Over the years our reliance on software and machines has grown exponentially. Our activities and data are scattered across the internet, and they give people with malicious intent a way into our internal systems, where they disrupt services, demand ransoms and destroy our data. Today the world is plagued by a series of cyber-attacks, from ransomware to DDoS, phishing to Trojans and many more. As security measures are put in place to guard against these adversaries, attackers are also growing smarter, devising new attack vectors and stealthy ways to bypass those restrictions and achieve their goals. One such recent attack is the BlueBorne attack.
Most of today's security attacks arrive over the internet, but this one is different: it is named "BlueBorne" because it spreads through the air (airborne) and attacks via Bluetooth. The security research firm Armis Labs has published eight related zero-day vulnerabilities, four of which are classified as critical. The attack vector is present on all major operating systems (Linux, Windows, iOS, Android) regardless of device type (laptops, desktops, smartphones, tablets and IoT devices). Any Bluetooth-equipped device running an unpatched version of the software is vulnerable to this attack.
The BlueBorne Vulnerability includes the following:
- Linux kernel RCE vulnerability – CVE-2017-1000251
- Linux Bluetooth stack (BlueZ) information leak vulnerability – CVE-2017-1000250
- Android information leak vulnerability – CVE-2017-0785
- Android RCE vulnerabilities – CVE-2017-0781 & CVE-2017-0782
- The Bluetooth Pineapple in Android – logical flaw – CVE-2017-0783
- The Bluetooth Pineapple in Windows – logical flaw – CVE-2017-8628
- Apple Low Energy Audio Protocol RCE vulnerability – CVE pending
How severe is the Threat?
Bluetooth is the most widespread short-range communication protocol, used by almost every device: smartphones, laptops, tablets, TVs, watches, cars, medical appliances and many more IoT devices. While previous Bluetooth-related vulnerabilities were found at the protocol level, BlueBorne sits at the implementation level, which makes it even more serious and powerful. Because the Bluetooth process runs with high privileges on most operating systems, the attack needs no input from the user. Moreover, BlueBorne does not even require the targeted device to be paired with the malicious device, or to be in discoverable mode.
The attack surface of this vector is huge and includes remote code execution and man-in-the-middle attacks. Given that Bluetooth connects automatically and that nearby devices usually have Bluetooth turned on, the repercussions of this vulnerability can be devastating. Once infected with malware, a device can easily spread that malware to nearby Bluetooth-enabled devices wherever it happens to be. These silent attacks are invisible to traditional security measures and procedures: nobody monitors device-to-device connections in their environment, so the attacks reach their target unnoticed. Their ability to operate in stealth makes them all the more powerful and devastating.
BlueBorne is a big deal not only because of the immense number of devices that are vulnerable to it, but because of the ease with which someone can take full control of your device without you tapping a link or downloading or installing any malicious software. Because it spreads from device to device, infections form a chain.
The market is now flooded with IoT and smart home devices. The data these devices track, store and share is beyond what an average user understands. Given the sensitive nature of the tasks these devices are entrusted with, and the data they hold, exploitation could be severe.
Android devices older than Marshmallow (6.x) are vulnerable. All Windows computers since Windows Vista are affected. Millions of devices running Linux (including Tizen OS), BlueZ and kernel 3.3-rc1 are also vulnerable.
Android Device Attack Scenario
A BlueBorne attack can take two forms. In the first, an attack goes undetected, targets a specific device to execute malicious code, infiltrates the network and gains access to systems and data. In the second, the attacker sets up a Bluetooth Pineapple to sniff or redirect user traffic, performing a man-in-the-middle attack.
Typically, in a BlueBorne attack, the attacker locates an active Bluetooth device in their vicinity and connects to it via Bluetooth. The attack starts by taking control of the screen and the apps. It then forces the device to give up information such as its MAC address, release keys and passwords. With further probing, the attacker can determine which operating system the device runs, which decides the course the exploit takes next.
Next, the attacker exploits the vulnerability in the BNEP (Bluetooth Network Encapsulation Protocol) service, which provides Bluetooth tethering. This flaw lets the attacker trigger a surgical memory corruption that allows code execution on the targeted device, giving full control over it.
Furthermore, the attacker can exploit the vulnerability in the PAN profile of the Bluetooth stack to create a malicious network interface on the victim's device, configure IP routing and force the device to use that interface, thereby performing a man-in-the-middle attack and accessing all traffic flowing from the device.
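What a defender can watch for is the outcome of this last step rather than the exploit itself: a Bluetooth PAN interface that has quietly captured the host's routing. The following is an added example, not part of the original article or of any vendor's tooling. It parses `ip -o link` and `ip route` output from a Linux host (the sample output below is constructed) and flags a PAN interface that is UP or that holds the preferred default route. The interface-name prefixes (bnep, bt-pan), the sample addresses and the `expected_pan` allowlist are assumptions.

```python
import re
from dataclasses import dataclass

# Assumption: BlueZ names Bluetooth PAN interfaces bnep0, bnep1, ...; some
# stacks use bt-pan. Both prefixes are treated as PAN links here.
PAN_PREFIXES = ("bnep", "bt-pan")


@dataclass
class Finding:
    severity: str
    iface: str
    detail: str


def parse_links(ip_link_output: str) -> dict:
    """Map interface name -> set of flags from `ip -o link` style lines."""
    links = {}
    for line in ip_link_output.splitlines():
        m = re.match(r"\s*\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>", line)
        if m:
            links[m.group(1)] = set(m.group(2).split(","))
    return links


def parse_default_routes(ip_route_output: str) -> list:
    """Return (metric, dev) for every default route, lowest metric first."""
    routes = []
    for line in ip_route_output.splitlines():
        if not line.startswith("default"):
            continue
        dev = re.search(r"\bdev\s+(\S+)", line)
        metric = re.search(r"\bmetric\s+(\d+)", line)
        if dev:
            routes.append((int(metric.group(1)) if metric else 0, dev.group(1)))
    return sorted(routes)


def is_pan(name: str) -> bool:
    return name.startswith(PAN_PREFIXES)


def assess(ip_link_output: str, ip_route_output: str, expected_pan=()) -> list:
    """Flag PAN interfaces that are UP or that carry the preferred default route.

    expected_pan lists PAN interfaces the host uses deliberately (intentional
    tethering); those are not reported.
    """
    findings = []
    for name, flags in parse_links(ip_link_output).items():
        if is_pan(name) and name not in expected_pan and "UP" in flags:
            findings.append(Finding("medium", name,
                                    "unexpected Bluetooth PAN interface is UP"))
    defaults = parse_default_routes(ip_route_output)
    if defaults:
        _, dev = defaults[0]  # lowest metric wins, so this is the route in use
        if is_pan(dev) and dev not in expected_pan:
            findings.append(Finding("high", dev,
                                    "preferred default route goes via a Bluetooth PAN interface"))
    return findings


# Constructed sample output, modelled on `ip -o link` and `ip route`.
SAMPLE_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT group default qlen 1000\\    link/ether 02:00:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff
3: bnep0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:aa:bb:02 brd ff:ff:ff:ff:ff:ff
"""
SAMPLE_ROUTE = """\
default via 192.168.44.1 dev bnep0 proto dhcp metric 100
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
192.168.44.0/24 dev bnep0 proto kernel scope link src 192.168.44.2 metric 100
"""

if __name__ == "__main__":
    # Replace the samples with the live output of the two commands to check a real host.
    for f in assess(SAMPLE_LINK, SAMPLE_ROUTE):
        print(f"[{f.severity}] {f.iface}: {f.detail}")
```

On the constructed sample the PAN link bnep0 is UP and its default route has the lower metric, so it is the route the host actually uses; that combination is reported as high severity, while a PAN link that is merely up is reported as medium. Hosts that tether on purpose list their interface in `expected_pan` to suppress the alert.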
How to Stay Safe?
As of now, two measures effectively address this attack:
- Turn off your Bluetooth service.
- Update your operating system with the security patches released by the vendors.
Microsoft, Google, Linux and Apple have already released patches for these vulnerabilities, but many devices will remain vulnerable to these attacks.
Vulnerabilities like BlueBorne have a widespread impact. Prevailing security measures such as endpoint protection, network security solutions, firewalls and data management are not designed to identify or stop this type of attack, as they focus on IP-based attacks. New solutions are therefore needed to address attacks that spread over the air rather than over IP and can reach even air-gapped devices.
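Applying the two measures to a whole fleet rather than one device means deciding, per device, whether it falls in the affected range the article states, whether it is patched, and whether Bluetooth is currently on. The following added example (not from the article or any vendor) triages a constructed device inventory on exactly those criteria. The `patched` and `bluetooth_on` fields are assumed to come from a patch-management or MDM export; Windows versions are given as NT numbers (Vista is 6.0); and treating kernel 3.3-rc1 as the lower bound of the affected Linux range is an assumption.

```python
import re


def version_tuple(ver: str, parts: int = 2) -> tuple:
    """Leading numeric components: '4.13.0-37-generic' -> (4, 13), '3.3-rc1' -> (3, 3)."""
    nums = [int(n) for n in re.findall(r"\d+", ver)[:parts]]
    return tuple(nums + [0] * (parts - len(nums)))


def in_affected_range(os_name: str, version: str) -> bool:
    """Version ranges the article states as affected.

    Windows uses NT version numbers (Vista is 6.0); Linux uses the kernel version.
    """
    v = version_tuple(version)
    if os_name == "android":
        return v < (6, 0)    # article: devices older than Marshmallow (6.x)
    if os_name == "windows":
        return v >= (6, 0)   # article: all Windows computers since Vista
    if os_name == "linux":
        # Article names kernel 3.3-rc1; treating it as the lower bound of the
        # affected range is an assumption made here.
        return v >= (3, 3)
    return False


def triage(device: dict) -> dict:
    """Classify one device and say which of the article's two measures applies."""
    affected = in_affected_range(device["os"], device["version"])
    at_risk = affected and not device.get("patched", False)
    exposed = at_risk and device.get("bluetooth_on", False)
    if exposed:
        action = "disable Bluetooth now, then apply the vendor patch"
    elif at_risk:
        action = "keep Bluetooth off until the vendor patch is applied"
    elif affected:
        action = "patched; no action"
    else:
        action = "outside the stated affected range; no action"
    return {"host": device["host"], "affected": affected,
            "at_risk": at_risk, "exposed": exposed, "action": action}


# Constructed inventory; hostnames, versions and flags are sample values.
INVENTORY = [
    {"host": "phone-01", "os": "android", "version": "5.1.1", "patched": False, "bluetooth_on": True},
    {"host": "phone-02", "os": "android", "version": "7.0", "patched": False, "bluetooth_on": True},
    {"host": "laptop-03", "os": "windows", "version": "10.0", "patched": True, "bluetooth_on": True},
    {"host": "laptop-04", "os": "windows", "version": "6.1", "patched": False, "bluetooth_on": True},
    {"host": "srv-05", "os": "linux", "version": "4.13.0-37-generic", "patched": False, "bluetooth_on": False},
    {"host": "cam-06", "os": "linux", "version": "3.2.0", "patched": False, "bluetooth_on": True},
]


def exposed_hosts(inventory=INVENTORY) -> list:
    """Hosts that are unpatched, in range and currently radiating Bluetooth."""
    return [r["host"] for r in map(triage, inventory) if r["exposed"]]


if __name__ == "__main__":
    for r in map(triage, INVENTORY):
        print(f"{r['host']:10} affected={r['affected']!s:5} at_risk={r['at_risk']!s:5} "
              f"exposed={r['exposed']!s:5} -> {r['action']}")
```

The split between `at_risk` and `exposed` is deliberate: a device that is in range and unpatched but has Bluetooth off (srv-05 in the sample) needs the patch scheduled, whereas one with Bluetooth on (phone-01, laptop-04) is the one to act on first, since switching the radio off is the only immediate control the article offers.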
Authored By - Ankit Das
TCS Cyber Security Practice