IoT-focused security company Armis Labs revealed a Bluetooth-based attack that impacts billions of devices, including Android, Linux, and unpatched Windows and iOS10 or earlier devices. Along with the Bluetooth attack, which the company called “BlueBorne,” Armis also revealed eight zero-day vulnerabilities that could be used to facilitate the BlueBorne attack against some devices.
According to Armis Labs, BlueBorne not only affects billions of smartphones, desktops, sound systems, and medical devices, but it requires no action from users. It's also invisible to users, and worst of all, it can start spreading from device to device on its own.
Because the Bluetooth process has high privileges on most operating systems, that means once BlueBorne reaches a device, it can also cause significant damage through remote code execution, man-in-the-middle (MITM) attacks, or by penetrating air-gapped networks that otherwise have no internet connectivity. This can make the BlueBorne attack vector useful in cyber espionage, data theft, ransomware, and even for creating large botnets out of infected IoT devices.
What makes BlueBorne special is that unlike similar attacks such as the recent one against Broadcom Wi-Fi chips, which also happened to be airborne, the BlueBorne attack doesn’t affect only the peripherals of a device but can give an attacker full control over the infected device right from the start.
Armis also said that Bluetooth software offers a larger attack surface than Wi-Fi software does, especially since it's been largely ignored by the security community until now.
Armis Labs argued that airborne attacks show a new type of threat that’s typically not taken into account by traditional security solutions. Airborne attacks that can bypass traditional security and even air-gapped internal networks can also endanger industrial systems, government agencies, and critical infrastructure.
The airborne attacks are also easier to spread because the user doesn’t have to download or click anything for the infection to occur. Such attacks are compatible with all software versions of a device, as long as Bluetooth is active.
Devices with Bluetooth enabled are constantly searching for other Bluetooth devices, which can allow an attacker to use the BlueBorne vulnerability to connect to it without having to pair with said device. This makes BlueBorne one of the most broad potential attacks in recent years, while allowing attackers to strike undetected.
Next-Generation Bluetooth Vulnerabilities
Most previous Bluetooth vulnerabilities were related to the protocol itself. The most serious one in recent years was fixed in the Bluetooth 2.1 protocol. Since then, newly found vulnerabilities were minor and did not allow remote code execution. This is also why the security research community started turning its eyes towards other protocols and systems.
Armis said that it's seen two main issues with how platform vendors have implemented the Bluetooth protocol: Either the platform vendors followed the implementation guidelines word for word, which has led to the same Bluetooth bug to exist on both Android and Windows, or in some areas, the Bluetooth specifications have left too much room for interpretation, which opened the possibility for multiple bugs to exist in various implementations.
The security firm also said that BlueBorne is based on the vulnerabilities found in the various implementations, and it’s worried that other vulnerabilities may exist on other Bluetooth-connected platforms that it hasn't yet tested.
How BlueBorne Works
The BlueBorne attack vector has several stages. First, the attacker finds some local Bluetooth-enabled devices. Next, they obtain the MAC address of the device to determine which operating system is running on it and adjust the exploit accordingly.
The attacker will exploit a vulnerability in the implementation of the Bluetooth protocol on that platform and then choose whether or not to do a MITM attack to intercept communications or take over the device for other malicious purposes.
Android Attack Vectors
An attack on the Android platform can make use of four different vulnerabilities (which Armis also discovered):
- An information leak vulnerability resembling Heartbleed that could leak the encryption keys of the device
- A remote code execution vulnerability that doesn’t require authentication or user interaction and uses the Bluetooth Network Encapsulation Protocol (BNEP) service, which enables internet sharing over a Bluetooth connection (tethering)
- Another remote code execution vulnerability that is similar to the previous one and can be triggered without user interaction and can allow the attacker to take full control of the device.
- The Bluetooth Pineapple vulnerability allows an attacker to create a MITM attack using only a Bluetooth-connected device and no special equipment, which is often required for Wi-Fi interception.
Windows Attack Vector
The Bluetooth Pineapple vulnerability is also present on unpatched Windows systems, allowing the same type of MITM attack to occur. Microsoft patched the vulnerability in the July update, but not all users patch their machines as soon as an update is available.
Linux Attack Vectors
Linux is affected by two vulnerabilities: an information leak flaw that allows the attacker to adjust the attack accordingly and a stack overflow bug that attackers to take full control over the device.
iOS Attack Vector
The vulnerability uncovered by Armis in older versions of iOS had been fixed by Apple in iOS 10 and Apple TV 7.2.2. However, the company still warns users who are on older versions of iOS that they're at risk. The vulnerability found in Apple’s Low Energy Audio Protocol (LEAP), which works on top of Bluetooth, enables a remote code execution attack that could allow an attacker to silently take over a device.
Protecting Against AirBorne Bluetooth Attacks
Armis Labs argued that current security measures such as endpoint protection, mobile data management, firewalls, and network security solutions are not designed to deal with airborne attacks, because their main focus is to block attacks that happen over IP connections.
Armis also called for more attention on implementing secure Bluetooth protocols in the future, as the impact of any newly found threat could be quite significant, considering that billions of devices make use of the technology.
Users who aren’t expecting a patch for the BlueBorne attack on their devices (such as owners of older Android smartphones) would do best to disable Bluetooth and only enable it for a short time when needed, if at all.