-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bose Product Security Advisory

This advisory from Bose is to provide information to users of certain products regarding a security concern that has been identified in one or more of our products. The information contained in this advisory is intended to help customers understand the nature of the security concern, which products are impacted by this issue, and what steps customers may take to avoid the concern.

Security Concern
================

A vulnerability was identified in the way Slack calls were answered when using Bose QuietComfort 35 II headphones in multi-point mode. The vulnerability caused an iOS device in a multi-point connection environment to auto-answer an incoming Slack call without requiring user interaction.

This vulnerability is only present when the following configuration exists:

* QuietComfort 35 II headphones with impacted firmware are configured in multi-point mode (i.e. connected to 2 devices simultaneously)
* One connected device is a mobile device running iOS 12 or newer with a recent version of the Slack communications client running
* One connected device is a system running MacOS 10.14 or newer with a recent version of the Slack communications client running

Products impacted by this issue include the following versions:

* QuietComfort 35 II headphones, firmware version 4.5.2

The Bose QuietComfort 35 II software update 4.8.1 addresses this issue.

For more detailed information, please see the full report below.

================================================================

Bose Advisory 2020-001
Revision: 1.0
Revision Date: 06 OCT 2020
CVE Identifier: Not Applicable

Summary: Bose QuietComfort 35 II headphones require an update to address a vulnerability in the Slack call answering process on iOS when paired to 2 devices simultaneously.
Affected CWEs: Not Applicable
CVSS v3 Score: 7.7/High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Detailed Description
~~~~~~~~~~~~~~~~~~~~

The Slack communications application running on an iOS mobile device could utilize the QuietComfort 35 II product to answer an incoming call. When the QuietComfort 35 II product is configured in multi-point mode (i.e. connected to a primary and a secondary mobile device at the same time), and an incoming call is received on both devices, the QuietComfort 35 II headphones will incorrectly send a signal to answer the call on the iOS device without user interaction.

The October 2020 software update for QuietComfort 35 II addresses this issue by preventing the signal that automatically answers the Slack call on the iOS device when in a multi-point configuration.

How serious is this issue
~~~~~~~~~~~~~~~~~~~~~~~~~

An estimated severity for this issue was calculated using the Common Vulnerability Scoring System (CVSS) v3, an industry standard method of scoring the seriousness of security issues. The estimated severity for this issue has been calculated to be: 7.7/High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

What does this mean in practice
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerable Bose products used in this configuration could potentially allow an individual with access to the secondary device to listen to the Slack call communications, or, more likely, the owner of the secondary mobile device may incur additional connection and bandwidth charges for the unexpected usage. Bose encourages users to follow best practice recommendations for how to secure access to their mobile devices.

Mitigations
~~~~~~~~~~~

The update for vulnerable Bose products mitigates this issue by eliminating the incorrect answer signal on the secondary device in a multi-point configuration when accepting an incoming Slack call on iOS 12 and newer.
The vulnerability is addressed by applying the update matching the products below:

* Bose QuietComfort 35 II, firmware version 4.8.1 or newer

Credit & References
~~~~~~~~~~~~~~~~~~~

Bose would like to thank Slack Technologies, Inc for discovering and reporting this issue.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJffcSbAAoJEPneBdGXcm32t+4H/0MRQQQSUXDUNsl42Qg/VL2g
d8G7YmsYCXAs3gxgik3AOlLW3mzAUNvRSkm88R6VlUDG44EZqXw9o4ycy1z+9LZr
6/ojWl1T1XsysYZ7GmH7tHzFhnFrQNT/vTWjA0lPmGCeW6+T9Y4NGcWXOK78dXmz
GwEa1Mkk8+K2XMzAnVmS2kFKHLnemqOHJ3YaHTF0m8yCe7/SuN/5NOqJQwV6uLlT
e6f1sT9phhQwSE/HtjZBlw1oRiMLj3bqARcOluVscgsaCiCLAefpeDaUp1qf0l4H
EcNiTSgKO1XhJ5av9jlcqmNSopq8CRNuo5tM+PpHwT8g/ydKOm5Zew7D46aqqls=
=H0eW
-----END PGP SIGNATURE-----