-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Bose Product Security Advisory
This advisory from Bose provides information to users of certain products regarding a security concern that has been identified in one or more of our products. The information contained in this advisory will help customers understand the nature of the security concern, which products are impacted by this issue, and what steps customers may take to correct or avoid the concern.
Security Concern
================
Bose is aware of certain models of NFC-enabled products manufactured with write-enabled NFC memory which, by default, may allow tampering by malicious individuals to negatively impact the product experience. Bose is not aware of any cases of an active exploitation of this issue to date.
Products potentially affected by this issue include:
* Bose QuietComfort 35
* Bose QuietComfort 35 II
* Bose Revolve
* Bose Revolve+
* Bose SoundLink Color
* Bose Hearphones
For more detailed information, please see the full report below.
------------------------------------------------------------
Revision: 1.0
Revision Date: 27 JUL 2018
Affected CWEs: CWE-285 "Improper Authorization"
CVSS v3 Score: 6.1/Medium
(CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L)
Detailed Description
~~~~~~~~~~~~~~~~~~~~
Certain models of Bose products contain a Near-Field Communication (NFC) chip which holds product-specific information that gives customers an easier setup of their Bose product. The NFC memory normally contains information that simplifies the connection setup between a mobile phone and the product. Access to the NFC memory can be obtained using any mobile phone equipped with an NFC chip, but is restricted to a very short range (usually <= 6 inches), depending on the power capacity of the phone's NFC antenna. Accessing NFC memory does not require the product to be powered on or its battery charged. NFC memory, once set, is always readable, but should not be writeable.
In the case of the affected models, the NFC memory regions are not properly write-locked from the factory, and in some cases are accessible while the products are still in their original packaging. As a result, a malicious individual may utilize an NFC-enabled mobile device to potentially modify the contents of the affected product's NFC memory without the customer's knowledge (in some cases potentially prior to their purchase or acquisition of the product). A tampered NFC-enabled device could be used to trick a user into accessing a website under the control of the malicious individual to e.g. track a user or deliver malware to the unsuspecting user's mobile device. In some cases, this tampering and redirection to an attacker-controlled server would occur without the knowledge of the victim, depending on the specific mobile device and implementation of the NFC functionality.
Bose is not aware of any cases of an active exploitation of this issue to date.
How serious is this issue
~~~~~~~~~~~~~~~~~~~~~~~~~
An estimated severity for this issue was calculated using the Common Vulnerability Scoring System (CVSS) v3, an industry standard method of scoring the seriousness of security issues. The estimated severity for this issue has been calculated to be:
6.1/Medium
(CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L)
What does this mean in practice
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* A malicious individual who wishes to exploit this issue to cause harm must have close physical proximity (usually <= 6 inches) to the target device. No special skills or privileges are required, although specialized software commonly available in application marketplaces and an NFC-enabled programming device such as a mobile phone are required. The owner of the product needs to use the NFC feature on the product to be impacted by any such tampering.
* If successful exploitation occurs, the effect is within control of the attacker, but the impact is primarily on the user's NFC-enabled mobile device rather than the product itself. Likely scenarios include redirecting a user of the product to a malicious server hosted by the attacker to e.g. deliver malware, or to track the user based on information set by the attacker, and may impact the product's setup process if it normally relied on the NFC functionality.
Mitigations
~~~~~~~~~~~
Bose is taking steps to ensure affected products manufactured in the future will properly enable the write-lock capability of the NFC memory.
For devices already manufactured - either in stores waiting to be purchased or already acquired by customers - Bose recommends users consider disabling NFC on their mobile devices to limit the chance of those devices connecting to a potentially malicious NFC tag.
When using Bluetooth as part of the setup process for an affected Bose product, consider using solely the Bluetooth device discovery feature rather than the NFC-assisted method.
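The description above (a readable-but-rewritable tag whose stored pointer can be redirected) and the write-lock mitigation both come down to two things a practitioner can check on a dumped tag: whether the lock bits are actually set, and whether the stored URI still points where the vendor intended. The following Python is an added example, not code from Bose or from the advisory. It assumes the tag uses the NFC Forum Type 2 layout (4-byte pages, static lock bytes in page 2, capability container in page 3, TLV area from page 4) and carries an NDEF URI record; the tag images it audits are constructed sample data with a made-up UID and example.com hosts, not real Bose tag contents.

```python
"""Audit a dumped NFC Forum Type 2 tag: is it write-locked, and where does
its URI record point? (added example, not code from Bose or the advisory)"""
from urllib.parse import urlparse

# NDEF URI record prefix abbreviations (NFC Forum URI RTD), subset used here
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}


def static_lock_state(dump: bytes) -> dict:
    """Decode the static lock bytes (page 2, bytes 10-11) and the capability
    container's write-access nibble (byte 15) of a Type 2 tag image."""
    lock0, lock1 = dump[10], dump[11]
    # lock0 bits 4-7 lock pages 4-7, lock1 bits 0-7 lock pages 8-15
    user_pages_locked = (lock0 & 0xF0) == 0xF0 and lock1 == 0xFF
    # CC byte 3 low nibble: 0x0 = write allowed, 0xF = write prohibited
    return {"user_pages_locked": user_pages_locked,
            "cc_write_prohibited": (dump[15] & 0x0F) == 0x0F}


def find_ndef_message(dump: bytes) -> bytes:
    """Walk the TLV area starting at page 4 and return the NDEF message (type 0x03)."""
    i = 16
    while i < len(dump):
        tag = dump[i]
        if tag == 0x00:                 # NULL TLV: one byte, skip
            i += 1
            continue
        if tag == 0xFE:                 # Terminator TLV
            break
        length = dump[i + 1]
        if length == 0xFF:              # three-byte length form
            length = int.from_bytes(dump[i + 2:i + 4], "big")
            start = i + 4
        else:
            start = i + 2
        if tag == 0x03:
            return dump[start:start + length]
        i = start + length
    raise ValueError("no NDEF message TLV found")


def parse_uri_records(ndef: bytes) -> list:
    """Return the full URI of every well-known 'U' record in an NDEF message."""
    uris, i = [], 0
    while i < len(ndef):
        hdr = ndef[i]
        tnf, sr, il, me = hdr & 0x07, hdr & 0x10, hdr & 0x08, hdr & 0x40
        type_len = ndef[i + 1]
        if sr:                          # short record: 1-byte payload length
            payload_len, pos = ndef[i + 2], i + 3
        else:                           # normal record: 4-byte payload length
            payload_len, pos = int.from_bytes(ndef[i + 2:i + 6], "big"), i + 6
        id_len = 0
        if il:
            id_len, pos = ndef[pos], pos + 1
        rtype = ndef[pos:pos + type_len]
        pos += type_len + id_len        # skip type and optional ID
        payload = ndef[pos:pos + payload_len]
        pos += payload_len
        if tnf == 0x01 and rtype == b"U":
            uris.append(URI_PREFIXES.get(payload[0], "") + payload[1:].decode("utf-8"))
        i = pos
        if me:
            break
    return uris


def audit_tag(dump: bytes, expected_hosts: set) -> dict:
    """Flag a tag that is still writable or whose URI points somewhere unexpected."""
    locks = static_lock_state(dump)
    uris = parse_uri_records(find_ndef_message(dump))
    unexpected = [u for u in uris if urlparse(u).hostname not in expected_hosts]
    return {"writable": not locks["user_pages_locked"],
            "uris": uris, "unexpected_uris": unexpected}


def build_type2_dump(uri: str, write_locked: bool) -> bytes:
    """Construct a 64-byte Type 2 tag image with one URI record (sample data)."""
    code, rest = 0x00, uri
    for c, p in sorted(URI_PREFIXES.items(), key=lambda kv: -len(kv[1])):
        if p and uri.startswith(p):     # longest matching abbreviation wins
            code, rest = c, uri[len(p):]
            break
    payload = bytes([code]) + rest.encode("utf-8")
    record = bytes([0xD1, 0x01, len(payload)]) + b"U" + payload  # MB|ME|SR, TNF=1
    tlv = bytes([0x03, len(record)]) + record + b"\xFE"
    lock = b"\xFF\xFF" if write_locked else b"\x00\x00"
    cc = bytes([0xE1, 0x10, 0x06, 0x0F if write_locked else 0x00])  # NDEF magic, v1.0, 48 B
    pages0_3 = bytes.fromhex("04112233" "44556677" "8899") + lock + cc  # constructed UID
    return pages0_3 + tlv + b"\x00" * (48 - len(tlv))


if __name__ == "__main__":
    good = build_type2_dump("https://www.example.com/setup", write_locked=True)
    rewritten = build_type2_dump("http://www.example.net/other", write_locked=False)
    for name, dump in (("factory-locked", good), ("rewritten", rewritten)):
        print(name, audit_tag(dump, {"www.example.com"}))
```

The audit treats two independent signals as findings: lock bits that are not set (the defect the advisory describes) and a URI whose host is outside the expected set (the symptom of a tag that has already been rewritten). A tag read from a new product should show `writable: False` and an empty `unexpected_uris` list; anything else is worth checking before tapping a phone against it.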
Credit & References
~~~~~~~~~~~~~~~~~~~
This issue was responsibly disclosed to Bose by an independent security researcher. Bose would like to thank this researcher for working with Bose to investigate and remediate this issue.
Ref: 7138EFF380D74392098D9F69B9B3255606DABAA7
Ref: 2CC93D8407881D69A7470337DB214C248E06EF35
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJbWzEBAAoJEPneBdGXcm324i4H/iBN7sUncIrm8CVsjwYqMY6f
djgmYXk+1Nxz/ka9+ZuCQ4rQaIxOhGtAKAvcgtnYr9No88LNDPmtV6EkHkkKqdC0
FuVYtJ/SdtZvD/Q3NpVaVnVJksBgAvP5p9hM1kOzL2wMMQt1h5G0NaBciQ8osXOw
BzbFnZEZHPz33YPbdIJ1yROXxnCuaCT+0QYYsk5pvDnNGbd8Ba63qbQREsqekxCW
P5UmLBq/Ycrx8OZjnII0weAVmuBn8EAXerBGTDEaa2EUgn/DOnp5yv/RTU5ea48R
kHAr6CpPa7IH/p5hM+mR4rOvHVU4r+EJr990xPVsSE+i6YkKmexYyC+S5/e0Kf0=
=Nqsg
-----END PGP SIGNATURE-----