Bluetooth is one of the most widely deployed and used connectivity protocols in the world. Everything from electronic devices to smartphones uses it, as do a growing number of IoT devices. Now, a new Bluetooth exploit, known as BlueBorne, exploits a number of Bluetooth vulnerabilities, making literally billions of devices potentially vulnerable to attack.
BlueBorne is a hybrid Trojan-Worm malware that spreads via Bluetooth. Because it includes worm-like properties, any infected system is also a potential carrier, and will actively search for vulnerable hosts. Unfortunately, vulnerable hosts can include any Bluetooth-enabled device, including Android, iOS, Mac OSX, and Windows systems. Additionally, many IoT devices, such as smart watches, fitness trackers, electronics systems, and other Bluetooth-enabled devices may also be vulnerable.
The flaws aren’t in the Bluetooth standard itself, but in Wi-Fi/Bluetooth hardware controller chips, and includes a number of CVEs and advisories, including:
- Linux kernel RCE vulnerability – CVE-2017-1000251
- Linux Bluetooth stack (BlueZ) information Leak vulnerability – CVE-2017-1000250
- Android information Leak vulnerability – CVE-2017-0785
- Android RCE vulnerability #1 – CVE-2017-0781
- Android RCE vulnerability #2 – CVE-2017-0782
- The Bluetooth Pineapple in Android – Logical Flaw CVE-2017-0783
- The Bluetooth Pineapple in Windows – Logical Flaw CVE-2017-8628
- Apple Low Energy Audio Protocol RCE vulnerability – CVE-2017-14315
While there is no evidence that these vulnerabilities are currently being exploited in the wild, some proof-of-concept attacks may exist which have not yet been publicly disclosed. Since this technology has not really been a focus for security researchers, it’s highly likely that we will see an increase in attackers looking to exploit Bluetooth implementations in the future.
The implications of this threat vector are huge. Literally every Bluetooth-capable device could potentially include a number of vulnerabilities that could be exploited by BlueBorne and similar Bluetooth-targeted attacks. Even more challenging, because Bluetooth is not a communications protocol that is monitored and inspected by most network security tools, traditional security devices such as intrusion detection systems will most likely not be able to detect BlueBorne attacks.
In addition to endangering smartphones and PCs, BlueBorne can also compromise the billions of Bluetooth-equipped IoT devices in the world, including smart TVs and entertainment systems, speakers, headphones, smart car devices, and even things like home security systems. And in addition to consumer-based products that rely on Bluetooth communications, this exploit could also affect many commercial-grade IoT devices that connect to the network using Bluetooth technology. Unfortunately, the exact scale and potential for this vulnerability is still largely unknown.
The BlueBorne malware works by scanning for Bluetooth-enabled devices and then probing them to see if they have relevant vulnerabilities. Once a target is identified, the hack takes less than 10 seconds, and targeted devices don’t even need to accept an incoming connection in order to be compromised. Once a device has been compromised, attackers are able run arbitrary commands on the device and even access and potentially steal data. The attack also immediately begins to seek out and spread to other vulnerable Bluetooth-enabled targets.
Even though Bluetooth devices are not usually in the kill-chain of most network security devices, FortiGuard Labs expects that because BlueBorne is a potentially powerful delivery mechanism it is likely to lead to multi-stage attacks where an attacker first exploits one of the Bluetooth vulnerabilities and then infects the compromised device with additional malware, including ransomware, remote exploit kits, or other dangerous files. Fortunately, most of these potential second-stage attacks are likely to be detectable by network and endpoint security devices, especially when they attempt to activate or communicate with a command and control server. While there is no evidence that such attack vectors currently exist in the wild, some security researchers insist that proof-of-concept exploits now exist in labs, or could easily be developed.