by Axelle Apvrille  |  Sep 19, 2017  |  Filed in: Security Research

(BlueBorne background: read our previous post from Aamir Lakhani here)

I have watched the BlueBorne demos and read the technical paper - it was tough! I am amazed at how the researchers managed to exploit several vulnerabilities to turn them into a PoC attack. My comments below.

BlueBorne does not "spread" (as such)

BlueBorne affects devices that support Bluetooth, but the PoC they demoed does not spread over Bluetooth: it takes control of a single Bluetooth victim. Apparently, the researchers said they locally created a botnet. But that was clearly a local inside test, and we have no details regarding the botnet's payload.

Do you remember SymbOS/Cabir (2004)?

We've already had Bluetooth worms. The first case was Cabir, a Bluetooth worm PoC affecting Symbian OS phones. Then there was CommWarrior in 2005, and BeSeLo in 2008, which spread over Bluetooth and MMS.

The Bluetooth worm did not spread well in 2004-2008, but it may be different now

CommWarrior spread quite massively, with well over 100,000 infections, which was particularly high for those times. However, the truth is that the worm spread via MMS rather than via Bluetooth.

At that time, there were two limitations to propagation via Bluetooth:

  1. Short range. Bluetooth's range typically does not exceed 10 meters. You cannot infect another device beyond that range.

  2. Few Bluetooth devices. In 2005, there weren't that many smartphones supporting Bluetooth, and far fewer IoT devices.

Although the first point still stands today, the second no longer does. There are undoubtedly far more Bluetooth devices.

Yet, now that Bluetooth Low Energy (BLE) is being adopted more and more, especially for IoT, where power consumption matters a lot, I doubt a Bluetooth worm would ever reach the propagation rates of malware such as WannaCry (see Fortiguard's Threat Report Q2: WannaCry 25 million hits per day). As a reminder, despite the similar names, BLE is different from Bluetooth and is not affected by BlueBorne.

What does the BlueBorne app do?

The researchers published an Android app to test the vulnerability of your smartphone. It also features a mode where you can scan nearby devices to assess their risk level.

I have analyzed the app and confirm it is not malicious. Good :) I ran it in our lab. See the screenshot below. Note how many devices it picked up! But most of those green dots are BLE devices.

BlueBorne app picked up my BLE smart glasses (not affected) ;)

The vulnerability test is a bit disappointing though: if I am correct, it only tests that the latest security patch date is after Aug 1, 2017 (which is probably the date a patch was released for this).

    public static boolean isVulnerable() {
        boolean vulnerable = false;
        // Only evaluated on Android 4.2 (API 17) and newer; older devices fall
        // through and are reported as not vulnerable
        if (Build.VERSION.SDK_INT >= 17) {
            // Reads the system property "ro.build.version.security_patch"
            Date patchdate = VulnerabilityUtils.getSecurityPatchDate();

            // SAFE_DATE is: new GregorianCalendar(2017, 8, 1).getTime();
            // (java.util.Calendar months are 0-based, so index 8 is September)
            if (patchdate != null && !patchdate.before(VulnerabilityUtils.SAFE_DATE)) {
                return vulnerable;   // patch level on or after SAFE_DATE: not vulnerable
            }

            vulnerable = true;       // property absent, or patch level older than SAFE_DATE
        }

        return vulnerable;
    }

I would have expected the app to test to see if Bluetooth was enabled, and perhaps even test for an exact vulnerability to some issues. The app does test for Bluetooth availability but only in the nearby scanning mode, not when you check your own device. Strange.
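To make the decision logic of the decompiled snippet explicit, here is a Python re-implementation added for this post (it is not the app's own code): it mirrors the patch-date check, including its edge cases (missing property, patch level exactly on the cutoff, API below 17), and then adds the radio-state check the paragraph above asks for. The patch-level strings and Bluetooth states below are constructed sample values, not real device captures.

```python
from datetime import date, datetime

# Java GregorianCalendar months are 0-based, so the app's
# new GregorianCalendar(2017, 8, 1) resolves to 1 September 2017.
SAFE_DATE = date(2017, 9, 1)
MIN_SDK = 17  # the app only evaluates the patch date on API 17+


def parse_patch_level(prop):
    """Parse ro.build.version.security_patch ("YYYY-MM-DD"); None if absent or garbled."""
    if not prop:
        return None
    try:
        return datetime.strptime(prop.strip(), "%Y-%m-%d").date()
    except ValueError:
        return None


def app_verdict(sdk_int, security_patch):
    """Mirror the decompiled isVulnerable(): True means 'reported vulnerable'."""
    if sdk_int < MIN_SDK:
        return False          # quirk: devices below API 17 are never flagged
    patch = parse_patch_level(security_patch)
    if patch is not None and patch >= SAFE_DATE:   # !patchdate.before(SAFE_DATE)
        return False
    return True               # property absent or older than the cutoff


def exposure_verdict(sdk_int, security_patch, bluetooth_enabled):
    """The check the post expects: the patch date alone says nothing about
    whether the radio is reachable. Returns 'patched', 'unpatched-radio-off'
    or 'exposed'."""
    if not app_verdict(sdk_int, security_patch):
        return "patched"
    return "exposed" if bluetooth_enabled else "unpatched-radio-off"


# Constructed sample inputs: (SDK_INT, security_patch property, Bluetooth on?)
SAMPLES = [
    (25, "2017-09-05", True),   # patched device, radio on
    (25, "2017-09-01", True),   # exactly the cutoff: not before -> safe
    (24, "2017-07-05", False),  # older patch level, radio off
    (24, "2017-07-05", True),   # older patch level, radio on
    (22, "", True),             # property absent on this build -> flagged
    (16, "", True),             # below MIN_SDK -> never flagged
]

if __name__ == "__main__":
    for sdk, patch, bt in SAMPLES:
        print(sdk, patch or "<unset>", bt, "->", exposure_verdict(sdk, patch, bt))
```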

-- the Crypto Girl
