
How in the world is this a CVSS 8.8 if this is the case? What a waste of everyone's time if this is true.



Ctrl+alt+t (insert malicious shell command)


That is only part of the CVSS scoring system. Not only do you need near-physical access (i.e. not open to the internet, already drops the rating significantly), it requires the victim to interact with a suspicious prompt, which basically drops it to the level of a phishing email (i.e. not CVSS 8.8).


No victim operation is needed; just type it with an automated pseudo-HID device.


Ok, but any reasonable threat model has assumed forever that physical access to the machine is essentially game over regardless.

Or to put it another way... who cares about that when the adversary is in position to just do a snatch and grab of the whole device?


This is an automatic Bluetooth pairing attack. With the right equipment (which can be as simple as a Pringles can and an antenna aimed through a window) you can execute this attack from a hundred meters away. That's not physical access.


Wireless protocols don't count as physical access, since I can perform the attack from a car outside your house.


Even more scary: (launch child porn web site)



