-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bose Product Security Advisory

This advisory from Bose provides information to users of certain products regarding a security concern that has been identified in one or more of our products. The information contained in this advisory will help customers understand the nature of the security concern, which products are impacted by this issue, and what steps customers may take to correct or avoid the concern.

Security Concern
================

Bose is aware of certain models of NFC-enabled products manufactured with write-enabled NFC memory which, by default, may allow tampering by malicious individuals to negatively impact the product experience. Bose is not aware of any cases of active exploitation of this issue to date.

Products potentially affected by this issue include:

* Bose QuietComfort 35
* Bose QuietComfort 35 II
* Bose Revolve
* Bose Revolve+
* Bose SoundLink Color
* Bose Hearphones

For more detailed information, please see the full report below.

- - -----------------------------------------------------------
Bose Advisory 2018-001
Revision: 1.1
Revision Date: 17 JUN 2018
Summary: Certain models of Bose NFC-enabled products manufactured with write-enabled NFC memory
Affected CWEs: CWE-285 "Improper Authorization"
CVSS v3 Score: 6.1/Medium (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L)

Detailed Description
~~~~~~~~~~~~~~~~~~~~

Certain models of Bose products contain a Near-Field Communication (NFC) chip holding product-specific information that gives customers an easier setup of their Bose product. The NFC memory normally contains information that simplifies the connection setup between a mobile phone and the product. The NFC memory can be accessed using any mobile phone equipped with an NFC chip, but only at very short range (usually <= 6 inches), depending on the power capacity of the phone's NFC antenna.
Accessing NFC memory does not require the product to be powered on or its battery charged. NFC memory, once set, is always readable, but should not be writeable. In the case of the affected models, the NFC memory regions are not properly write-locked from the factory, and in some cases are accessible while the products are still in their original packaging. As a result, a malicious individual may use an NFC-enabled mobile device to modify the contents of the affected product's NFC memory without the customer's knowledge (in some cases potentially before the customer's purchase or acquisition of the product). A tampered NFC-enabled device could be used to trick a user into accessing a web site under the control of the malicious individual, e.g. to track the user or to deliver malware to the unsuspecting user's mobile device. In some cases, this tampering and redirection to an attacker-controlled server would occur without the knowledge of the victim, depending on the specific mobile device and its implementation of the NFC functionality. Bose is not aware of any cases of active exploitation of this issue to date.

How serious is this issue
~~~~~~~~~~~~~~~~~~~~~~~~~

An estimated severity for this issue was calculated using the Common Vulnerability Scoring System (CVSS) v3, an industry-standard method of scoring the seriousness of security issues. The estimated severity for this issue has been calculated to be: 6.1/Medium (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L)

What does this mean in practice
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* A malicious individual who wishes to exploit this issue to cause harm must be in close physical proximity (usually <= 6 inches) to the target device. No special skills or privileges are required, although specialized software commonly available in application marketplaces and an NFC-enabled programming device such as a mobile phone are required.
  The owner of the product needs to use the NFC feature on the product to be impacted by any such tampering.
* If exploitation succeeds, the effect is within the control of the attacker, but the impact is primarily on the user's NFC-enabled mobile device rather than the product itself. Likely scenarios include redirecting a user of the product to a malicious server hosted by the attacker, e.g. to deliver malware or to track the user based on information set by the attacker; the product's setup process may also be impacted if it normally relied on the NFC functionality.

Mitigations
~~~~~~~~~~~

Bose is taking steps to ensure that affected products manufactured in the future will properly enable the write-lock capability of the NFC memory. For devices already manufactured, either in stores waiting to be purchased or already acquired by customers, Bose recommends that users consider disabling NFC on their mobile devices to limit the chance of those devices connecting to a potentially malicious NFC tag. When using Bluetooth as part of the setup process for an affected Bose product, consider using solely the Bluetooth device discovery feature rather than the NFC-assisted method.

Credit & References
~~~~~~~~~~~~~~~~~~~

This issue was responsibly disclosed to Bose by an independent security researcher. Bose would like to thank this researcher for working with Bose to investigate and remediate this issue.

Ref: 7138EFF380D74392098D9F69B9B3255606DABAA7
Ref: 2CC93D8407881D69A7470337DB214C248E06EF35

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJcF9O0AAoJEPneBdGXcm32ykoH/004LiEAb3K2ZCm1mkWYHMGr
ySO3YugSNjIQ/bDB5LWB1Elr7DKCe9Y/cdDuAFeiJ64qVooQa21a3rj7RhzsTSs7
zCZhIWj1KT1rNcBcQsym9pBaeCZHKLkPRRMzuul+beIYT6L43LZfmpMjq7nSTXMg
J9316rFvZ5/cNiNTxLpIgU9YKKCqOreO8SEaMq1vAVKOJusTdl4zGarV5XPTdv8u
HtoECss+QK7lHFcW4V8CYqqPV1nFd2V1l2uhpny9XFHALgSfhAR1OGzD3VfHzFpw
NYLzqx922tEjGh5C5C+jxeKbYM7GwsBhPTXF//cQzkFIHVeLaYEXF5MqOXFEkoU=
=0Bbo
-----END PGP SIGNATURE-----
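The Detailed Description above explains that a tag which is not write-locked can be rewritten to carry a URI pointing at a server of the tamperer's choosing, and the Mitigations section leaves the defence to the phone side. The following Python, added here as an example and not part of the Bose advisory or of any Bose software, shows how a companion app that reads such a tag could treat it as untrusted input: it parses the NFC Forum NDEF message the tag carries, expands the standard URI record, and only returns the URI if it is http(s) and its host is on an allowlist. The NDEF record layout and URI prefix codes are the NFC Forum's; the allowlist host, the function names and the two sample tags are constructed for the example, and reading bytes from real hardware is outside it.

```python
"""NDEF URI record parsing with a host allowlist (added example for the Bose advisory).

A tag that is not write-locked is untrusted input: parse it and check the URI
before acting on it instead of handing it straight to the browser.
"""
from typing import Optional
from urllib.parse import urlsplit

# NFC Forum URI Record Type Definition: identifier code -> abbreviated prefix.
# Only the first few codes are listed; unknown codes are rejected below.
URI_PREFIXES = {
    0x00: "",
    0x01: "http://www.",
    0x02: "https://www.",
    0x03: "http://",
    0x04: "https://",
    0x05: "tel:",
    0x06: "mailto:",
}
TNF_WELL_KNOWN = 0x01                                   # Type Name Format: NFC Forum well-known type
FLAG_MB, FLAG_ME, FLAG_CF, FLAG_SR, FLAG_IL = 0x80, 0x40, 0x20, 0x10, 0x08


def parse_ndef_records(message: bytes) -> list:
    """Return [(tnf, type_bytes, payload)] for each record of an NDEF message."""
    records, i = [], 0
    while i < len(message):
        hdr, type_len = message[i], message[i + 1]      # header flags/TNF, TYPE_LENGTH
        i += 2
        if hdr & FLAG_CF:
            raise ValueError("chunked records are not supported")
        if hdr & FLAG_SR:                               # short record: 1-byte payload length
            payload_len, i = message[i], i + 1
        else:                                           # normal record: 4-byte payload length
            payload_len, i = int.from_bytes(message[i:i + 4], "big"), i + 4
        id_len = 0
        if hdr & FLAG_IL:                               # optional ID_LENGTH / ID field
            id_len, i = message[i], i + 1
        rtype = message[i:i + type_len]
        i += type_len + id_len
        payload = message[i:i + payload_len]
        if len(rtype) != type_len or len(payload) != payload_len:
            raise ValueError("truncated NDEF record")
        i += payload_len
        records.append((hdr & 0x07, rtype, payload))
        if hdr & FLAG_ME:                               # Message End flag
            break
    return records


def decode_uri_payload(payload: bytes) -> str:
    """Expand a URI record payload (prefix code byte + UTF-8 remainder) to the full URI."""
    if not payload:
        raise ValueError("empty URI payload")
    if payload[0] not in URI_PREFIXES:
        raise ValueError(f"unsupported URI prefix code 0x{payload[0]:02x}")
    return URI_PREFIXES[payload[0]] + payload[1:].decode("utf-8")


def encode_uri_record(uri: str) -> bytes:
    """Build a single short NDEF URI record; used here only to construct sample tags."""
    code, prefix = max(
        ((c, p) for c, p in URI_PREFIXES.items() if uri.startswith(p)),
        key=lambda cp: len(cp[1]),                      # longest prefix wins (0x00 always matches)
    )
    payload = bytes([code]) + uri[len(prefix):].encode("utf-8")
    if len(payload) > 255:
        raise ValueError("payload too long for a short record")
    return bytes([FLAG_MB | FLAG_ME | FLAG_SR | TNF_WELL_KNOWN, 1, len(payload)]) + b"U" + payload


def validate_tag_uri(message: bytes, allowed_hosts) -> Optional[str]:
    """Return the tag's URI only if it is http(s) and its host is allowlisted.

    Any malformed, non-URI or off-list tag yields None so the app can fall back
    to a setup path that does not rely on the tag contents.
    """
    try:
        tnf, rtype, payload = parse_ndef_records(message)[0]
        if tnf != TNF_WELL_KNOWN or rtype != b"U":
            return None
        uri = decode_uri_payload(payload)
    except (ValueError, IndexError, UnicodeDecodeError):
        return None
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return None
    return uri if parts.hostname.lower() in allowed_hosts else None


# Constructed sample data (not from the advisory): the host the app expects, a tag
# as it would leave the factory, and the same tag rewritten to point elsewhere.
ALLOWED_HOSTS = {"www.example.com"}
GOOD_TAG = encode_uri_record("https://www.example.com/setup")
TAMPERED_TAG = encode_uri_record("https://www.example.org/setup")
```

`validate_tag_uri(GOOD_TAG, ALLOWED_HOSTS)` returns the setup URI, while the tampered tag, a `tel:` record, or a truncated message all return `None`. The parser deliberately refuses chunked records and length mismatches rather than guessing, because a tag the advisory describes as writable by anyone within a few inches is exactly the input a parser should fail closed on.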