Key Negotiation of Bluetooth Vulnerability

A weakness in the Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) protocol core specification exposes a vulnerability that could allow for an unauthenticated, adjacent attacker to perform a man-in-the-middle attack on an encrypted Bluetooth connection. The attack must be performed during negotiation or renegotiation of a paired device connection; existing sessions cannot be attacked.

The issue could allow the attacker to reduce the entropy of the negotiated session key that is used to secure a Bluetooth connection between a paired device and a host device. An attacker who can successfully inject a malicious message into a Bluetooth connection during session negotiation or renegotiation could cause the strength of the session key to be susceptible to brute force attack.
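A host-side check for the condition described above, as an added example that is not part of the advisory: it parses raw HCI Command Complete events for the Read Encryption Key Size command (opcode 0x1408 in the Bluetooth Core Specification) and reports links whose negotiated key is shorter than a policy floor. The sample events are constructed, and the 7-octet floor and the function names are assumptions of this example.

```python
import struct

EVT_COMMAND_COMPLETE = 0x0E
OP_READ_ENC_KEY_SIZE = 0x1408  # OGF 0x05 (status parameters), OCF 0x0008
MIN_KEY_OCTETS = 7             # assumed policy floor for this example


def parse_key_size_event(evt):
    """Return (connection_handle, key_octets), or None if evt is not a
    successful Read Encryption Key Size completion."""
    if len(evt) < 2 or evt[0] != EVT_COMMAND_COMPLETE:
        return None
    params = evt[2:2 + evt[1]]
    if len(params) < 7:
        return None
    # num_cmd_packets, opcode, status, handle, key_size (little-endian)
    _, opcode, status, handle, key_size = struct.unpack_from("<BHBHB", params)
    if opcode != OP_READ_ENC_KEY_SIZE or status != 0x00:
        return None
    return handle & 0x0FFF, key_size


def weak_links(events, floor=MIN_KEY_OCTETS):
    """List links whose negotiated key has fewer than `floor` octets."""
    findings = []
    for evt in events:
        parsed = parse_key_size_event(evt)
        if parsed and parsed[1] < floor:
            handle, octets = parsed
            findings.append({"handle": handle, "key_octets": octets,
                             "key_bits": octets * 8})
    return findings


# Constructed sample events (event code onward, no transport prefix).
SAMPLE_EVENTS = [
    bytes.fromhex("0e 07 01 08 14 00 0b 00 10"),  # handle 0x000b, 16 octets
    bytes.fromhex("0e 07 01 08 14 00 0c 00 01"),  # handle 0x000c, 1 octet
    bytes.fromhex("0e 07 01 08 14 02 0d 00 00"),  # command failed, skipped
    bytes.fromhex("0e 04 01 03 0c 00"),           # other command, skipped
]

if __name__ == "__main__":
    for f in weak_links(SAMPLE_EVENTS):
        print("handle 0x%04x: %d-bit key" % (f["handle"], f["key_bits"]))
```

A link reported here has a session key small enough to be searched exhaustively, which is the outcome the advisory warns about.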

This advisory will be updated as additional information becomes available. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190813-bluetooth

Security Impact Rating: Medium

CVE: CVE-2019-9506


Not Just Another G: What Exactly is 5G?

We have all heard about 5G, but what exactly is it? 5G is simply defined as the fifth generation of networks. It’s not just another G. Yes, this wireless system upgrade delivers data to our mobile phones at remarkably fast speeds. But while 5G will indeed make our smartphones faster, it will also play a large role in the development of other kinds of wireless technology, including but not limited to artificial intelligence, drones, IoT, TeleHealth and autonomous vehicles. Uber is considered the ‘app that 4G built’, so what will 5G build? The possibilities are endless with …


Unified Agent – No Access to Internet in WiFi with Captive Portals

I need a solution

Hello,

We have the main problem that our users cannot use free WiFi in hotels or airport lounges when they have a captive portal.

The Unified Agents detect this, but the user doesn’t have any possibility to access the captive portal to get access to the Internet.

The only two possibilities are:

1. Disable the Unified Agent

2. Use their own WiFi with tethering

Does anybody have a solution for that?

Thanks for help and answering.

Kind Regards

Alen 


2020 vision: What MWC19 tells us about the year ahead

Image credit: pixabay/mohamed_Hassan

If hindsight is 20/20 vision, can the melee of announcements and exhibitor displays at this year’s Mobile World Congress provide us with the foresight for the year ahead and what to expect at MWC20?

As a conference, Mobile World Congress (MWC) has built a reputation for providing a window on innovation and market direction in the communication arena. Every year, the conference has grown in stature, audience attendance and topic focus. It is no longer simply a conference for telecoms and mobile operators and handset providers: exhibitors now come from key industry sectors such as manufacturing, healthcare and automotive, through to independent software vendors (ISVs), system integrators, consultancies and special interest communities. The conference’s impact and influence have brought greater representation from different countries’ industry business consortiums, and are such that there is representation from the United Nations and other globally focused groups. Even CEOs of global brands now make time for an appearance at the show.

The CIC analysts team that attended MWC19 reflect on what they saw and heard to offer a clue to the future coming. In listening to the CIC MWC19 podcasts conducted at the conference there is a definite theme that gives rise to what MWC20 might have in store.

From CIC’s podcasts

“Linux Foundation’s Hyperledger Project at MWC19 – Why it’s a first”, hear Brian Behlendorf, Executive Director of the Hyperledger Project at the Linux Foundation and Marta Piekarska, Director of Ecosystem at Hyperledger discuss the important significance of MWC19 to the Hyperledger Project.

“AT&T at MWC19 – A platform for making money from the Internet of Things (IoT) the Telco way”, highlights the very real way that a telecom operator such as AT&T can make good business from IoT with strong value-based partner interactions.

“Zeetta Networks at MWC19 – The network innovations that’s propelling them forward and what’s holding back 5G”, looks at how MWC19 is reflecting new thinking and changed approaches in the telecommunication industry.

“CIC MWC19 – Wrap up – Insights into the future” the CIC analyst team offer Insights into the potential future for both the conference and the wider industry.

In brief – summary insights from our analysts.

Bola Rotibi, Research Director

Anyone who has pounded the halls of the annual Mobile World Congress held at Barcelona’s sprawling Fira conference centre in the last week of February will know the sheer scale of the event and the overwhelming amount of information and products on display. Don’t be fooled by the 4 days posted as the official duration of the conference. MWC started in earnest on the Sunday with a pre-conference day that was packed with mini subject matter events, pre-announcements and sneak peeks. The paradox of the event is that from the vantage of the conference footprint, the number of exhibitors, the country trade and regulatory bodies present and products and solutions on display, the 5 days the conference spans doesn’t seem long enough. And yet most who attend will feel done in after 2 days, even if one’s schedule wasn’t packed with meetings that require traversing the 1km stretch of conference halls multiple times. There is just too much to see and hear.

In the cacophony of announcements and the melee of stands with their different messages and focal points it can be hard to decipher what is really being said to ascertain the value being offered.

But there were signals in all the noise that offer some clues as to where the technology market (digital, information and communication) and the conference may be heading.

Ahead of 5G the reality is that more can and is being done with what is in place. Attending the GSMA’s pre-conference event on Mobile Internet of Things (IoT) held on the Sunday, I was struck by just how much had been achieved with Mobile IoT networks – LTE-M and Narrow Band IoT. The GSMA provided a roll-call of Mobile IoT achievements – e.g. 47 IoT labs in 21 countries, 94 commercial launches etc.

Attending previous MWCs where IoT was talked about a lot, the quote ‘Show me the money’ from the film ‘Jerry Maguire’ would constantly play in my head – it regularly does even now. However, for me MWC19 showcased a lot more commercial potential and realities for technology initiatives such as IoT and Edge computing and how the cloud model was really making a difference. Perhaps the most pressing theme was the fact there is a lot more to be gained from what is already in place. The new, in terms of forward thinking solutions, operational expansion and product capabilities is actually being delivered today by what we have today.

In a market that is inundated with technology with the pressure to absorb more and more in order to move fast forward – slowing down to take stock and exploring the capabilities already available to innovate must surely be one signal worth exploring.

Cathy Mulligan PhD., Principal Analyst

I left a lot less disappointed than usual, actually for once, I left very hopeful – but it had nothing to do with 5G. There’s a lot more fire left in this industry.

I’ve been in the telco industry in various guises for the last 22 years and attended mobile world congress since 2011. As I moved around congress this year, two glaring thoughts hit me repeatedly:

  • This industry is in a period of transition from one structure to another – when it tips to a new way of organising itself, the process will be fast and brutal
  • Have any of the traditional big telco guys actually understood that yet?

It was interesting therefore that the biggest news was not the technology but the way in which operators and the rest of the ecosystem are approaching how industry boundaries are being redrawn. Because it truly feels that there’s a lot more life in this industry if it drops its “G” obsession.

I say more in my two blogs MWC19 Insights Part I: An industry in motion, but where to? and MWC19 Insights Part II: Tech Review

Clive Howard, Principal Analyst

The theme of this year’s MWC (25-28 March) was perhaps that there was no theme. The newly rebranded MWC (no longer Mobile World Congress) has evolved from a conference specifically for the telecommunications industry to become all things to all men.

This year one could find exhibitors promoting everything from mobile to Blockchain to Artificial Intelligence (AI). Internet of Things (IoT) is not even new; there was a garden dedicated to showing off a connected lawnmower.

The rebrand may reflect that the organisers – GSMA – have recognised this is now far more than a telco event. Instead it is a massive tech conference to rival the likes of CES, Hannover Messe or SXSW. While this increases the audience, it runs the risk of becoming unfocused and susceptible to the major exhibitors thinking that their message is lost in the noise.

There was a time when the likes of Samsung, LG, Huawei announced their new products on the Sunday. This year, Samsung announced their folding phone almost a week before. If people start to feel that their big news is being drowned out, they may decide to go their own way – like Apple has always done.

There’s little chance of that any time soon. In fact, Microsoft – who usually run their own launch events – chose MWC to show-off HoloLens 2. MWC’s place in the calendar is safe for a while yet, but it will be interesting to see how the GSMA embrace the new change and avoid the event stagnating or becoming too big for itself – like what happened to SXSW. For now, for many of us MWC is more relevant than ever.



Creative Intellect Consulting is an analyst research, advisory and consulting firm founded by Bola Rotibi, an experienced and renowned expert analyst in the field of software development, delivery and lifecycle management processes, technologies and tools.

The blog was written by Bola Rotibi, Research Director at CiC and the CiC analysts that attended the event. It was first published by Creative Intellect Consulting and is reused here with permission.


Advisory: Bleedingbit vulnerabilities do not affect Sophos Access Points

The BLE protocol, or Bluetooth Smart, is a protocol designed to provide low-power connections to various devices, such as IoT appliances. A set of two new zero-day vulnerabilities has been announced that could expose various access points (APs) with the BLE protocol enabled to remote code execution attacks.

Applies to the following Sophos product(s) and version(s)

Sophos UTM

Sophos AP

Sophos Firewall

Sophos Central Wireless

No Sophos Access Points are affected by this vulnerability. We recommend all customers check to ensure that their 3rd party wireless APs are not affected.

This article will be updated when information becomes available.


Filr adds support for AppConfig!

kdevadas

With great gains come greater pains! A prevalent example of this is mobile devices, which give users greater freedom to access and share data from anywhere, anytime, on any device. But for IT Administrators, it means a greater amount of time spent managing these devices—especially in organizations where BYOD is the norm. That’s where Mobile …


The post Filr adds support for AppConfig! appeared first on Cool Solutions. kdevadas


Enrolling Android device without using user’s google account to configure device

Advised the customer to use AFW managed mode, as it does not require the user to enter the Google account.

Provision work-managed device mode for Android for Work

Work-managed device mode for Android for Work is available for corporate-owned devices only. XenMobile supports these methods of enrollment in work-managed device mode:

  • afw#xenmobile: With this enrollment method, the user enters the characters “afw#xenmobile” when setting up the device. This token identifies the device as managed by XenMobile and downloads Secure Hub.
  • QR code: QR code provisioning is an easy way to provision a distributed fleet of devices that do not support NFC, such as tablets. The QR code enrollment method can be used on fleet devices that have been reset to their factory settings. The QR code enrollment method sets up and configures work-managed device mode by scanning a QR code from the setup wizard.
  • Near field communication (NFC) bump: The NFC bump enrollment method can be used on fleet devices that have been reset to their factory settings. An NFC bump transfers data between two devices using near-field communication. Bluetooth, Wi-Fi, and other communication modes are disabled on a factory-reset device. NFC is the only communication protocol that the device can use in this state.

afw#xenmobile

This enrollment method is used after powering on a new or factory-reset device for initial setup. Users enter “afw#xenmobile” when prompted to enter a Google account. This action downloads and installs Secure Hub. Users then follow the Secure Hub set-up prompts to complete the enrollment.

This enrollment method is recommended for most customers because the latest version of Secure Hub is downloaded from the Google Play store. Unlike with other enrollment methods, you do not provide Secure Hub for download from the XenMobile server.

Prerequisites:

  • Supported on all Android devices running Android 5.0 and above.

QR code

To enroll a device in device mode using a QR code, you generate a QR code by creating a JSON and converting the JSON to a QR code. Device cameras scan the QR code to enroll the device.

Prerequisites:

  • Supported on all Android devices running Android 7.0 and above.

Create a QR code from a JSON

Create a JSON with the following fields.

These fields are required:

Key: android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME

Value: com.zenprise/com.zenprise.configuration.AdminFunction

Key: android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM

Value: qn7oZUtheu3JBAinzZRrrjCQv6LOO6Ll1OjcxT3-yKM

Key: android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION

Value: https://path/to/securehub.apk

Note:

If Secure Hub is uploaded onto Citrix XenMobile server as an enterprise app, it can be downloaded from https://<fqdn>:4443/*instanceName*/worxhome.apk. The path to the Secure Hub APK must be accessible over the Wi-Fi connection that the device connects to during provisioning.
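Assembling and checking the three required fields before the JSON is converted to a QR code, as an added example that is not part of the original article. The checksum format (unpadded URL-safe base64 of a SHA-256 digest) follows the Android documentation for this extra; the HTTPS-only rule is a policy assumed here, the function names are hypothetical, and the sample values are the ones shown above.

```python
import base64
import json
import re
from urllib.parse import urlparse

COMPONENT = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
LOCATION = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"


def validate(payload):
    """Return a list of problems with a provisioning payload (empty if none)."""
    errors = ["missing " + k for k in (COMPONENT, CHECKSUM, LOCATION)
              if not payload.get(k)]
    if errors:
        return errors
    package, sep, receiver = payload[COMPONENT].partition("/")
    if not (package and sep and receiver):
        errors.append("component name must be <package>/<receiver class>")
    # 43 URL-safe base64 characters without padding decode to 32 bytes.
    checksum = payload[CHECKSUM]
    if not re.fullmatch(r"[A-Za-z0-9_-]{43}", checksum) or \
            len(base64.urlsafe_b64decode(checksum + "=")) != 32:
        errors.append("checksum is not unpadded URL-safe base64 of 32 bytes")
    # Assumed policy: the APK is fetched during provisioning, so require TLS.
    url = urlparse(payload[LOCATION])
    if url.scheme != "https" or not url.hostname:
        errors.append("download location must be an https:// URL")
    return errors


def build_payload(component, checksum, location):
    """Return the JSON text to encode as a QR code, or raise ValueError."""
    payload = {COMPONENT: component, CHECKSUM: checksum, LOCATION: location}
    errors = validate(payload)
    if errors:
        raise ValueError("; ".join(errors))
    return json.dumps(payload, indent=2)


if __name__ == "__main__":
    print(build_payload(
        "com.zenprise/com.zenprise.configuration.AdminFunction",
        "qn7oZUtheu3JBAinzZRrrjCQv6LOO6Ll1OjcxT3-yKM",
        "https://path/to/securehub.apk",  # placeholder path from the article
    ))
```

The checksum is what ties the downloaded APK to the expected signer, so a malformed value is worth rejecting before the code is printed and distributed.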
