Armis published details of the Bluetooth vulnerability it is calling ‘Blueborne’. The attack disguises itself as a Bluetooth device and exploits a weaknesses in the protocol to deploy malicious code. It is similar in nature to the Broadcom Wi-Fi attack disclosed earlier this year.
But what makes this vulnerability so worrying is the fact that Bluetooth is available in pretty much all connected devices from smartphones, laptops, tablets, smart TVs and IoT devices.
And this Blueborne attack exploits the fact that Bluetooth is given high privileges in most operating systems.
This means the attack can be carried over the air, and executed without any input from the victim. Blueborne doesn’t even need the device to be paired with the malicious device, or even be set in discoverable mode.
These were the stark warnings from Armis in its blog posting on the subject. A video of the exploit in action can be found here.
“The BlueBorne attack vector requires no user interaction, is compatible to all software versions, and does not require any preconditions or configurations aside of the Bluetooth being active,” warned the researchers.
“Unlike the common misconception, Bluetooth enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with,” they added.
“This means a Bluetooth connection can be established without pairing the devices at all. This makes BlueBorne one of the most broad potential attacks found in recent years, and allows an attacker to strike completely undetected.”
Armis said the vulnerabilities it had detected affects all devices running on Android, Linux, Windows, and pre-version 10 of iOS operating systems, regardless of the Bluetooth version in use.
This means that a number of vendors are impacted, but thankfully these vendors are already on the case thanks to the responsible disclosure of the flaw by Armis.
Apple devices running iOS 10 are immune to the attack. Microsoft deployed a patch to fix the bug in July. And Google has patch its devices (i.e Pixel etc) and also sent a fix to manufacturers, but it is up to these individual hardware makers to device when they push the patch out to their devices.
The way BlueBorne works is in a number of stages.
“First, the attacker locates active Bluetooth connections around him or her. Devices can be identified even if they are not set to ‘discoverable’ mode,” said Armis.
“Next, the attacker obtains the device’s MAC address, which is a unique identifier of that specific device. By probing the device, the attacker can determine which operating system his victim is using, and adjust his exploit accordingly.
“The attacker will then exploit a vulnerability in the implementation of the Bluetooth protocol in the relevant platform and gain the access he needs to act on his malicious objective.
“At this stage the attacker can choose to create a Man-in-The-Middle attack and control the device’s communication, or take full control over the device and use it for a wide array of cybercriminal purposes.”
News of the vulnerability has prompted a swift response from security experts.
“When exploits like these are found on technology that is integrated into almost every device we use, it’s a real concern,” said Mark James, a security specialist at ESET. “This (Bluetooth) is found on virtually all our modern day devices in one form or another. We don’t know if attacks exist using this exploit yet, but something this widespread could cause serious problems if not fixed soon.
“Bluetooth needs to be disabled until a patch is applied and if no patch is on the horizon then you should seriously consider replacing that device with one that is being patched or actively maintained.”
“Bluetooth is everywhere from your laptop to your front door lock,” added Lamar Bailey, senior director of security research and development at Tripwire. “The vulnerabilities in Blueborne are very wide spread and patches will be coming out for months. Bluetooth should be treated like any open port if you do no need it then turn it off.”
Another expert warned of the security risks associated with IoT devices, and this should act as a warning that industry needs to take these vulnerabilities seriously.
“It is also should be a wake-up call that better vulnerability and penetration testing is a must for all IoT vendors,” said Jackson Shaw of One Identity. “It’s time for the IoT Cybersecurity Improvements Act of 2017 to be debated and enacted.”