Guest account view paired the Bluetooth devices
Reported by
sajidkia...@gmail.com,
Feb 26 2017
Issue description

UserAgent: Mozilla/5.0 (X11; CrOS x86_64 9000.91.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.110 Safari/537.36

Steps to reproduce the problem:
1. Log in as a Guest Account (Browse as Guest)
2. In the chrome://setting section, the guest can view all the devices paired to the OS.

What is the expected behavior?
Guest account has no rights to view the connected Bluetooth.

What went wrong?
If someone views the Bluetooth, it means he/she can know how to connect with this device. Attacker can manipulate the device name and can breach the OS security.

Did this work before? N/A

Chrome version: 56.0.2924.110 Channel: stable
OS Version: 9000.91.0
Flash Version: Shockwave Flash 24.0 r0
,
Feb 28 2017
Can you elaborate on what specifically you mean when you say "Attacker can manipulate the device name and can breach the OS security."
,
Feb 28 2017
,
Mar 1 2017
I don't have any PoC for this, but as per my understanding, a hacker can read the name of the device with the guest OS and spoof the MAC of the Bluetooth device. Both in combination are enough to unlock Chrome OS.
,
Mar 1 2017
Thank you for providing more feedback. Adding requester "vakh@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 1 2017
Ah, so this relates to "SmartLock for Chromebook" https://support.google.com/chromebook/answer/6070209?hl=en ? In many cases, if an attacker has a device with which they can "spoof the MAC", it seems equally likely that such a device could simply itself look at the MAC addresses of all nearby Bluetooth devices. The interesting threat then, would be limited to cases where a person provides physical guest access to their Chromebook, has enabled SmartLock, and does not have their paired Android smartphone nearby. (It's not clear to me that spoofing a MAC address is sufficient to circumvent SmartLock, however, as that would mean any attacker could just harvest your Android phone's MAC at their leisure).
,
Mar 1 2017
rkc@, keybuk@, scheib@, ortuno@ -- do any of you know who would be the right person to triage this better?
,
Mar 1 2017
,
Mar 2 2017
scheib@ -- Please weigh in with your opinion or help find the right owner. Thanks.
,
Mar 2 2017
Assigning to tengs who's more familiar with SmartLock.
,
Mar 4 2017
Setting severity to "Low" due to the requirements listed out in #6.
,
Mar 9 2017
Any update on this issue?
,
Mar 9 2017
,
Mar 9 2017
Just spoofing the MAC address is not sufficient to break SmartLock. We don't rely on Bluetooth pairing for SmartLock, and we have our own layer of crypto over the Bluetooth channel. Although the Chromebook may connect to the spoofed device, it will not be authenticated.
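The distinction drawn in the comment above, between a device that can connect under a claimed address and a device that is authenticated, shown as an added example that is not part of the original thread and is not SmartLock's actual protocol. It assumes a generic HMAC-SHA256 challenge-response with a key shared at enrollment; the `Peer` and `Unlocker` names and the address are constructed for illustration.

```python
import hashlib
import hmac
import secrets

class Peer:
    """A Bluetooth peer: an address anyone can claim, plus an optional enrolled key."""
    def __init__(self, mac, key=None):
        self.mac = mac
        self.key = key

    def respond(self, challenge):
        # A peer without the enrolled key can only guess at one.
        key = self.key if self.key is not None else secrets.token_bytes(32)
        return hmac.new(key, challenge, hashlib.sha256).digest()

class Unlocker:
    """Hypothetical unlock verifier (assumption, not Chrome OS code)."""
    def __init__(self):
        self.enrolled = {}  # address -> key agreed at enrollment

    def enroll(self, peer):
        self.enrolled[peer.mac] = peer.key

    def connects(self, mac):
        # Link level: a known address is enough to open a connection.
        return mac in self.enrolled

    def authenticate(self, mac, respond):
        key = self.enrolled.get(mac)
        if key is None:
            return False
        challenge = secrets.token_bytes(32)  # fresh per attempt, defeats replay
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, respond(challenge))

def demo():
    phone = Peer("AA:BB:CC:DD:EE:FF", secrets.token_bytes(32))  # constructed address
    spoofer = Peer(phone.mac)  # same address, no key
    book = Unlocker()
    book.enroll(phone)
    captured = []  # a response observed from an earlier genuine exchange
    def observed(challenge):
        captured.append(phone.respond(challenge))
        return captured[-1]
    return {
        "spoofer_connects": book.connects(spoofer.mac),
        "phone_authenticates": book.authenticate(phone.mac, observed),
        "spoofer_authenticates": book.authenticate(spoofer.mac, spoofer.respond),
        "replay_authenticates": book.authenticate(spoofer.mac, lambda c: captured[0]),
    }

if __name__ == "__main__":
    print(demo())
```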
,
Jun 16 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by sajidkia...@gmail.com
, Feb 28 2017