Bluetooth flaws put billions of devices at risk


This attack would not require people to click on links, download malicious files, or "pair" devices to work; it would merely require people to have Bluetooth enabled. It's also invisible to users, and worst of all, it can start spreading from device to device on its own.

Blueborne consists of a number of ways to attack a device, the most serious of which would allow a threat actor to gain control over a Bluetooth enabled device and its data.

The eight vulnerabilities include a Linux kernel RCE vulnerability (CVE-2017-1000251), a Linux Bluetooth stack (BlueZ) information leak vulnerability (CVE-2017-1000250), an Android information leak vulnerability (CVE-2017-0785), two Android remote code execution vulnerabilities (CVE-2017-0781 and CVE-2017-0782), the "Bluetooth Pineapple" logical flaw in Android (CVE-2017-0783) and the "Bluetooth Pineapple" logical flaw in Windows (CVE-2017-8628).

"This works similarly to the two less extensive vulnerabilities discovered recently in a Broadcom Wi-Fi chip by Project Zero and Exodus".

It's also, according to Armis, a Palo Alto, California-based IoT security firm, too complicated. "This can endanger industrial systems, government agencies, and critical infrastructure".

Part of the blame for these flaws falls on how device makers have implemented the overly complex Bluetooth protocol across devices over the years, which is where numerous weak spots are found.

This morning, Armis Security published details of a new set of Bluetooth vulnerabilities that could potentially expose millions of devices to remote attack. This makes BlueBorne one of the broadest potential attacks in recent years, while allowing attackers to strike undetected.

The eighth flaw is a remote code execution vulnerability in Apple's Low Energy Audio Protocol that does not yet have a CVE number assigned. Further, the hack requires an attacker to chain together several vulnerabilities and be in proximity to the device, making it hard to duplicate in the wild.

There are technically several distinct attack vectors spread across current mobile operating systems. An attack begins with the attacker obtaining the target's Bluetooth MAC address, after which they need to probe it to identify the operating system. Malware exploiting the attack vector may be particularly virulent, passing peer-to-peer and jumping laterally to infect adjacent devices whenever Bluetooth is switched on, said the researchers.

✯ Users of Android devices can determine whether their device is vulnerable by downloading the BlueBorne Android App [link to be added soon] from the Google Play Store and using it to run a simple and quick check.

Windows machines with Bluetooth are also at risk from a vulnerability that lets an attacker invisibly intercept or reroute wireless traffic by creating a malicious network interface on the device. Google patched the flaws in its September Android Security Bulletin.

Finally, once the attacker has access, they can begin streaming data from the device in a "man-in-the-middle" attack. As Armis noted on its BlueBorne info page, iOS devices on version 9.3.5 and earlier are vulnerable, but that vector was ironed out in iOS 10.

The researchers state that Windows Vista and later are affected by BlueBorne.

The group that oversees Bluetooth technology, called the Bluetooth Special Interest Group, estimates that there are more than 8 billion Bluetooth devices on the market today.