Armis Labs has revealed eight vulnerabilities, called "BlueBorne", which put 5.3 billion Android, iOS, Windows, and Linux devices that use Bluetooth at risk. With it, hackers can control devices, access data, and spread malware to other vulnerable devices through networks. In this post, we will learn about the vulnerabilities, then look at how to find devices that have them.
On their release page for BlueBorne Armis provides a very good overview video, which you can see below.
The biggest danger of BlueBorne is that it can spread malware to other Bluetooth devices. This would be bad enough on its own, but some of these vulnerabilities don't even require being paired to be vulnerable.
Let me explain. If you infected a Bluetooth speaker with malware that spread itself to any device that connected to it, that would be bad, but only a limited number of devices would connect and become infected.
Now, imagine instead that every device that simply comes within range (around 33 feet for Bluetooth) of it is instantly infected, and each of those devices would work the same way to infect other devices in range as they go about the world. Now you get an idea of how dangerous this exploit could be, because of how prolifically it spreads, exploits like this have the potential to quite literally become an electronic pandemic.
These silent attacks are invisible to traditional security controls and procedures ... Companies don't monitor these types of device-to-device connections in their environment, so they can't see these attacks or stop them.
Furthermore, unlike a real pandemic where the victim will show signs of being infected, such as a cough, a BlueBorne victim will not, depending on how the malware is written. With no interaction needed with an infected host other than being in proximity to infect it, you can see how this has the potential to quickly spread through an environment without detection.
The real icing on the cake is that Bluetooth often has high privileges within the operating system, which can give you almost complete control over the device. With these two capabilities, remote control and pandemic level spreading potential, you could conduct data theft, espionage, and install ransomware on a massive scale.
You may be thinking that it doesn't matter how easily it spreads, because there can't be that many Bluetooth devices out there. Unfortunately, Bluetooth is the de facto wireless protocol choice by many wearable developers, and much of the emerging internet of things (IoT) market. Needless to mention, Bluetooth is a near-ubiquitous option on any modern smartphone, tablet, or computer.
In fact, on their website, Bluetooth SIG, Inc. says it "is integrated into more than 8.2 billion products produced by over 30,000 Bluetooth SIG members." The majortiy of those are the 2 billion Android, 2 billion Windows, and 1 billion Apple devices.
BlueBorne is unique for several reasons. First, it doesn't require an internet connection, nor does it even involve Wi-Fi at all. In the past, Bluetooth vulnerabilities rooted from the protocol itself, many of which were fixed in version 2.1 back in 2007. Since then, few new vulnerabilities have been found, not because they don't exist, but simply because few researchers were interested in it, and the community as a whole focused on the Wi-Fi and other protocols.
Vendors have a tendency to follow the Bluetooth protocol to the letter, because of how difficult it can be to implement. This means if we find a weakness in the protocol, many Bluetooth devices will be affected, and we'll get the most impact out of our research. That is why Armis chose to focus on it, and it paid off when they found mirrored vulnerabilities like CVE-2017-8628 and CVE-2017-0783 (Windows and Android), which we will look at below.
We are concerned that the vulnerabilities we found are only the tip of the iceberg, and that the distinct implementations of the protocol on other platforms may contain additional vulnerabilities.
Fortunately (or unfortunately depending on your point of view) Armis did contact Google, Microsoft, Apple, Samsung, and Linux in early August. They have all since released security updates. Except for Samsung and Apple, Apple didn't need to, as it had no vulnerability in its current versions. On the other hand, Samsung wasn't so lucky — they just didn't get back to Armis on three different occasions.
- All Android phones, tablets, and wearables that don't use exclusively Bluetooth Low Energy, with some notable examples being the Samsung Galaxy and Google Pixel.
- Windows computers since Windows Vista.
- All Linux devices running BlueZ, including Samsung Smart TVs and the infamous Samsung Family Hub.
- All iPhone, iPad, and iPod touch devices with iOS 9.3.5 and lower.
- AppleTV devices with version 7.2.2 and lower.
If you have one of these devices, make sure to update it immediately in order to patch the vulnerabilities. If you can't for whatever reason, then disabling Bluetooth is the only safe choice you have for the moment. Until October of 2017, the same was true of Samsung devices, when a patch was finally relased.
Let's take a look at the steps that would need to be carried out in order to perform one of these attacks.
- We locate active Bluetooth connections by using a program like Blue Hydra, which allows us to see devices not set to "discoverable" mode.
- Obtain the device's MAC address, which can also be done using Blue Hydra.
- Probe the device to uncover the operating system.
- Employ a vulnerability based on which OS is being used.
- Upload malware, or simply stay connected and perform a man in the middle attack.
Below, we will go over the vulnerabilities in general, but if you are interested in more detail, you can read the white paper.
Armis disclosed four vulnerabilities that impact the Android OS. One is information leaking, two allow remote code execution, and the last is a man in the middle attack. This makes it the most compromised of all the systems.
Information Leaking (CVE-2017-0785): This vulnerability in the Service Discovery Protocol, that is how it detects other devices around it, can be manipulated by a crafted request that will return memory bits leaking encryption keys in a way that might remind some of heartbleed.
Remote Code Execution #1 (CVE-2017-0781): When you tether a device to the internet, such as with the use of a Fitbit and smartphone, they use something referred to as the Bluetooth Network Encapsulation Protocol (BNEP). There is a flaw in it which lets a hacker without authentication or pairing to the device corrupt memory in a way that is easy to exploit, and allows the running of arbitrary code with the privileges of the com.android.bluetooth service. This means access to the file system, network stack, and the ability to emulate a keyboard or mouse.
Remote Code Execution #2 (CVE-2017-0782): This is almost the exact same the previous one, however, the fault is higher in the BNEP service, this time residing in the Personal Area Networking (PAN) profile.
The Bluetooth Pineapple (CVE-2017-0783): This is a man in the middle attack on the PAN profile we just mentioned. It allows hackers to create network interfaces and re-configure IP routing. Additionally, since it is a man in the middle attack, if the device has a microphone, then a bug or listening device has effectively been placed on the victim.
Now, let's take a look at what this attack would look like on a Google Pixel and how it can happen in just 23 seconds.
Currently, there is one proof of concept scanner and exploit under development for Android exploits, located at this link.
The Bluetooth Pineapple #2 (CVE-2017-8628): As we discussed before, since the problem is in the Bluetooth stack itself, it can stretch across platforms — like it has here. The Windows platform has the exact same issues as the Android one. Below, we will see an example of how it can be used in a phishing attack to steal the credentials of the user as an example of just how powerful this attack is.
Information leak (CVE-2017-1000250): Here yet again, we see the same attack, from Android, but on a different OS.
Stack overflow in BlueZ (CVE-2017-1000251): BlueZ is a core part of the Linux Kernel, enabling Bluetooth communication. This is another memory corruption attack employed against the L2CAP (Logical Link Control and Adaptation Protocol). Below, we can see how this is used to turn a smartwatch into a listening device.
Currently, there is one proof of concept of a Linux attack in development, available at this link.
Armis did not develop a full attack for this, because it was resolved with the iOS version 10 update. In spite of this, older apple devices are still vulnerable. The flaw is in Apple's LEAP (Low energy audio protocol), which works on top of Bluetooth and is used to stream audio. Any sufficiently large audio command will lead to a memory corruption, which can be used to take over the device.
Armis was kind enough to create an app which will detect if your device is vulnerable, and scan those around you to find if they are vulnerable too. Unfortunately, the app is only for Android, you can download it on Google Play.
Now, it is as easy as opening the app, and tapping the "Tap To Check" button. Despite the little loading screen, it seems to be checking the security patch date. If you do find yourself vulnerable, turn off Bluetooth and update your device.
Next, we can check to see if the devices around us are vulnerable too. The red dots in the screenshot below are high-risk devices. If we click on them, we can see some information on them, including their MAC ID. For example, in the image below, the ID is the lower line which begins with 94:35.
If only there was some way to hack a Bluetooth device with a Mac ID. Oh, that's right, we just learned about vulnerabilities, and we have a whole white paper full of details on how to take advantage of such knowledge. You shouldn't hack any devices you don't own, but if you do find you own a vulnerable one, then you may want to test your skills against it.
If you're interested in the Armis proof of concept, you can check out the code on Github. Be warned, the installation was not straightforward for beginners, and we weren't able to get it to run.
Today, we've looked at the vulnerabilities involved in the BlueBorne disclosure, and the picture it paints doesn't bode well for Bluetooth. It's critical that the owners of vulnerable devices find and update them, due to the possible pandemic-like spread of potential Blueborne malware, potentially causing one infected device moving throughout a city to infect many others.
It's worth considering adding rules to your phone that automatically disable connections when you don't need them, and be mindful of what devices you own use bluetooth. We can only hope that the cybersecurity research community takes Bluetooth more seriously in the future, and pours as much research attention into Bluetooth as they have Wi-Fi, or hackers will. And unlike Armis team, malicious hackers won't be so friendly with their zero-day disclosures.
Thanks for reading! If you have any questions, you can leave them in the comments below, or on Twitter.
Cover Photo By Null Byte