Bluetooth is one of the most widely deployed and used connectivity protocols in the world. Everything from electronic devices to smartphones uses it, as do a growing number of IoT devices. Now, a new Bluetooth exploit, known as BlueBorne, exploits a number of Bluetooth vulnerabilities, making literally billions of devices potentially vulnerable to attack.
BlueBorne is a hybrid Trojan-Worm malware that spreads via Bluetooth. Because it includes worm-like properties, any infected system is also a potential carrier, and will actively search for vulnerable hosts. Unfortunately, vulnerable hosts can include any Bluetooth-enabled device, including Android, iOS, Mac OSX, and Windows systems. Additionally, many IoT devices, such as smart watches, fitness trackers, electronics systems, and other Bluetooth-enabled devices may also be vulnerable.
The flaws aren't in the Bluetooth standard itself, but in Wi-Fi/Bluetooth hardware controller chips, and includes a number of CVEs and advisories, including:
- Linux kernel RCE vulnerability - CVE-2017-1000251
- Linux Bluetooth stack (BlueZ) information Leak vulnerability - CVE-2017-1000250
- Android information Leak vulnerability - CVE-2017-0785
- Android RCE vulnerability #1 - CVE-2017-0781
- Android RCE vulnerability #2 - CVE-2017-0782
- The Bluetooth Pineapple in Android - Logical Flaw CVE-2017-0783
- The Bluetooth Pineapple in Windows - Logical Flaw CVE-2017-8628
- Apple Low Energy Audio Protocol RCE vulnerability - CVE-2017-14315
While there is no evidence that these vulnerabilities are currently being exploited in the wild, some proof-of-concept attacks may exist which have not yet been publicly disclosed. Since this technology has not really been a focus for security researchers, it’s highly likely that we will see an increase in attackers looking to exploit Bluetooth implementations in the future.
The implications of this threat vector are huge. Literally every Bluetooth-capable device could potentially include a number of vulnerabilities that could be exploited by BlueBorne and similar Bluetooth-targeted attacks. Even more challenging, because Bluetooth is not a communications protocol that is monitored and inspected by most network security tools, traditional security devices such as intrusion detection systems will most likely not be able to detect BlueBorne attacks.
In addition to endangering smartphones and PCs, BlueBorne can also compromise the billions of Bluetooth-equipped IoT devices in the world, including smart TVs and entertainment systems, speakers, headphones, smart car devices, and even things like home security systems. And in addition to consumer-based products that rely on Bluetooth communications, this exploit could also affect many commercial-grade IoT devices that connect to the network using Bluetooth technology. Unfortunately, the exact scale and potential for this vulnerability is still largely unknown.
The BlueBorne malware works by scanning for Bluetooth-enabled devices and then probing them to see if they have relevant vulnerabilities. Once a target is identified, the hack takes less than 10 seconds, and targeted devices don't even need to accept an incoming connection in order to be compromised. Once a device has been compromised, attackers are able run arbitrary commands on the device and even access and potentially steal data. The attack also immediately begins to seek out and spread to other vulnerable Bluetooth-enabled targets.
Even though Bluetooth devices are not usually in the kill-chain of most network security devices, FortiGuard Labs expects that because BlueBorne is a potentially powerful delivery mechanism it is likely to lead to multi-stage attacks where an attacker first exploits one of the Bluetooth vulnerabilities and then infects the compromised device with additional malware, including ransomware, remote exploit kits, or other dangerous files. Fortunately, most of these potential second-stage attacks are likely to be detectable by network and endpoint security devices, especially when they attempt to activate or communicate with a command and control server. While there is no evidence that such attack vectors currently exist in the wild, some security researchers insist that proof-of-concept exploits now exist in labs, or could easily be developed.
What Can You Do?
To protect yourself and your Bluetooth-enabled devices, you need to immediately do three things:
- Disable Bluetooth on your devices unless it is absolutely needed. If you turn it on, then turn it off as soon as you are done using it.
- Identify the devices you own or that are attached to your network. Closely monitor those manufacturers for Bluetooth updates.
- Patch systems as soon as updates become available. Apple iOS was patched in 2016 with an iOS 10 release. Microsoft issued a patch for Windows in July. And Google is reportedly now working on distributing a patch.
However, a large number of IoT devices are built on Linux, which hasn't yet issued a BlueBorne patch. But even when they do, many IoT devices don't have a mechanism for distributing or receiving updates. And even for those that do, users are rarely aware of them or ever update their devices.
Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.