Eight zero-day vulnerabilities affecting the Android, Windows, Linux and iOS implementations of Bluetooth can be exploited by attackers to extract information from, execute malicious code on, or perform a MitM attack against vulnerable devices.
The vulnerabilities, collectively dubbed BlueBorne by the researchers who discovered them, can be exploited without users having to click on a link or download a questionable file – in fact, no action by the user is required to perform the attack. Also, attacks exploiting them spread through the air, so they are difficult to detect and highly contagious. Users will also not be able to detect whether they are being hit with a BlueBorne attack.
The only prerequisite for a successful attack is that Bluetooth, a widely used wireless communication protocol for exchanging data over short distances, is enabled on a target device. Unfortunately, it is often enabled by default on too many devices.
“Unlike the common misconception, Bluetooth enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with,” the researchers explained. “This means a Bluetooth connection can be established without pairing the devices at all. This makes BlueBorne one of the most broad potential attacks found in recent years, and allows an attacker to strike completely undetected.”
The researchers, from enterprise IoT security company Armis, identified the following security flaws:
- Linux kernel RCE vulnerability – CVE-2017-1000251
- Linux Bluetooth stack (BlueZ) information leak vulnerability – CVE-2017-1000250
- Android information leak vulnerability – CVE-2017-0785
- Android RCE vulnerability #1 – CVE-2017-0781
- Android RCE vulnerability #2 – CVE-2017-0782
- The Bluetooth Pineapple in Android – Logical Flaw – CVE-2017-0783
- The Bluetooth Pineapple in Windows – Logical Flaw – CVE-2017-8628
- Apple Low Energy Audio Protocol RCE vulnerability – CVE-2017-14315
More technical details about each can be found in this paper, but the short story is this:
“The BlueBorne attack vector has several stages. First, the attacker locates active Bluetooth connections around him or her. Devices can be identified even if they are not set to ‘discoverable’ mode. Next, the attacker obtains the device’s MAC address, which is a unique identifier of that specific device. By probing the device, the attacker can determine which operating system his victim is using, and adjust his exploit accordingly. The attacker will then exploit a vulnerability in the implementation of the Bluetooth protocol in the relevant platform and gain the access he needs to act on his malicious objective. At this stage the attacker can choose to create a Man-in-The-Middle attack and control the device’s communication, or take full control over the device and use it for a wide array of cybercriminal purposes.”
Here is a demonstration of a BlueBorne attack against a Samsung smartwatch running the Linux-based Tizen OS:
“These silent attacks are invisible to traditional security controls and procedures. Companies don’t monitor these types of device-to-device connections in their environment, so they can’t see these attacks or stop them,” noted Yevgeny Dibrov, CEO of Armis.
How many and which devices are vulnerable?
According to the researchers, the BlueBorne attack vector can potentially affect all devices with Bluetooth capabilities, estimated at over 8.2 billion devices today.
Among the vulnerable devices are Google Pixel smartphones, Samsung Galaxy phones and tablets, all Windows computers since Windows Vista, Samsung smartwatches, TVs and refrigerators, all iPhone, iPad and iPod touch devices with iOS 9.3.5 and lower, AppleTV devices with version 7.2.2 and lower, the Pumpkin Car Audio System, and so on.
Naturally, the discovery of the vulnerabilities was shared months ago with the likes of Google, Microsoft, Apple, Samsung, and the Linux kernel security team.
Google has pushed out patches in the September Android update (for Nougat and Marshmallow, i.e. v7.0 and 6.0) and provided the patches to its partners in August (but who knows how soon those partners will ready them for users). Microsoft pushed out patches on Tuesday, September 12.
Apple will not be pushing out an update, because the vulnerability affecting its Bluetooth implementation has already been mitigated in iOS 10 and users are encouraged to upgrade to it. Finally, Linux maintainers will release a fix soon.
But, in the meantime, users can also protect themselves by simply switching off Bluetooth on their devices.
The scope of the risk
“In the past, most Bluetooth vulnerabilities and security flaws originated in issues with the protocol itself, which were resolved in version 2.1 in 2007. Nearly all vulnerabilities found since were of low severity, and did not allow remote code execution. This transition occurred as the research community turned its eyes elsewhere, and did not scrutinize the implementations of the Bluetooth protocol in the different platforms, as it did with other major protocols,” the researchers noted.
Bluetooth is a difficult protocol to implement, and the researchers are concerned that the vulnerabilities they found are only the tip of the iceberg, and that the distinct implementations of the protocol on other platforms may contain additional vulnerabilities.
“Bluetooth has become one of the most commonly used technologies to connect one device to another and as the discovery of this zero-day clearly shows, it’s also a big risk,” Leigh Anne Galloway, cyber security resilience lead at Positive Technologies, commented.
“While patches for smartphones, laptops and other internet-enabled devices are relatively easy to push out, for dumber gadgets the same can’t be said. There’s a huge number of ‘things’ that rely on Bluetooth to perform their function – like speakers, or computer keyboards and mice – and, short of turning them off, there isn’t a fix, and that is going to leave millions vulnerable.”
“Long term, the answer is that if any device can connect to another in any way, it needs to have security built in from the outset or hackers are going to take advantage of it. In the short term, make sure that any devices that can be updated are and, where possible, turn the Bluetooth off of anything not in use,” she concluded.