“official BLE specification didn't contain strong-enough language to describe the reconnection process. As a result, 2 systemic issues have made their way into BLE software implementations, down the software supply-chain” Android: no fix😱 Apple: fixed😰 Windows: not vulnerable😶
Quote Tweet
BLESA: Bluetooth bug affects billions of devices zdnet.com/article/billio
Replying to
Google Pixel XL has been end-of-life since November 2019. It hasn't received security updates for almost a year. It's not an indicator of what has been fixed in the monthly security updates and it's strange to be testing the impact of updates on a device not receiving them.
Replying to
It’s not at all strange to test devices that are still in widespread use. Users still need to be warned of their exposure. Mitigations can often still be provided, even in the absence of official support. A device that went out of support recently absolutely falls in that group
Replying to
> It’s not at all strange to test devices that are still in widespread use.
That's not what I said. I pointed out that it hasn't received OS security updates for almost a year, and it's illogical to use it to test what was fixed in those OS security updates. Doesn't make sense.
Replying to and
> Users still need to be warned of their exposure. Mitigations can often still be provided, even in the absence of official support.
It's vulnerable to many far more serious issues since it hasn't received the monthly Android security updates since way back in November 2019.
Replying to
Then I don’t understand the point you came to make & I still don’t. You were saying it didn’t make sense to test against a device that was out of support. I still disagree with that assertion for the reasons I gave. No idea what you’re nitpicking at in 2 separate tweets.
Replying to
You posted a tweet stating that the issue isn't fixed on Android, based on it not being fixed on an end-of-life device which doesn't receive the security updates. The paper doesn't say it wasn't fixed on Android. It says it wasn't fixed on their EOL Google Pixel XL device.
Replying to
Ah, so you’re saying it is fixed in Android. Is that it? Why send a series of tweets that don’t convey that message at all, including the one above, if that’s what you meant? Where did you see the Android CVE fixed? I must have missed it. If you find it share and I’ll retweet.
Replying to
I'm pointing out that the paper doesn't say that the issue wasn't fixed. It says that in June, a Google Pixel XL was still vulnerable to it. Since it doesn't receive OS updates, it's not an indicator that it wasn't fixed in Android. There isn't a source for that claim being made.
Replying to
Omg dude go shave your nuance beard somewhere else. I’ve been as polite as possible, but seriously take the hint and leave now.
Quote Tweet
Gentlemen of Twitter: Every day, every tweet, ask yourself 1. Do I need to weigh in to make my point on this woman’s timeline? 2. Is it possible that she’s right & my quest to shave my nuance beard in her sink is wrong? 3. Where else can I shave this nuance beard it itches me so?
Replying to
I was trying my best not to mislead anyone before I've had time to look into this further. I hadn't found that commit yet when I posted my tweet here and in the other thread. It will take me some time to confirm if it's the fix for this issue. I learned about it from your post.