20125 Posts

02-03-2016

United States of America

2600 Signins

65343 Page Views

  • Posts: 20125
  • Registered: ‎02-03-2016
  • Location: United States of America
  • Views: 65343
  • Message 63 of 76

Re: fix for bluetooth hack????

2017-11-22, 17:33 PM

Hey everyone. 

 

Many of you know that it's our policy to provide information about what updates an owner can expect, but no delivery dates. We've learned from experience that missing a date (or actually hitting one exactly, believe it or not) opens us up to far more criticism than if we simply don't provide an update in the first place.

 

In the US, our Software Upgrade News Page will show if a phone is continuing to get security updates, and this phone is certainly still getting them. (Not sure what the schedule is for providing this information on the Software Upgrade News Pages in other regions and countries.)

 

So, at the risk of something showing up during testing, or some other roadblock, I will say that we expect a security update in December. The update includes the Blueborne patches available when we began development. (Just covering here, in case a new batch of patches is issued. It's happened.)

 

I'd also like to reinforce some of the messages posted by other owners; namely that there are no actual known Blueborne attacks. I'd just wish for your own peace of mind that you don't worry too much as it doesn't appear as if a threat is imminent. 

 

Not sure the above information will satisfy but wanted to at least give some guidance. (Hope I don't regret it!)

 

- Matt

 

 

Please do not PM me - if you have issues, search the forums for threads on your topic and post there, or start a new thread. Thanks!

0 person found this solution to be helpful.

This helped me too

Reply
Options

51 Posts

08-24-2017

Finland

233 Signins

2318 Page Views

  • Posts: 51
  • Registered: ‎08-24-2017
  • Location: Finland
  • Views: 2318
  • Message 64 of 76

Re: fix for bluetooth hack????

2017-11-25, 14:57 PM

Thank you clearing things up. This probably means no Oreo this year?

Reply
Options

1 Posts

09-28-2017

United States of America

8 Signins

63 Page Views

  • Posts: 1
  • Registered: ‎09-28-2017
  • Location: United States of America
  • Views: 63
  • Message 65 of 76

Re: Blueborne: Major Vulnerability Needs September Security Update to Fix

2017-11-26, 5:28 AM

The key question is when will Lenovo allow us to use our Bluetooth connections again?!!? I can't feel safe using my Bluetooth connection on my two Lenovo products; my Lenovo Tab 2 A10f and my Moto G5 Plus. 

 

My work PC is a Lenovo T440S so I am fully invested in the Lenovo way but I'm afraid that I may have placed my faith in the wrong vendor if they can't plug this major flaw soon. It has been available since September. 

 

Hello Lenovo make and release the fixes!

Reply
Options

521 Posts

12-29-2013

United States of America

557 Signins

10169 Page Views

  • Posts: 521
  • Registered: ‎12-29-2013
  • Location: United States of America
  • Views: 10169
  • Message 66 of 76

Re: Blueborne: Major Vulnerability Needs September Security Update to Fix

2017-11-26, 6:06 AM

wrote:

The key question is when will Lenovo allow us to use our Bluetooth connections again?!!? I can't feel safe using my Bluetooth connection on my two Lenovo products; my Lenovo Tab 2 A10f and my Moto G5 Plus.


Use it now. There have been zero instances of the exploit used in the wild.

Maybe turn it off in a crowded enviromnment (say a mall or packed resturant), but otherwise this isn't something to be exploited from across the room or just passing by.

And to do anything it has to be tuned for the device you want to attack.

Fear of this exploit reminds me of the fear of nuclear bombs in the 50s.

I continue to use Bluetooth as I did before on unpatched devices (including some devices stuck on 4.4)

 

 

Reply
Options

5 Posts

11-12-2017

United Kingdom of Great Britain and Northern Ireland

11 Signins

121 Page Views

  • Posts: 5
  • Registered: ‎11-12-2017
  • Location: United Kingdom of Great Britain and Northern Ireland
  • Views: 121
  • Message 67 of 76

Re: fix for bluetooth hack????

2017-11-26, 11:36 AM

Thank you for your response Motorola admin. 

 

I'm not sure people need specific dates, just a real commitment to deliver regular security updates. 

 

It's farcical to visit Lenovo's software update pages for any region (say, UK), read that your phone is continuing to receive security updates, and then note that it hasn't received a single security update in a year (retgb channel is still on January 2017 patch).

 

If you don't plan to issue any actual security updates, or do not plan to do it until ultimately releasing Android 8.0 Oreo (retgb is on 7.0), then just put that in writing. Better than specific dates, much better than vague and unfulfilled promises.

Reply
Options

8 Posts

11-29-2017

United States of America

10 Signins

137 Page Views

  • Posts: 8
  • Registered: ‎11-29-2017
  • Location: United States of America
  • Views: 137
  • Message 68 of 76

Re: Blueborne: Major Vulnerability Needs September Security Update to Fix

2017-11-29, 8:08 AM

Just wanted to say the whole "I haven't seen anyone be compromised" is a non-argument. Must every remote-code execution exploit announce that it's owned you? Telling people that it's okay to use bluetooth because "they're probably okay," is based on what? The proof of concept was able to compromise a phone in seconds, all the rest of the stuff in their video was just for effect (showing how they could take pictures and send themselves the picture, etc.)...but the important thing was the initial exploit, which didn't require any special knowlege, or to be able to see the screen, or any of this other nonsense. Don't try to talk yourself out of the very real problem that bluetooth is unusable if you want any semblance of security and don't create a smokescreen for developers to not fix problems. This is the level of support for their NEW phones too (released THIS year), not some outdated old phone they just wanted to stop supporting.

I'm happy to hear there is a patch coming in December. I am a bit disappointed by the response though, saying "someone complains no matter what" is not an excuse to not supply security patches in a timely manner, and then sit on it for months without giving any information about when you do expect to have them. If you continue to act in this manner, you are going to lose many more customers.

Reply
Options

521 Posts

12-29-2013

United States of America

557 Signins

10169 Page Views

  • Posts: 521
  • Registered: ‎12-29-2013
  • Location: United States of America
  • Views: 10169
  • Message 69 of 76

Re: Blueborne: Major Vulnerability Needs September Security Update to Fix

2017-11-29, 15:33 PM

wrote:

Just wanted to say the whole "I haven't seen anyone be compromised" is a non-argument.

...

Don't try to talk yourself out of the very real problem that bluetooth is unusable if you want any semblance of security and don't create a smokescreen for developers to not fix problems.


The point is there are no cases of anyone actually being compromised in the wild. It's all been in controlled environements, basically a lab.

Everything I've found on the exploit says you have to target specific devices and it's not just a few seconds.
It takes a lot of work to develop an attack on any given device with a specific software version.
Then you have to find a matching device and get close enough to it and stay there long enough to do anything.


Beyond that, Bluetooth is inherently insecure. The encryption protocol they used is flawed and easily hackable.

They developed a new one instead of using a well tested one. And they messed up.

I'm not excusing Motonovo for the poor pace of updates/patches/fixes. But I'm not crying the sky is falling either.

Reply
Options

54 Posts

10-15-2016

United States of America

520 Signins

3582 Page Views

  • Posts: 54
  • Registered: ‎10-15-2016
  • Location: United States of America
  • Views: 3582
  • Message 70 of 76

Re: Blueborne: Major Vulnerability Needs September Security Update to Fix

2017-11-29, 17:02 PM

Everyone will need to decide their needed/desired level of security.  I've moved all of my tasks that need either Bluetooth and/or Wi-Fi (Key Reinstallation Attack) from unpatched Android devices to laptops running an OS that has already been patched.  And in one spot (so far), I'm using a wire where I used to use Bluetooth. 

Reply
Forum Home

Community Guidelines

Please review our Guidelines before posting.

Learn More

Check out current deals!

Go Shop
X

Save

X

Delete

X

No, I don’t want to share ideas Yes, I agree to these terms