New Attack Vector Affecting Bluetooth Devices

Researches from Armis Labs have identified a new attack vector, dubbed BlueBorne, that endangers mobile, desktop and IoT operating systems, including Android, iOS, Windows, and Linux. BlueBorne enables attackers to take control of devices, penetrate corporate networks and distribute malware via Bluetooth. Notably, the attack does not require pairing with the targeted device or setting it in discoverable mode.

The new attack vector takes advantage of the following vulnerabilities identified by Armis Labs researchers in implementations of the Bluetooth protocol:

1. Linuх kernel RCE vulnerability – CVE-2017-1000251.
2. Linux Bluetooth stack (BlueZ) information Leak vulnerability – CVE-2017-1000250.
3. Android information Leak vulnerability – CVE-2017-0785.
4. Android RCE vulnerability #1 – CVE-2017-0781.
5. Android RCE vulnerability #2 – CVE-2017-0782.
6. The Bluetooth Pineapple in Android – Logical Flaw CVE-2017-0783.
7. The Bluetooth Pineapple in Windows – Logical Flaw CVE-2017-8628.
8. Apple Low Energy Audio Protocol RCE vulnerability – CVE-2017-14315.

A report prepared by Armis Labs provides detailed technical information on these vulnerabilities, as well as descriptions of the relevant exploits. The researchers have also published videos demonstrating attacks on different operating systems.

A BlueBorne attack is implemented in several stages. First, a device with active Bluetooth is detected and its MAC address is obtained. Then an exploit for the relevant vulnerabilities is selected based on information on the targeted device’s operating system. After exploiting the vulnerabilities, the attackers gain access to the device.

According to Armis Labs researchers, the popular notion that it is difficult to obtain the MAC address of a device’s Bluetooth adaptor is false. Although Bluetooth connections are encrypted, packet headers, which are transferred in plain text, provide sufficient information to determine the adaptor’s MAC address. This means that by using Bluetooth packet sniffing tools, such as Ubertooth, an attacker can obtain the Bluetooth adaptor’s MAC address and use it to send unicast traffic to the device. If the device is in passive mode and is not generating any Bluetooth traffic, its MAC address can be ‘guessed’ by intercepting its Wi-Fi traffic. This is possible because Wi-Fi MAC addresses are sent unencrypted over the air and because, in most devices, the MAC addresses of their Bluetooth and Wi-Fi adapters are the same or only differ in their last digit.

Authors of the report emphasize that there are over 8.2 billion Bluetooth devices globally. A significant proportion of these devices are potentially vulnerable to the newly discovered attack vector. In addition to personal computers and smartphones, Bluetooth is extensively used in IoT devices, such as Smart TVs, smart watches, and fitness bands, as well as medical appliances and cars, which can become critically dangerous to people’s health and even life if their normal operation is disrupted.

Kaspersky Lab ICS CERT security researchers believe that, although Bluetooth-based technologies are not extensively used in industrial systems, the BlueBorne attack vector can still be relevant to industrial devices. For example, some PLCs use Bluetooth for wireless configuration and programming. Bluetooth connections can also be used in wireless sensor networks to collect data and send commands to field-level actuators of industrial control systems. This means that ICS vendors should take a close look at the newly identified Bluetooth security issues to reduce possible risk.