Billions of Bluetooth devices vulnerable to MITM attacks; no user action

Billions of Bluetooth devices, including those running on Android, iOS, Linux, and Windows, contain major vulnerabilities that can allow malicious actors to remotely execute code, take over devices, and perform man-in-the-middle (MitM) attacks, researchers have reported.

What's more, attackers do not need to trick users into performing an action to compromise or infect them, nor does a target device's Bluetooth have to be paired with an attacking device or even be in Discovery Mode. The device simply has to have its Bluetooth feature turned on, which for most products is the default setting.

Even worse, compromised devices can then be further leveraged to attack additional nearby systems over the air, including any segregated or air-gapped devices that happen to be Bluetooth-enabled. "Basically, it's an airborne delivery method or attack vector that could be very easily abused," said Nadir Izrael, CTO and co-founder of Armis, in an interview with SC Media.

Dubbed BlueBorne, the collection of vulnerabilities – eight in total, three of which are critical – was discovered by researchers from Internet of Things security company Armis. The flaws potentially impact at least 5.3 billion Bluetooth-enabled devices, including computers, smartphones, and IoT devices such as watches, smart TVs, and some automobile systems.

“These silent attacks are invisible to traditional security controls and procedures. Companies don't monitor these types of device-to-device connections in their environment, so they can't see these attacks or stop them,” said Yevgeny Dibrov, CEO of Armis, in a company press release. “The research illustrates the types of threats facing us in this new connected age.”

Because phones compromised via BlueBorne bugs can quickly infect nearby devices over the air, attacks can spread like wildfire, creating potentially unprecedented scenarios. Michael Parker, VP of marketing at Armis, used the WannaCry ransomware attack as an example. "You had WannaCry. Now imagine WannaCry 'Blue,'" said Parker to SC Media. "It is ransomware that is spread through Bluetooth...It can spread from device to device, unnoticed by current security measures, locking down smartphones, desktops, laptops, and it can't be stopped by traditional methods." Or, the attacker could stay under the radar, perhaps delivering botnet malware that "just lays and waits to be activated" at just the right moment.

Between April and August 2017, Armis researchers contacted Apple, Google, Linux, and Microsoft Corporation to disclose the various BlueBorne vulnerabilities. In response, Google has developed a patch for Android 6 and 7 devices, and has notified its manufacturing partners of the update. Microsoft similarly has issued a patch for devices running on all supported Windows versions. Windows Phones, however, are not impacted by the vulnerabilities.

The Linux kernel security team has confirmed that it will release a patch as well, but there is no confirmation on when this will happen.

And Apple is ahead of the game, as the specific BlueBorne vulnerability that Armis researchers discovered in iOS was actually fixed with the distribution of version 10 of the mobile operating system. However, any devices running on iOS versions 9.3.5 and earlier, as well as AppleTV devices using version 7.2.2 or lower, remain vulnerable.

Armis lists the eight vulnerabilities as follows:

  • Android information leak vulnerability – CVE-2017-0785
  • Android RCE vulnerability #1 – CVE-2017-0781
  • Android RCE vulnerability #2 – CVE-2017-0782
  • The Bluetooth Pineapple in Android – Logical Flaw CVE-2017-0783
  • Linux kernel RCE vulnerability – CVE-2017-1000251
  • Linux Bluetooth stack (BlueZ) information Leak vulnerability – CVE-2017-1000250
  • The Bluetooth Pineapple in Windows – Logical Flaw CVE-2017-8628
  • Apple Low Energy Audio Protocol RCE vulnerability (no designated CVE number yet)

The Android information leak bug is located in the Service Discovery Protocol (SDP) server, which enables a device to identify other Bluetooth services in its vicinity. According to an Armis blog post published today, the flaw "enables the attacker to send a set of crafted requests to the server, causing it to disclose memory bits in response." This data can then be leveraged to defeat a device's security measures, exploit RCE vulnerabilities, take over the device, and break Bluetooth encryption in order to eavesdrop on communications.

The two Android RCE flaws reside, respectively, in the Bluetooth Network Encapsulation Protocol (BNEP) service (which enables tethering) and the Personal Area Networking (PAN) profile, which exists within BNEP. In both cases, attackers can exploit these errors to create a memory corruption that allows them to run code on the device.

The Android Bluetooth Pineapple vulnerability also exists within the PAN profile, and allows attackers to intercept traffic between Bluetooth devices as well as impersonate a legitimate Bluetooth device with which a victim is attempting to communicate. This is possible, the Armis blog post explains, because the vulnerability allows bad actors "to create a malicious network interface on the victim's device, re-configure IP routing and force the device to transmit all communication through the malicious network interface." 

A second, similar vulnerability in the Bluetooth stack, referred to as the Bluetooth Pineapple in Windows, affects both Android and Windows devices. The Pineapple flaws are so named because, when exploited, the impacted devices essentially behave like a Wi-Fi Pineapple wireless penetration testing tool that's conducting a man-in-the-middle attack. But unlike a Wi-Fi-based MITM scenario, this attack does not require any special equipment or a connection request from the targeted device to pull off.
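As an added illustration (not code from Armis or from this article), here is a small Linux host check for the effect the two Pineapple bugs produce: a Bluetooth PAN network interface appears and takes over the device's default route. It parses the output of `ip -o link show` and `ip route show` (constructed sample output is embedded so it runs offline) and assumes the PAN interface follows the usual Linux `bnep0` naming; on a real host, feed it the live output of those two commands.

```python
from __future__ import annotations
import re

# Constructed sample output in the format of `ip -o link show` and `ip route show`:
# a BNEP (Bluetooth PAN) interface has appeared and now owns the preferred default route.
SAMPLE_LINKS = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
5: bnep0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN
"""
SAMPLE_ROUTES = """\
default via 192.168.44.1 dev bnep0 proto dhcp metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
192.168.44.0/24 dev bnep0 proto kernel scope link src 192.168.44.7
"""

LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)")
DEFAULT_RE = re.compile(r"^default\s+via\s+(\S+)\s+dev\s+(\S+)(?:.*\bmetric\s+(\d+))?")

def bnep_interfaces(link_output: str) -> list[str]:
    """Interface names that look like Bluetooth PAN/BNEP links (bnep0, bnep1, ...)."""
    names = [m.group(1) for m in map(LINK_RE.match, link_output.splitlines()) if m]
    return [n for n in names if n.startswith("bnep")]

def preferred_default_route(route_output: str) -> tuple[str, str] | None:
    """(gateway, device) of the lowest-metric default route, or None if there is none."""
    best = None
    for line in route_output.splitlines():
        m = DEFAULT_RE.match(line)
        if not m:
            continue
        metric = int(m.group(3)) if m.group(3) else 0  # a missing metric counts as 0
        if best is None or metric < best[0]:
            best = (metric, m.group(1), m.group(2))
    return (best[1], best[2]) if best else None

def pineapple_findings(link_output: str, route_output: str) -> list[str]:
    """Indicators of the Pineapple pattern: a BNEP interface that was not expected,
    and, worse, that interface owning the preferred default route."""
    bneps = bnep_interfaces(link_output)
    findings = [f"BNEP interface present: {name}" for name in bneps]
    default = preferred_default_route(route_output)
    if default and default[1] in bneps:
        findings.append(f"default route via {default[0]} goes through {default[1]}")
    return findings

if __name__ == "__main__":
    for finding in pineapple_findings(SAMPLE_LINKS, SAMPLE_ROUTES):
        print("ALERT:", finding)
```

A host that legitimately tethers over Bluetooth PAN will also show a bnep interface, so treat the first finding as a prompt to confirm the pairing was intended and the second as the actual MITM indicator.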

The first of two BlueBorne vulnerabilities found in Linux devices consists of an information leak vulnerability – similar to the Android data leak bug – in the user space process of the Bluetooth stack. "When the process receives a response which is too long, it stores the excess part without proper validation. This can be used by an attacker to anticipate the process' activity and expose sensitive data it withholds," the Armis blog post explains.

The second Linux flaw is a stack overflow within the BlueZ kernel that causes a memory corruption that attackers can exploit to gain full control of the affected device.

Finally, the Apple vulnerability that was patched with iOS 10 was an RCE bug in the Low Energy Audio Protocol (LEAP), a new protocol for streaming audio to certain peripheral devices. The flaw allows attackers to gain control of a device via a memory corruption that's triggered by a crafted audio command.

Armis researchers Ben Seri and Gregory Vishnepolsky are specifically credited with discovering the BlueBorne bugs.