Eight zero-day vulnerabilities were recently identified in the Bluetooth stacks of major operating systems; Bluetooth is the short-range wireless communication technology built into most modern devices.
These vulnerabilities affect an estimated 5.3 billion devices running Android, iOS, Windows and Linux, as well as IoT devices.
In a 'BlueBorne' attack exploiting these vulnerabilities, an attacker can take complete control of a Bluetooth-enabled device and spread malware, or mount a man-in-the-middle attack to access the device's data and network traffic, all without any action by the user.
The attacker only needs to be within Bluetooth range of the victim's device, and the attacker's device does not need to be paired with the target at any point.
BlueBorne lends itself to the goals attackers typically pursue: cyber espionage, data theft, ransomware, and the creation of large IoT botnets such as Mirai or mobile botnets such as WireX.
BlueBorne attacks are more dangerous than most network attacks because they spread over the air and can therefore reach secure "air-gapped" networks that are isolated from other networks, including the Internet.
- BlueBorne vulnerabilities

| CVE number | Summary of vulnerability |
|---|---|
| CVE-2017-0781 | Remote code execution in Android's BNEP (Bluetooth Network Encapsulation Protocol, used for tethering) service |
| CVE-2017-0782 | Remote code execution in Android's BNEP PAN (Personal Area Networking) profile, which sets up IP-based network connections between devices |
| CVE-2017-0783 | Man-in-the-middle ("Bluetooth Pineapple") vulnerability in the PAN profile of Android's Bluetooth stack |
| CVE-2017-0785 | Information leak in Android's SDP (Service Discovery Protocol, used to identify the services offered by nearby devices) server |
| CVE-2017-8628 | Spoofing (man-in-the-middle, "Bluetooth Pineapple") vulnerability in the Windows Bluetooth driver |
| CVE-2017-1000250 | Information leak in the SDP server of the Linux Bluetooth stack (BlueZ) |
| CVE-2017-1000251 | Remote code execution (stack overflow) in the Linux kernel's L2CAP implementation |
| CVE-2017-14315 | Remote code execution in Apple's Low Energy Audio Protocol (LEAP) |
(1) Vulnerabilities of Android
Information leakage vulnerability (CVE-2017-0785)
The first Android vulnerability leaks information that helps an attacker exploit one of the remote code execution vulnerabilities described below.
The flaw lies in the SDP (Service Discovery Protocol) server, which lets a device identify the Bluetooth services offered by other devices in the vicinity. An attacker can send a series of crafted requests to the server and cause it to return pieces of its memory in the responses. That information can then be used to defeat the device's security measures (such as address-space layout randomization) and take control of it, and the same leak can expose the encryption keys of the target's Bluetooth communications, allowing them to be eavesdropped on.
Remote code execution vulnerability (CVE-2017-0781)
This vulnerability lies in the Bluetooth Network Encapsulation Protocol (BNEP) service, which is used to share an Internet connection over a Bluetooth link (tethering). A flaw in the BNEP service lets an attacker trigger memory corruption, which can readily be leveraged to execute code on the device and take full control of it. Because the service lacks proper authorization checks, the vulnerability can be triggered without user interaction, authentication, or pairing, so the user is unaware that an attack is taking place.
Remote code execution vulnerability #2 (CVE-2017-0782)
This vulnerability resembles the previous one but resides at a higher level of the BNEP service, in the PAN (Personal Area Networking) profile, which establishes an IP-based network connection between two devices. Here the memory corruption is larger, but it can still be leveraged by an attacker to gain full control of the device. As with the previous vulnerability, it can be triggered without user interaction, authentication, or pairing.
Bluetooth Pineapple – man-in-the-middle attack (CVE-2017-0783)
A man-in-the-middle (MITM) attack lets an intruder intercept and tamper with all traffic to and from a device. Over Wi-Fi, mounting a MITM attack requires special equipment and a connection request from the target device to an open Wi-Fi network; over Bluetooth, the attacker can actively engage the target from any device with Bluetooth capability. The vulnerability lies in the PAN profile of the Bluetooth stack: an attacker can create a malicious network interface on the target device, reconfigure its IP routing, and force the device to send all of its communications through that interface. Since the attack requires no user interaction, authentication, or pairing, it is practically invisible.
(2) Vulnerabilities of Windows
Bluetooth Pineapple #2 – man-in-the-middle attack (CVE-2017-8628)
This vulnerability is identical to the one found in Android; both systems are affected because they follow the same principles in implementing parts of the Bluetooth protocol. It lies in the Bluetooth stack and allows an attacker to create a malicious network interface on the target device, reconfigure its IP routing, and force all of the device's communication through that interface. Since the attack requires no user interaction, authentication, or pairing, it is practically invisible.
(3) Vulnerabilities of Linux
All Linux devices running BlueZ are affected by the information leak vulnerability (CVE-2017-1000250). All Linux devices running kernel versions from 2.6.32 (released in 2009) up to and including 4.13.1 are affected by the remote code execution vulnerability (CVE-2017-1000251); the fix shipped in 4.13.2.
Information leakage vulnerability (CVE-2017-1000250)
As with the Android information leak, this vulnerability lies in the SDP server, which identifies the Bluetooth services offered by nearby devices. By sending a series of crafted requests to the server, an intruder can cause it to return fragments of its memory in the responses, exposing sensitive data held by the Bluetooth process, potentially including the encryption keys used for Bluetooth communication.
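The Android leak (CVE-2017-0785) and this BlueZ leak (CVE-2017-1000250) are two instances of one bug class: an SDP response that does not fit in a single PDU is delivered in pieces, and the client asks for the next piece by echoing a "continuation state" that carries an offset into the server's pending response. If the server uses that offset without checking it against the state it issued and the length of the response it actually holds, the reply is filled from whatever memory follows the response buffer. The C program below is an added model of that class written for this page, not code from the Android or BlueZ SDP servers (whose continuation handling differs in detail): the buffer sizes, the MTU, the `sdp_conn` layout and the "link key" placed right after the response buffer are constructed assumptions, chosen so that the out-of-bounds read stays inside one object and can be demonstrated safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SDP_RSP_MAX 64   /* pending-response buffer size (hypothetical) */
#define SDP_MTU     16   /* response bytes carried per PDU (hypothetical) */

/* Per-connection server state. link_key is a constructed stand-in for
 * whatever sensitive data happens to follow the response buffer in the
 * real Bluetooth process. */
struct sdp_conn {
    uint8_t  rsp[SDP_RSP_MAX];  /* pending response, sent in MTU-sized pieces */
    uint8_t  link_key[16];      /* constructed sensitive data right after it */
    uint16_t rsp_len;           /* number of valid bytes in rsp[] */
    uint16_t next_offset;       /* continuation offset the server last issued */
};

/* Weak handler: the offset echoed by the client is trusted and only the
 * MTU bounds the copy, so a request can read past the real response. */
int sdp_cont_weak(const struct sdp_conn *c, uint16_t cont_offset,
                  uint8_t *out, size_t out_len)
{
    const uint8_t *base = (const uint8_t *)c;   /* byte view of the object */
    size_t n = out_len < SDP_MTU ? out_len : SDP_MTU;

    if ((size_t)cont_offset + n > sizeof *c)    /* keeps the model in bounds */
        return -1;
    /* BUG: no comparison against c->rsp_len or c->next_offset. */
    memcpy(out, base + offsetof(struct sdp_conn, rsp) + cont_offset, n);
    return (int)n;
}

/* Hardened handler: the continuation state must be the one the server
 * issued and lie inside the pending response, and the copy is bounded by
 * the bytes that actually remain. */
int sdp_cont_hardened(struct sdp_conn *c, uint16_t cont_offset,
                      uint8_t *out, size_t out_len)
{
    size_t remaining, n;

    if (cont_offset != c->next_offset || cont_offset > c->rsp_len)
        return -1;                               /* unexpected state: reject */
    remaining = c->rsp_len - cont_offset;
    n = remaining < SDP_MTU ? remaining : SDP_MTU;
    if (n > out_len)
        n = out_len;
    memcpy(out, c->rsp + cont_offset, n);
    c->next_offset = (uint16_t)(cont_offset + n); /* advance server-side state */
    return (int)n;
}

/* Constructed scenario: a 20-byte response of which the first 16 bytes
 * were already delivered, and a 16-byte key placed right after the buffer. */
static void setup(struct sdp_conn *c)
{
    memset(c, 0, sizeof *c);
    for (int i = 0; i < 20; i++)
        c->rsp[i] = (uint8_t)i;
    c->rsp_len = 20;
    c->next_offset = 16;
    for (int i = 0; i < 16; i++)
        c->link_key[i] = (uint8_t)(0xa0 + i);
}

/* Bytes returned for a continuation request at `off` (-1 if rejected). */
int cont_rc(uint16_t off, int hardened)
{
    struct sdp_conn c;
    uint8_t out[SDP_MTU];

    setup(&c);
    return hardened ? sdp_cont_hardened(&c, off, out, sizeof out)
                    : sdp_cont_weak(&c, off, out, sizeof out);
}

/* 1 if a continuation request at `off` hands the whole link key to the client. */
int leaks_link_key(uint16_t off, int hardened)
{
    struct sdp_conn c;
    uint8_t out[SDP_MTU];
    int n;

    setup(&c);
    memset(out, 0, sizeof out);
    n = hardened ? sdp_cont_hardened(&c, off, out, sizeof out)
                 : sdp_cont_weak(&c, off, out, sizeof out);
    return n == SDP_MTU && memcmp(out, c.link_key, SDP_MTU) == 0;
}

int main(void)
{
    printf("legitimate continuation: weak %d bytes, hardened %d bytes\n",
           cont_rc(16, 0), cont_rc(16, 1));
    printf("offset past response: weak leaks key %d, hardened leaks key %d\n",
           leaks_link_key(SDP_RSP_MAX, 0), leaks_link_key(SDP_RSP_MAX, 1));
    return 0;
}
```

The weak handler also over-reads on a perfectly legitimate continuation: at the offset the server really issued it still copies a full MTU although only four response bytes remain, so twelve bytes of the neighbouring key go out with them. The hardened handler checks the echoed state against its own record, bounds the copy by the remaining length, and advances the state only after a successful send.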
Stack overflow in BlueZ (CVE-2017-1000251)
This vulnerability was found in the Bluetooth stack of the Linux kernel, the core of the operating system. The memory corruption stems from a flaw in the kernel's handling of L2CAP (Logical Link Control and Adaptation Protocol), the layer that manages the logical channels between two connected Bluetooth devices: while processing a configuration response from the peer, the kernel copied the configuration options it received into a fixed-size buffer on the kernel stack without checking their total length. Because it occurs in kernel space, this memory corruption allows the attacker to take complete control of the device.
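As an added illustration of that defect class (written for this page; it is a model, not the kernel's net/bluetooth/l2cap_core.c), the C program below walks the type-length-value options of a received configuration response and re-emits them into a fixed 64-byte request buffer, the shape of the code in which CVE-2017-1000251 lived. The weak appender never learns how much room remains, so a response carrying enough options writes past the buffer; the hardened appender takes the remaining size and refuses an option that does not fit, which is the shape of the upstream fix. The option layout follows L2CAP (type byte with a hint bit, length byte, value), while the buffer and canary sizes, the `frame` struct and the choice to re-emit every option are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define L2CAP_CONF_OPT_SIZE 2    /* option header: type + length */
#define L2CAP_CONF_REQ_SIZE 64   /* fixed request buffer, as in the kernel */
#define CANARY_SIZE         32   /* stand-in for what follows it on the stack */

/* Pre-fix shape: append an option without knowing how much room is left. */
static void add_conf_opt_weak(uint8_t **ptr, uint8_t type, uint8_t len,
                              const uint8_t *val)
{
    (*ptr)[0] = type;
    (*ptr)[1] = len;
    memcpy(*ptr + L2CAP_CONF_OPT_SIZE, val, len);
    *ptr += L2CAP_CONF_OPT_SIZE + len;
}

/* Post-fix shape: the caller passes the remaining room and an option that
 * would not fit is refused instead of being written past the end. */
static int add_conf_opt(uint8_t **ptr, uint8_t type, uint8_t len,
                        const uint8_t *val, size_t size)
{
    if (size < L2CAP_CONF_OPT_SIZE + (size_t)len)
        return -1;
    add_conf_opt_weak(ptr, type, len, val);   /* same write, now known to fit */
    return 0;
}

/* Walk the TLV options of a received CONFIG_RSP and re-emit each into req[]
 * (the kernel re-adds the MTU/FLUSH_TO/RFC/... options it recognises; this
 * model re-adds every option). Returns bytes written, -1 for an option that
 * runs past the PDU, -2 when the hardened path runs out of room. */
int l2cap_parse_conf_rsp_model(const uint8_t *rsp, size_t len,
                               uint8_t *req, size_t req_size, int hardened)
{
    uint8_t *ptr = req, *end = req + req_size;
    size_t i = 0;

    while (i + L2CAP_CONF_OPT_SIZE <= len) {
        uint8_t type = rsp[i] & 0x7f;           /* top bit is the "hint" flag */
        uint8_t olen = rsp[i + 1];
        const uint8_t *val = rsp + i + L2CAP_CONF_OPT_SIZE;

        if (i + L2CAP_CONF_OPT_SIZE + olen > len)
            return -1;
        if (!hardened)
            add_conf_opt_weak(&ptr, type, olen, val);
        else if (add_conf_opt(&ptr, type, olen, val, (size_t)(end - ptr)) < 0)
            return -2;
        i += L2CAP_CONF_OPT_SIZE + olen;
    }
    return (int)(ptr - req);
}

/* Constructed stack frame: the request buffer followed by a canary. The
 * whole struct is handed to the parser as one byte array, so the weak
 * path's overflow lands in canary[] rather than in real stack data. */
struct frame {
    uint8_t req[L2CAP_CONF_REQ_SIZE];
    uint8_t canary[CANARY_SIZE];
};

struct result {
    int rc;         /* parser return value */
    int canary_ok;  /* 1 if canary[] was untouched */
};

/* Feed a CONFIG_RSP carrying n copies of an MTU option (type 1, length 2,
 * value 672) through the chosen path; n is capped so that the weak
 * overflow stays inside canary[]. */
struct result run_case(size_t n, int hardened)
{
    struct frame f;
    uint8_t rsp[4 * 24];
    struct result r = { 0, 1 };

    if (n > 24)
        n = 24;
    for (size_t k = 0; k < n; k++) {
        rsp[4 * k] = 0x01;
        rsp[4 * k + 1] = 2;
        rsp[4 * k + 2] = 0xa0;   /* 0x02a0 = 672, little-endian */
        rsp[4 * k + 3] = 0x02;
    }
    memset(&f, 0, sizeof f);
    memset(f.canary, 0xcc, sizeof f.canary);
    r.rc = l2cap_parse_conf_rsp_model(rsp, 4 * n, (uint8_t *)&f,
                                      sizeof f.req, hardened);
    for (size_t k = 0; k < CANARY_SIZE; k++)
        if (f.canary[k] != 0xcc)
            r.canary_ok = 0;
    return r;
}

/* Result for a PDU whose last option claims more bytes than remain. */
int truncated_option_rc(void)
{
    const uint8_t bad[] = { 0x01, 0x02, 0xa0, 0x02, 0x04, 0x09, 0x00 };
    uint8_t req[L2CAP_CONF_REQ_SIZE];
    return l2cap_parse_conf_rsp_model(bad, sizeof bad, req, sizeof req, 1);
}

int main(void)
{
    struct result a = run_case(10, 1), b = run_case(20, 1), c = run_case(20, 0);
    printf("10 options, hardened: rc=%d canary=%d\n", a.rc, a.canary_ok);
    printf("20 options, hardened: rc=%d canary=%d\n", b.rc, b.canary_ok);
    printf("20 options, weak:     rc=%d canary=%d\n", c.rc, c.canary_ok);
    printf("truncated option:     rc=%d\n", truncated_option_rc());
    return 0;
}
```

Sixteen 4-byte options exactly fill the 64-byte buffer; the seventeenth is where the two paths diverge. The weak path keeps writing and clobbers the canary, which on a real kernel stack is saved registers and the return address, while the hardened path reports that it ran out of room and leaves everything past the buffer untouched. Note that the hardened path validates two independent things: that each option lies within the received PDU (input side) and that it fits in the output buffer (output side); the original defect was on the output side only.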
(4) Vulnerabilities of iOS
This vulnerability poses a significant risk to all iOS devices running versions earlier than iOS 10, since it requires neither user interaction nor any particular configuration of the target device. An attacker could exploit it to execute code remotely in a highly privileged context (the Bluetooth process).
Remote code execution via Apple’s low energy audio protocol (CVE-2017-14315)
This vulnerability was found in Apple's Low Energy Audio Protocol (LEAP), a newer protocol that runs over Bluetooth Low Energy. LEAP was designed to stream audio to nearby low-energy audio peripherals (for example, a low-energy headset or the Siri Remote), and only Bluetooth Low Energy devices can stream audio and send audio commands through it. Because of a flaw in the LEAP implementation, a large audio command sent to the target device causes memory corruption; since audio commands received over LEAP are not properly validated, an attacker can use this memory corruption to take complete control of the device.
Recommendations for Bluetooth use:
– Disable Bluetooth unless it is absolutely necessary, and turn it off immediately after use.
– Inventory the Bluetooth-capable devices you own or that are connected to your network, identify each device's manufacturer, and check for Bluetooth firmware or software updates.
– Apply system patches as soon as updates become available.