The latest Bluetooth vulnerability

With the number of smart, connected devices on the rise, so are concerns about privacy and security, especially after the spate of ransomware and other malware attacks that dominated the headlines over the past year. Even as the world is still recovering from the WannaCry ransomware, the Mirai botnet and other severe malware outbreaks, security researchers at Armis Labs have published a detailed technical whitepaper on a set of vulnerabilities, collectively named BlueBorne, that can potentially leave billions of Bluetooth-enabled devices open to remote code execution and Man-in-the-Middle (MiTM) attacks. Here is what you need to know about BlueBorne so that you don't end up an unwitting victim of cyber-crime:

Simply put, BlueBorne is an attack vector that lets an attacker within Bluetooth range use the Bluetooth stack of a targeted device to silently take control of it, without any action whatsoever on the part of the victim. What is really disconcerting is that for a device to be compromised, it does not have to be paired with the attacker's device, nor does it need to be in 'discoverable' mode; it only needs to have Bluetooth switched on. Eight separate zero-day vulnerabilities (four of them rated critical) can be used to attack most Bluetooth devices in use today, regardless of operating system. In practice that means over 5 billion Bluetooth-enabled devices around the world are potentially exposed by this security loophole, which was detailed in September 2017 by the IoT-focused security research firm Armis Labs. According to the company's technical whitepaper, BlueBorne is particularly dangerous not only because of its massive scale, but because the flaws actually enable remote code execution as well as Man-in-the-Middle attacks.

Which Devices / Platforms are Potentially Vulnerable to BlueBorne?

As mentioned already, the BlueBorne attack vector potentially endangers billions of Bluetooth-enabled smartphones, desktops, entertainment systems and medical devices running any of the major computing platforms, including Android, iOS, Windows and Linux. There are an estimated 2 billion Android devices in the world today, almost all of them with Bluetooth. Add an estimated 2 billion Windows devices, 1 billion Apple devices and 8 billion IoT devices, and it is clear why this threat is such a cause for concern for security researchers, device manufacturers and privacy advocates the world over. The two platforms most exposed to BlueBorne, however, are Android and Linux. That is because of the way Bluetooth is implemented on these operating systems (a kernel-level Bluetooth stack on Linux, and a highly privileged Bluetooth process on Android), which makes them susceptible to memory corruption bugs that can be used to run arbitrary code remotely, giving the attacker access to sensitive system resources on the compromised device.

How Can Hackers Exploit the BlueBorne Security Vulnerability?

BlueBorne is an airborne attack vector: it spreads over the air from one Bluetooth device to the next, which means a single compromised device can, in theory, go on to infect the devices around it. What makes users especially vulnerable is the high level of privileges that Bluetooth runs with on all operating systems, which gives an attacker who exploits it almost complete control over the compromised device. Once in control, criminals can use the device for cyber espionage and data theft, remotely install ransomware, or enrol it in a large botnet to carry out DDoS attacks or other cyber crimes. According to Armis, “The BlueBorne attack vector surpasses the capabilities of most attack vectors by penetrating secure “air-gapped” networks which are disconnected from any other network, including the internet”.

How to Tell if Your Device is Affected by BlueBorne?

According to Armis, all the major computing platforms are affected by BlueBorne in some way, but some versions of these operating systems are more exposed than others.

  • Windows

All Windows desktops, laptops and tablets running Windows Vista or newer are affected by the so-called “Bluetooth Pineapple” vulnerability, which allows an attacker to perform a Man-in-the-Middle attack (CVE-2017-8628).

  • Linux

Any device running an operating system based on the Linux kernel (version 3.3-rc1 and newer) is exposed to the remote code execution vulnerability in the kernel's Bluetooth stack (CVE-2017-1000251). In addition, all Linux devices running BlueZ, the userspace Bluetooth stack used by most distributions, are affected by the information leak vulnerability (CVE-2017-1000250). The impact is therefore not restricted to desktops: it extends to the many smartwatches, televisions and kitchen appliances that run Samsung's open-source, Linux-based Tizen OS. Devices such as the Samsung Gear S3 smartwatch and the Samsung Family Hub refrigerator are reported by Armis to be vulnerable to BlueBorne.

  • iOS

All iPhone, iPad and iPod touch devices running iOS 9.3.5 or earlier are affected by the remote code execution vulnerability, as are Apple TV devices running tvOS 7.2.2 or earlier. Devices running iOS 10 or later are not affected.

  • Android

Because of the sheer reach and popularity of Android, this is the platform believed to be worst affected. According to Armis, all Android versions are vulnerable to BlueBorne (the only exception being devices that use Bluetooth Low Energy exclusively), thanks to four different vulnerabilities in the OS. Two of them allow remote code execution (CVE-2017-0781 and CVE-2017-0782), one results in an information leak (CVE-2017-0785), and one allows an attacker to perform a Man-in-the-Middle attack (CVE-2017-0783). Not only are smartphones and tablets running Android affected, so are smartwatches and other wearables running Android Wear, televisions and set-top boxes running Android TV, and in-car entertainment systems running Android Auto, making BlueBorne one of the most comprehensive and severe attack vectors ever documented.

If you have an Android device, you can also install the BlueBorne Vulnerability Scanner app that Armis released on the Google Play Store to check whether your device is vulnerable.

How to Protect your Bluetooth-Enabled Device From BlueBorne?

While BlueBorne is one of the most comprehensive and threatening attack vectors in recent memory because of its sheer scale, there are ways to protect yourself from becoming a victim. First and foremost, keep Bluetooth switched off when you are not using it: an attacker cannot reach a device whose radio is off. Then make sure your device has all the latest security patches installed; a patch may not yet be available for every device, but it is the right starting point. Depending on the operating system of the device you want to safeguard, take the following steps to keep your personal data out of the wrong hands.

  • Windows

Microsoft shipped the fix for CVE-2017-8628 in its security updates of July 11, 2017, so as long as you have automatic updates enabled, or have manually installed the latest security patches since then, you should be safe from this threat.

  • iOS

If you're using iOS 10 or later, you're fine. Devices still on iOS 9.3.5 or earlier remain vulnerable: update to iOS 10 if your device supports it, and if it cannot be upgraded it stays vulnerable unless Apple issues a fix for the older branch, so keep Bluetooth off on such devices.

  • Android

Google released the BlueBorne fixes to its OEM partners on August 7, 2017, and to users as part of the September 2017 Android Security Bulletin, published on September 4, 2017. If you use an Android device, go to Settings > About phone (or About device) > System updates (the exact path varies by vendor) to check whether your manufacturer has rolled out the September 2017 security patch for your device; the “Android security patch level” shown on the About screen should read 2017-09-01 or later. If an update is available, install it promptly to keep yourself and your device safe from BlueBorne.
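For anyone responsible for more than one Android device, the check above can be scripted over adb. The script below is an added example, not tooling from Google or Armis: it reads the security patch level property of every attached device, compares it with a threshold and notes whether Bluetooth is currently on. The function names are mine, and the threshold 2017-09-01 is an assumption that the first patch level of the September 2017 bulletin carries the BlueBorne fixes; a vendor build can carry that string without the fix, so treat "patched" as a patch level, not a proof.

```shell
#!/bin/sh
# Fleet check for the BlueBorne fixes on adb-attached Android devices.
# Added example; the threshold and function names are assumptions.

# The page says the fixes shipped in the September 2017 bulletin; assumption:
# 2017-09-01 is the earliest ro.build.version.security_patch value carrying them.
BLUEBORNE_ANDROID_PATCH=2017-09-01

# Classify a security patch level string (YYYY-MM-DD).
# Prints "patched", "vulnerable" or "unknown" and always returns 0.
android_patch_status() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    # ISO dates compare correctly as integers once the dashes are stripped
    have=$(printf '%s' "$1" | tr -d -)
    need=$(printf '%s' "$BLUEBORNE_ANDROID_PATCH" | tr -d -)
    if [ "$have" -ge "$need" ]; then echo patched; else echo vulnerable; fi
}

# One line per attached device: serial, Android release, patch level, verdict,
# and the global bluetooth_on setting (0 = off), since keeping the radio off is
# the only mitigation for a device whose vendor has not shipped the patch.
blueborne_android_fleet_check() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
        release=$(adb -s "$serial" shell getprop ro.build.version.release | tr -d '\r')
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
        bt=$(adb -s "$serial" shell settings get global bluetooth_on | tr -d '\r')
        printf '%s\tAndroid %s\tpatch %s\t%s\tbluetooth_on=%s\n' \
            "$serial" "$release" "$level" "$(android_patch_status "$level")" "$bt"
    done
}

# Usage with devices attached and USB debugging enabled:
#   blueborne_android_fleet_check
```

A device that reports "vulnerable" but whose vendor has no September 2017 update is the case to act on: switch Bluetooth off there, or retire the device from any role where an attacker could come within radio range.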

  • Linux

If you run a Linux distribution on your PC, or a Linux kernel-based platform such as Tizen on IoT or connected devices, you may have to wait a little longer for the fix to reach you, because of the coordination required between the Linux kernel security team and the security teams of the individual distributions. If you have the technical know-how, you can apply the upstream patches to BlueZ and to the kernel and rebuild them yourself.

In the meantime, you can disable Bluetooth completely on your system (as root) with these steps:

  • Blacklist the core Bluetooth modules (the file name must end in .conf, or modprobe ignores it)
printf "install %s /bin/true\n" bnep btusb bluetooth >> /etc/modprobe.d/disable-bluetooth.conf
  • Disable and stop the Bluetooth service
systemctl disable bluetooth.service
systemctl mask bluetooth.service
systemctl stop bluetooth.service
  • Remove the Bluetooth modules, leaf modules first (bnep and btusb depend on bluetooth, so bluetooth must go last)
rmmod bnep
rmmod btusb
rmmod bluetooth

If rmmod reports that a module is in use, another Bluetooth module (for example btrtl, btintel, btbcm, rfcomm or hidp) still holds a reference to it; check lsmod, unload those first, then try again.
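The three steps above can be wrapped into one script that works out the rmmod order instead of guessing it. The script below is an added example, not from Armis or from the steps above: a module can only be removed once every module that holds a reference to it (the fourth column of /proc/modules) is gone, so the function walks that column from the core bluetooth module outwards and emits the family in an order rmmod accepts. The function names and the sample /proc/modules listing are constructed for illustration; the real listing on your host may name different driver modules, which is exactly why the order is computed rather than hard-coded.

```shell
#!/bin/sh
# Disable Bluetooth on a systemd-based Linux host as a BlueBorne stop-gap.
# Added example; function names and the sample listing are assumptions.

# Constructed sample in /proc/modules format: name size refcount holders state addr.
# Column 4 lists the modules holding a reference to this one, so btrtl cannot be
# unloaded while btusb is loaded, and bluetooth itself must go last. Modules that
# bluetooth depends on (ecdh_generic, rfkill) are not part of the family.
SAMPLE_PROC_MODULES='bnep 24576 2 - Live 0x0000000000000000
btusb 61440 0 - Live 0x0000000000000000
btrtl 16384 1 btusb, Live 0x0000000000000000
btintel 24576 1 btusb, Live 0x0000000000000000
btbcm 16384 1 btusb, Live 0x0000000000000000
bluetooth 606208 29 bnep,btrtl,btintel,btbcm,btusb, Live 0x0000000000000000
ecdh_generic 16384 1 bluetooth, Live 0x0000000000000000
rfkill 28672 4 bluetooth, Live 0x0000000000000000'

# Read /proc/modules on stdin; print the Bluetooth module family in rmmod order:
# the core "bluetooth" module plus everything that (transitively) holds a
# reference to it, holders before the modules they hold, in /proc order.
bt_unload_order() {
    awk '
    { n++; name[n] = $1; holders[$1] = ($4 == "-") ? "" : $4 }
    END {
        fam["bluetooth"] = 1
        grew = 1
        while (grew) {                       # grow the family until no new holder appears
            grew = 0
            for (i = 1; i <= n; i++) {
                m = name[i]
                if (!(m in fam)) continue
                k = split(holders[m], h, ",")
                for (j = 1; j <= k; j++)
                    if (h[j] != "" && !(h[j] in fam)) { fam[h[j]] = 1; grew = 1 }
            }
        }
        left = 0
        for (i = 1; i <= n; i++) if (name[i] in fam) left++
        while (left > 0) {                   # peel: emit a module once no holder remains
            progressed = 0
            for (i = 1; i <= n; i++) {
                m = name[i]
                if (!(m in fam)) continue
                k = split(holders[m], h, ","); blocked = 0
                for (j = 1; j <= k; j++) if (h[j] in fam) blocked = 1
                if (!blocked) { print m; delete fam[m]; left--; progressed = 1 }
            }
            if (!progressed) { print "bt_unload_order: reference cycle" > "/dev/stderr"; exit 1 }
        }
    }'
}

# modprobe.d stanza: "install X /bin/true" turns any future load of X into a no-op.
# The file this is written to must end in .conf or modprobe ignores it.
bt_modprobe_conf() {
    for m in bnep btusb bluetooth; do
        printf 'install %s /bin/true\n' "$m"
    done
}

# Apply all three steps on the live system; needs root.
disable_bluetooth() {
    bt_modprobe_conf > /etc/modprobe.d/disable-bluetooth.conf
    systemctl stop bluetooth.service
    systemctl disable bluetooth.service
    systemctl mask bluetooth.service
    order=$(bt_unload_order < /proc/modules) || return 1
    for m in $order; do
        rmmod "$m" || { echo "rmmod $m failed; see lsmod for remaining holders" >&2; return 1; }
    done
}

# Dry run against the constructed listing (prints: bnep btusb btrtl btintel btbcm bluetooth):
printf '%s\n' "$SAMPLE_PROC_MODULES" | bt_unload_order
# On a real host, as root:  disable_bluetooth
```

Check the dry run against `cat /proc/modules | bt_unload_order` on your own host before running `disable_bluetooth`; if the output is empty, the bluetooth module is not loaded and the modprobe stanza alone is enough to keep it that way.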

Armis Labs has also published demonstration videos:

  • Armis Labs explains the BlueBorne exploit
  • Android take-over demo
  • Linux smartwatch take-over demo
  • Windows MiTM (Bluetooth Pineapple) demo

BlueBorne is alarming because Bluetooth is found not only on Android, iOS, Windows and Linux machines but also on the majority of IoT devices, which are often slow to receive patches. Don't forget to secure yourself!
