On September 12, 2017, a series of Bluetooth vulnerabilities collectively referred to as BlueBorne was made public by Armis Labs. Numerous major platforms were impacted and have released patches as a result, making this a major event for businesses and regular consumers alike.
Bluetooth is a wireless communications technology comprised of dozens of protocols working in parallel and in layers, and is commonly used for short-range communication between various devices. It is often associated with the Internet of Things and those devices’ interactions with more conventional technology such as computers and smartphones.
On some platforms, part of the subsystems contain vulnerabilities that range from information leakage to remote code execution. Not all platforms are vulnerable to all of the vulnerabilities, although some devices are vulnerable to more than one. The overall collection of this research known as BlueBorne covers these loosely-related vulnerabilities, with the idea that it stresses the underlying issues of vulnerabilities in complex codebases being rapidly adopted by both existing and new technologically-dependent industries.
In other words, a number of serious Bluetooth bugs were found, and the research suggests that more may exist in similar protocols in Bluetooth implementations in any number of other Bluetooth-enabled devices. It is these theoretical vulnerabilities out there that have been driving the headlines, and why we wanted to address some of the concerns, as the press is making it seem like the entirety of technology is affected (it is not).
Analysis of BlueBorne Vulnerabilities
The BlueBorne vulnerabilities themselves can be broken down into groups based upon platform. There were vulnerabilities found in the Linux Bluetooth code; the Windows platform starting with Windows Vista up to and including current Microsoft offerings; older versions of Apple’s iOS; and Android versions, including the most recent.
The Linux platform contained two flaws - an information leak and a remote code execution vulnerability. The information leak is in the SDP protocol, and allows for small pieces of adjacent memory to be read by an attacker remotely. The remote code execution vulnerability is in the Bluez library that is included in the kernel code, making for a serious vulnerability. Not only are the major flavors of Linux impacted, but devices running code based upon these libraries will also be impacted. For example, a number of Samsung devices (e.g. smart watches, TVs, refrigerators) use some of the same libraries.
The Windows platform contains a flaw allowing for IP communication to be intercepted and altered via a man-in-the-middle (MITM) attack with the Bluetooth protocol stack being the attack vector.
The Apple iOS vulnerability was a remote code execution vulnerability, however, this vulnerability is not present in current versions of iOS. If your version of iOS is 10.3.3 or greater, you are not vulnerable to this issue.
The Android vulnerabilities consist of two remote code execution vulnerabilities, an information leak, and a man-in-the-middle attack similar to the Windows flaw. These can be used in conjunction with each other to “strengthen” the attack against vulnerable Android systems.
Likelihood of Attack
This area of consideration involves deciding on the level of risk your device may be at, and taking into consideration the likelihood of a successful attack against the device.
Bluetooth Sniffing is Hard
The BlueBorne vulnerabilities were researched in a lab environment. Duo Labs has done similar research involving Bluetooth, and we can definitively report to you that it can be quite challenging and complex. Working in a controlled environment, things may just barely work at times and real-world application could be a serious challenge.
Think of it this way, have you ever had an instance where you have a dead spot in your house where something wireless did not work? For example, you can’t use the app on your phone to turn on the lights in the kitchen if you sit in the brown chair by the window. If you sit on the couch it works, but not the brown chair. The real world is filled with these little environmental areas that you don’t encounter in a lab.
Just about every presentation at a security conference involving Bluetooth includes a slide that says or mentions that Bluetooth sniffing is hard. It can be hard enough in a lab; in a real-world attack scenario, the attacker not only faces any number of brown chairs, but they have to find the exact spot on the couch. The Bluetooth signal has to be sniffed - already a challenge - and then an attack has to be launched against a potential moving target. Not easy.
Wireless Attacks Require Proximity
For any wireless attack to work, including attacks involving Bluetooth, the attacker has to be within physical proximity of the victim. This is not the classic scenario where the attacker is sitting in the middle of suburbia in a basement; for this attack to work, the attacker has to leave that basement and go physically find a victim.
As a result, it makes sense that the attacker would go where the most possible victims might be, such as a coffee shop, food court, busy conference floor, or popular sporting event - you pick. Even then, the effective range of Bluetooth narrows it down to a few dozen feet in most cases.
The BlueBorne attacks are, as of this writing, non-trivial. The technical details that surround the flaws require more knowledge than your average script kiddie possesses to pull off - these vulnerabilities were released without exploit code.
An attack could make use of the included Bluetooth hardware in an average laptop, but would greatly benefit from the added enhancement of extra hardware that is more powerful, such as a USB Bluetooth device with a large antenna.
The attacks against platforms or devices that were not included in the BlueBorne release are speculative. They will require an attacker to perform non-trivial research to find them, and are currently non-existent and theoretical. It doesn’t mean they aren’t there - any security person worth their salt will tell you they are probably there - but the threat from them is not immediate as the actual threats that have been found and reported.
Timing and The Odds
Timing is another factor. You, the potential victim, have to show up at the exact physical place that the attacker is at. At the same time. An attacker with a Liam Neeson special set of skills. And extra hardware. Who knows where the couch is, and avoids the brown chair. And you have to be there long enough for Liam to pull this off, assuming another victim doesn’t already have his attention.
Okay, we’ve had some fun exploring how likely the attack is - it is serious, but keep in mind the drive in the car to the coffee shop was much more dangerous and more likely to impact you than our friend Liam.
Mitigation of BlueBorne-Related Risks
There are two main areas of mitigation involving the BlueBorne vulnerabilities.
First and foremost, patch as soon as you are able to do so. Google has released patches for Android systems, and all partners that support regular patching are already releasing their fixes for their devices. Windows has already released a patch, and the iOS platform is already patched if you are on a current and supported version of iOS. Linux is in the process of releasing patches on their various platforms.
Your second line of defense, if you are unable to patch immediately, is to disable Bluetooth on your devices. This simple step prevents all of the vulnerabilities. If you are out and about with your unpatched phone, disable Bluetooth when you are in areas where people might congregate or other areas where you might be at risk, or simply leave it off.
While the vulnerabilities are serious, it is easy to mitigate and there are patches available from the major vendors. It is true that other vulnerabilities might exist in other products that have yet to be discovered, but that holds true with pretty much all technology.
Keep your devices patched up, disable Bluetooth if you don’t need it, and most importantly, do not feel overwhelmed with the flashy headlines that are screaming about everything being affected.