A series of major Bluetooth-related security flaws allows attackers to take over devices, spy on data and networks, spread malware and successfully hack even airgapped targets. Victims don’t need to click on links, download malicious files or even be connected to the internet.
Billions of devices, including smartphones, connected TVs, laptops and watches, are affected. At least 2 billion such Android and Linux devices are deemed “unpatchable” and will remain vulnerable, according to researchers at Armis, the Israeli security firm that discovered the issue in early 2017.
The weakness is being called “BlueBorne” because it impacts nearly all devices with Bluetooth capabilities. Google, Microsoft and Linux are expected to release patches and announcements on Tuesday to address and secure devices against BlueBorne.
For Apple users, the issue has been fixed since iOS 10’s release in September 2016.
BlueBorne comprises eight zero-day vulnerabilities, four of which are deemed critical. Beyond Tuesday’s patches, however, “forever day” issues — vulnerabilities that persist even after discovery and disclosure — are a worry for researchers, who point to Android and Linux IoT devices that are rarely patched.
Exploitation of BlueBorne requires proximity — Bluetooth range typically extends from 10 to 100 meters, depending on whether a device is indoors or outdoors — and for Bluetooth to be enabled on the device. On many devices, like smart TVs, it is enabled by default. On others, like smartphones, it is a setting that is rarely turned off once it has been used.
“This is impressive work by the Armis team,” independent security researcher Kenneth White told CyberScoop. “Chaining vulnerabilities to achieve complete bypass of the ASLR mitigation is no small technical feat.”
Bluetooth, first launched in 1982, has a history of serious security flaws. Many such problems still exist. Experts say that for many professionals in information security, BlueBorne won’t be much of a surprise.
“In terms of real-world risk, it’s difficult to say, but worth emphasizing that for this to work there has to be proximity to a malicious device,” White explained. “For high-sensitivity systems, there is long-standing guidance for federal networks that strongly recommends disabling Bluetooth partly because of the long history of vulnerabilities.”
Researchers outlined one example scenario in which BlueBorne could be used to initiate a widespread infection. One potential infection vector could be a delivery person carrying a Bluetooth-enabled device, like a UPS employee who comes into close contact with businesses, government offices and individuals every day.
“If exploited, the vulnerabilities, which were found in the Android, Linux and Microsoft implementations of Bluetooth, could enable an attacker to take over devices or establish a ‘man-in-the-middle’ attack to gain access to critical data and networks, as well as spread malware to other Bluetooth-enabled devices,” Armis’s researchers explained. “Infections could quickly spread across a network, leaving enterprises open to data leaks and destructive malware (including ransomware) spreading through their systems.”
There have been no reports of BlueBorne in the wild.
Ben Seri, a researcher at Armis, told CyberScoop BlueBorne is “a threat to airgapped networks” because “Bluetooth is something that you may not know is on. Even if you don’t use it, it awaits new connections by default, putting devices at risk.”
Armis provided demo videos of exploitation and also, in an interview with CyberScoop, performed a live takeover of a Google Pixel.
“These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date,” Armis researchers explained. “Previously identified flaws found in Bluetooth were primarily at the protocol level. These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device.”