Armis Labs researchers recently uncovered a new Bluetooth attack vector that allows attackers to take control of devices, access corporate data and networks, penetrate air-gapped networks, and spread malware to adjacent devices.
Notably, the attack does not require the targeted device to be paired to the attacker’s device, or even to be set on discoverable mode.
The attack vector, which the researchers are calling BlueBorne, leverages eight zero-day vulnerabilities, four of them critical. It affects mobile, desktop and IoT operating systems, including Android, iOS, Windows and Linux.
According to the Bluetooth SIG, more than 8.2 billion products using Bluetooth are currently in use worldwide.
No User Interaction Required
“The BlueBorne attack vector requires no user interaction, is compatible with all software versions, and does not require any preconditions or configurations aside from the Bluetooth being active. … Bluetooth enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with,” the researchers wrote.
“This means a Bluetooth connection can be established without pairing the devices at all,” they added. “This makes BlueBorne one of the most broad potential attacks found in recent years, and allows an attacker to strike completely undetected.”
BlueBorne can be used to launch remote code execution and Man-in-the-Middle attacks, and the researchers suggest it could be used for a wide variety of malicious objectives, including cyber espionage, data theft, ransomware, and even the creation of IoT botnets.
“We are concerned that the vulnerabilities we found are only the tip of the iceberg, and that the distinct implementations of the protocol on other platforms may contain additional vulnerabilities,” the researchers wrote.
Armis notified Google, Microsoft, Apple, Samsung and Linux of the vulnerabilities prior to disclosure. A technical white paper on BlueBorne can be viewed here [PDF].
Managing Connected Devices
Lamar Bailey, director of security research and development at Tripwire, told eSecurity Planet by email that Bluetooth should be treated like any open port — if you don’t need it, turn it off. “That may not always be easy with Bluetooth keyboards and mice/trackpads, but in situations where non-employees are within 40 feet of systems, like banks at teller windows, it is best to use wired input devices and not rely on Bluetooth,” he said.
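Bailey's "treat it like an open port" advice translates into an audit-and-disable routine on Linux hosts. The following shell script is an added example written for this article; it is not code from Armis, Tripwire or the BlueBorne white paper. It parses the text format of `rfkill list` to report Bluetooth radios that are neither soft- nor hard-blocked, and offers a soft-block function for hosts that do not need Bluetooth. The `rfkill list` sample embedded in the script is constructed for offline use; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): audit Bluetooth radio state on a Linux host
# with rfkill, treating an active Bluetooth adapter like any other open port.

# Constructed sample of `rfkill list` output so the audit can run offline.
# hci0 is active (not blocked), hci1 is already soft-blocked, phy0 is Wi-Fi.
SAMPLE_RFKILL_OUTPUT='0: phy0: Wireless LAN
    Soft blocked: no
    Hard blocked: no
1: hci0: Bluetooth
    Soft blocked: no
    Hard blocked: no
2: hci1: Bluetooth
    Soft blocked: yes
    Hard blocked: no'

# unblocked_bluetooth_radios: read `rfkill list` text on stdin and print the
# name (e.g. hci0) of every Bluetooth radio that is neither soft- nor hard-blocked.
unblocked_bluetooth_radios() {
    awk '
        /^[0-9]+: / {
            # Header line has the form "<id>: <name>: <type>".
            is_bt = ($0 ~ /: Bluetooth$/)
            name = $2; sub(/:$/, "", name)
            soft = ""; hard = ""
            next
        }
        /Soft blocked:/ { soft = $3 }
        /Hard blocked:/ {
            hard = $3
            # Hard blocked is the last line of each entry, so decide here.
            if (is_bt && soft == "no" && hard == "no") print name
        }
    '
}

# count_unblocked_bluetooth: number of active Bluetooth radios in the given rfkill text.
count_unblocked_bluetooth() {
    printf '%s\n' "$1" | unblocked_bluetooth_radios | wc -l | tr -d ' '
}

# audit_live_system: run the audit against the real rfkill output when the tool exists.
# Returns 0 when no Bluetooth radio is active, 1 when one is, 2 when rfkill is missing.
audit_live_system() {
    if ! command -v rfkill >/dev/null 2>&1; then
        echo "rfkill not available; cannot audit" >&2
        return 2
    fi
    active=$(rfkill list | unblocked_bluetooth_radios)
    if [ -n "$active" ]; then
        echo "Active Bluetooth radios: $active"
        return 1
    fi
    echo "No active Bluetooth radios"
    return 0
}

# disable_bluetooth: soft-block every Bluetooth radio (needs root; reversible with
# `rfkill unblock bluetooth`). Intended only for hosts that do not need Bluetooth.
disable_bluetooth() {
    rfkill block bluetooth
}

# Usage: `sh bt_audit.sh --live` audits the running host; without the flag the
# script only runs the offline check against the constructed sample.
if [ "${1:-}" = "--live" ]; then
    audit_live_system
else
    echo "Active Bluetooth radios in sample: $(count_unblocked_bluetooth "$SAMPLE_RFKILL_OUTPUT")"
fi
```

The audit function deliberately takes its input on stdin rather than calling `rfkill` directly, so the same parser can be run against output collected from a fleet (for instance via a configuration-management tool) and the result checked before any soft-block is applied.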
Varonis security engineer Mike Buckbee said BlueBorne highlights how challenging it can be to secure connected devices. “We’ve gotten the IoT wake-up call loud and clear, and now it’s up to manufacturers to heed the warning and bake security into their products before jumping in feet first with the latest connected devices,” he said.
“Attackers will continue to rapidly develop exploits to crack IoT devices to spy on us, steal our information, and even put our lives in danger,” Buckbee added. “As we become ever more dependent upon our mobile devices, and the world becomes increasingly automated, attacks like BlueBorne which hit specific chips, components and stacks are going to become much more dangerous.”