Last month, I wrote about Broadpwn. Broadpwn is an exploit which can be used to take over many smartphones and tablets, iPhones and Android devices alike. It targets Broadcom Wifi chipsets, which are used in mobile devices from a variety of OEMs including Apple and Samsung.
The bright side is that it's simply a vulnerability that was found by a security researcher, and updating to the latest versions of iOS and Android patches the vulnerability.
That's not the case for this Bluetooth exploit, however. Armis Labs discovered eight zero day vulnerabilities. That's right - BlueBorne is a collection of vulnerabilities, many with patches that are still being developed.
But like Broadpwn, BlueBorne can be used to attack devices while bypassing operating system security measures like data execution prevention and address space layout randomization. Attacks that target hardware exploits and bypass operating systems are fast becoming the future of cyberattacks.
Devices that can be attacked through BlueBorne include not only mobile devices, but also PCs that have Bluetooth functionality, and many of the Internet of Things (IoT) devices which are becoming increasingly numerous and ubiquitous.
Like Broadpwn, BlueBorne bypasses operating systems, no matter what system you’re using. Armis Labs has found that BlueBorne can exploit devices running iOS, Android, Windows, and Linux operating systems.
Out of the estimated 8.2 billion Bluetooth devices worldwide, more than 5.3 billion of them are definitely vulnerable to a BlueBorne attack. But according to Armis Labs, all Bluetooth devices may be vulnerable, at least to some extent.
Bluetooth enables devices to connect effortlessly and, most alarming, is that someone with a device that gets a BlueBorne attack probably won't know it. For a BlueBorne attack to work, all that's required is for Bluetooth to be turned on, which many people use by default to connect to external speakers, GPS trackers, fitness trackers, etc.
Bluetooth is especially challenging to secure. According to Armis Labs:
“Bluetooth is a difficult protocol to implement, which makes it prone to two kinds of vulnerabilities. On the one hand, vendors are likely to follow the protocol’s implementation guidelines word-for-word, which means that when a vulnerability is found in one platform it might affect others. These mirrored vulnerabilities happened with CVE-2017-8628 and CVE-2017-0783 (Windows & Android MiTM) which are 'identical twins.' On the other hand, in some areas the Bluetooth specifications leave too much room for interpretation, causing fragmented methods of implementation in the various platforms, making each of them more likely to contain a vulnerability of its own.
This is why the vulnerabilities which comprise BlueBorne are based on the various implementations of the Bluetooth protocol, and are more prevalent and severe than those of recent years. We are concerned that the vulnerabilities we found are only the tip of the iceberg, and that the distinct implementations of the protocol on other platforms may contain additional vulnerabilities.”
This is how BlueBorne attacks work. First, an attacker looks for Bluetooth devices around them. An attacker can even find Bluetooth devices which aren't in ‘discoverable’ mode, provided that Bluetooth is still enabled.
Then an attacker acquires the MAC address of their targeted device. An attacker can use the MAC address to find the operating system being used, in order to fine tune their attack to exploit further vulnerabilities.
An attacker then uses the vulnerabilities in the Bluetooth protocol to acquire the access they need to control their targeted device. Then, an attacker can engage in a man-in-the-middle attack, or take full control of their target. Ouch! The device's user won't know what hit them.
Armis Labs has been doing their due diligence to reach out to vendors with their findings. They contacted Google and Microsoft on April 19. Apple was contacted on August 9, and Linux developers were contacted on August 15 and 17. Ever since, the vendors have been working on patch development.
Google made a BlueBorne patch part of the September Security Update and Bulletin on September 4. Microsoft released a patch to all currently supported versions of windows on July 11, but Windows users ought to check the related Microsoft release information to ensure that their computers are patched.
Certain Linux IoT devices such as the Samsung Gear S3 smartwatch, Samsung Smart TVs, and Samsung Family Hub smart refrigerators are still vulnerable, but patches are currently in development.
iPhones, iPads, and iPods running iOS 9.3.5 or older are vulnerable to BlueBorne, but can be patched if users upgrade to iOS 10. If your device cannot be upgraded to iOS 10, you should consider retiring it and buying a more recent iPhone, iPad, or iPod.
Even though BlueBorne is being patched across operating systems and vendors, I fully expect that new Bluetooth exploits and attacks will be discovered in the future. Installing available security patches is important, but I also leave Bluetooth disabled on my devices most of the time, only enabling it when needed. That's a good practice for not only closing an attack vector, but also for saving battery life.