Google and Intel warn of high-severity Bluetooth security bug in Linux

Likely relevant, but also a great conversation starter about the many unknown risks of wireless protocols like wi-fi and bluetooth in general

No reason to (kernel) panic

The lack of details aside, there’s not much reason for people to worry about a vulnerability like this one. Like almost all Bluetooth security flaws, BleedingTooth requires proximity to a vulnerable device. It also requires highly specialized knowledge and works on only a tiny fraction of the world’s Bluetooth devices. Those limitations greatly reduce the number of people—if any—who are in a position to successfully carry out an attack.

If you don’t need Bluetooth, just disable it in the BIOS. Also BlueZ
doesn’t appear to be installed (at least in my) dom0.

I remember there was an important reason to disable thunderbolt
discussed here a few months back too. It would allow an attacker direct
memory access I think.

I have disabled all peripherals I don’t use (e.g. wireless WAN,
fingerprint reader, bluetooth, thunderbolt, memory card reader). If you
don’t use it, why leave it on?

1 Like

At least on Dells, you can also disable wifi and USB from BIOS. Not sure how secure the BIOS of one of the largest PC vendors is though. Most laptops that aren’t ultrathin have wifi and bluetooth on a separate PCI (?) card, so you can remove it and remove all uncertainty, then re-install it if you the need arises.

I remember this as being a fairly old exploit that was especially problematic since, at the time, Thunderbolt drives were most prominent on MacBooks (since around 2012 I think, so it was probably around then).

Strongly agree. If you’re using Qubes for security, then there’s really no reason not to drastically reduce your attack surface. Wireless protocols like wifi and bluetooth are especially vulnerable in my eyes because they’re wireless–i.e. broadcasting and receiving in a radius, which means even the neighbour next door can get at you without physically touching your PC.