By John Gruber
Corin Faife, writing for The Verge:
But in certain cases this can be skirted, as with one exploit that impersonates a trusted Bluetooth device already known to the user in order to connect to the phone, at which point the attacker can request or send data via Bluetooth. (The complexity of this attack makes it unlikely to affect regular people, but for a figure like the VP — who is undeniably a high-value target for foreign surveillance attempts — there’s a non-zero chance of falling victim. It also affects both Android and Apple devices, the latter of which Harris appears to use.) [...]
In total, the CVE Program, which tracks cybersecurity vulnerabilities, lists 459 current and historic vulnerabilities that mention Bluetooth, suggesting that Kamala Harris is right to be wary. There’s a simple way to mitigate all of these attacks — disabling Bluetooth, sticking to wired headphones — but doing so means swimming against the technological current, and maybe looking like you can’t afford AirPods.
Put another way, if Kamala Harris used wireless headphones, there is a chance — almost certainly a very small chance, but, we don’t know — that it could be taken advantage of by an adversary. If she uses wired headphones (and, presumably, disables Bluetooth on her iPhone), there’s no chance her phone can be exploited by a Bluetooth vulnerability.
@gruber Your note on the Harris/Bluetooth thing: most zero-days are now held closely by government and criminals. So there may be Bluetooth zero-days that are used very sparingly and haven’t yet been discovered. Harris’s time on the Senate Intelligence Committee might be a clue!
What we don’t know, she might.
★ Thursday, 9 December 2021