Bluetooth Blues

September 15th, 2017 by CS Research

The proliferation of wireless devices in the world is astounding, and one of the most widely used are Bluetooth, at an estimated capable device count north of 8 billion. Earlier this week, researchers at Armis released information on their website about an attack vector dubbed “BlueBorne”.

The list of vulnerable and exploitable devices spans Android and Apple smartphones, millions of printers, smart TVs, IoT devices, and Windows PC’s (Vista to current) that use the short-range wireless protocol. Unfortunately, many of these devices will never be patched and will continue to be vulnerable to exploits like this. Such is the nature of hardware/software support life cycles.

How Does It Work?

BlueBorne abuses the fact that when a device’s Bluetooth is enabled, it is always listening for incoming connections. This behavior is expected and in fact exactly how the Bluetooth design intends. The attack is very stealthy, requiring no victim interaction and can lead to full control of the victim’s device in some cases.

An attacker starts by probing nearby Bluetooth devices to determine which operating system the victim is using and selecting the proper exploit to run. Then the attacker launches the exploit against a vulnerability in the implementation of the Bluetooth protocol. At this point the attacker can choose to execute a Man-in-the-Middle attack, intercepting web traffic and capturing credentials, or take full control of the device and use it for any number of nefarious actions.

The attack vector currently utilizes exploits for 8 vulnerabilities, listed below.

  • Linux kernel RCE vulnerability – CVE-2017-1000251
  • Linux Bluetooth stack (BlueZ) information Leak vulnerability – CVE-2017-1000250
  • Android information Leak vulnerability – CVE-2017-0785
  • Android RCE vulnerability #1 – CVE-2017-0781
  • Android RCE vulnerability #2 – CVE-2017-0782
  • The Bluetooth Pineapple in Android – Logical Flaw CVE-2017-0783
  • The Bluetooth Pineapple in Windows – Logical Flaw CVE-2017-8628
  • Apple Low Energy Audio Protocol RCE vulnerability – CVE-2017-14315

Potential Impact

To make matters worse, this type of attack vector could be made operational as a worm and weaponized to launch massive DDoS attacks or simply shutdown the devices to disrupt citizen communications on a massive scale. Taking advantage of a feature called “Bluetooth Mesh” that was introduced in Bluetooth 5, you can interconnect devices to create a much larger network with more elaborate/dense structures.  You could infect millions (or billions) of devices in an absurdly short amount of time. Consider an infected user simply walking through a crowded place – mall, airport, theater – infecting every device enabled device they pass.

In May of this year the world witnessed what is now being considered the most “successful” and prolific ransomware campaign to date: WannaCry. The pace at which WannaCry spread was astounding. If a BlueBorne inspired ransomware campaign were launched, it could theoretically eclipse WannaCry’s devastation in a matter of hours.

What Can I Do About It?

This style of attack is nearly silent and invisible to traditional security controls and procedures. Companies do not monitor these types of device to device connections within their environment. If you have no visibility, then you can’t stop it. Current security measures including endpoint protection, MDM Solutions, firewalls, and network security solutions are not designed to identify these types of attacks or the related vulnerabilities and exploits. This is due to the traditional security model focusing on threats that spread via IP connections. Therefore, new solutions are needed to detect and defend against these attack vectors.

As researchers, we need to remain vigilant and continue to investigate new protocols as they are introduced to consumers. With the already staggering number of untested and insecure desktop, mobile, and IoT devices continuing to grow at a frantic pace, it is critical we show due diligence in detecting, identifying, and stopping these types of attacks.

First thing to note here is that if you are not actively using Bluetooth on your device, turn it OFF!

Windows

Microsoft pushed out security patches to all supported Windows versions on July 11, 2017. See the release info here:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628

Android

All Android phones, tablets, and wearables (except those using only Bluetooth Low Energy) of all versions are affected by four vulnerabilities found in the Android operating system, two of which allow remote code execution (CVE-2017-0781 and CVE-2017-0782), one results in information leak (CVE-2017-0785) and the last allows an attacker to perform a Man-in-The-Middle attack (CVE-2017-0783).

Google has issued a security update patch and notified its partners. The patch information was made available to Android partners in early August, though it may be a while until the consumers receive the appropriate patches due to the trickle down through Third-Parties. Android users should verify that they have the September 9, 2017 Security Patch Level.

To check if your device is at risk or is the devices around you are at risk, download the Armis BlueBorne Scanner App on the Google Play Store. Link Below:

https://play.google.com/store/apps/details?id=com.armis.blueborne_detector

Linux

Linux is the underlying operating system for a wide range of devices. The most common commercial and consumer-oriented platform based on Linux is the Tizen OS.

All Linux devices running BlueZ are affected by the information disclosure vulnerability CVE-2017-1000250. All Linux devices from version 3.3-rc1 (released October 2011) are affected by the remote code execution vulnerability CVE-2017-1000251.

Unfortunately, the support for Linux based systems varies wildly. Check with your devices manufacturer for updates.

iOS

All iPhone, iPad and iPod touch devices with iOS 9.3.5 and lower, and AppleTV devices with version 7.2.2 and lower are affected by the remote code execution vulnerability. This vulnerability was already mitigated by Apple in iOS 10, so no new patch is needed to mitigate it. We recommend you upgrade to the latest iOS or tvOS available.

 

 

Field Offices

Connect With us