Story image

Experts comment: Behind the Bluetooth 'BlueBorne' zero-days

14 Sep 17

As news spreads of the Bluetooth zero-day that affects more than 5 billion devices, security experts are warning users to use Bluetooth with caution.

Originally discovered by security firm Armis, the BlueBorne vulnerabilities spread via over-the-air (OTA) attacks via Bluetooth. Attackers can penetrate all Bluetooth-enabled devices, corporate data, airgapped networks and spread malware laterally. They can also conduct man-in-the-middle attacks.

The firm has discovered eight zero-day vulnerabilities, of which four are listed as critical. While there is no mention if they have been used in the wild, the vulnerabilities are fully operational. They affect Android, iOS, Windows and Linux devices.

According to Trend Micro, the vulnerabilities are:

  • CVE-2017-1000251: a remote code execution (RCE) vulnerability in Linux kernel
  • CVE-2017-1000250: an information leak flaw in Linux’s Bluetooth stack (BlueZ)
  • CVE-2017-0785: an information disclosure flaw in Android
  • CVE-2017-0781: an RCE vulnerability in Android
  • CVE-2017-0782: an RCE flaw in Android
  • CVE-2017-0783: an MitM attack vulnerability in Android’s Bluetooth Pineapple
  • CVE-2017-8628: a similar MitM flaw in Windows’ Bluetooth implementation
  • CVE-2017-14315: an RCE vulnerability via Apple’s Low Energy Audio Protocol

According to Armis’ blog, attackers using the BlueBorne vulnerability can strike without any user interaction. The vulnerabilities work with all versions and only needs Bluetooth to be active.

“Unlike the common misconception, Bluetooth enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with. This means a Bluetooth connection can be established without pairing the devices at all. This makes BlueBorne one of the most broad potential attacks found in recent years, and allows an attacker to strike completely undetected,” the blog says.

The company has reached out to Google, Microsoft, Apple, Samsung and Linux about the vulnerabilities. Armis says new solutions are needed to address the new airborne attack vector.

We’ve received comments from Venafi and Webroot about the BlueBorne vulnerabilities:

Venafi’s chief security strategist Kevin Bocek

“BlueBourne is a disturbing new attack on almost every computer, smartphone, and tablet. While the vulnerability itself is concerning, the real threat is most alarming: running applications and connecting to websites to execute more attacks, an issue that can only be addressed if every application, every website has a unique machine identity.”

“Without this – the attacks as demonstrated with BlueBourne – it’s all too easy for hackers to run malicious applications or redirect people to a fake website. BlueBourne shows why it’s so urgent for businesses to ensure that every web, desktop and mobile application has a unique machine identity so that they can maintain constant visibility and control.”

Webroot’s senior director of security architecture David Dufour

“BlueBorne is another example of how simple it is for hackers to quickly scan for, and then exploit, open Bluetooth devices. The learning curve to scan for Bluetooth devices isn’t that much greater than scanning for WIFI access points. To protect devices, users should turn off Bluetooth immediately after they are finished using it. Additionally, users should never connect to Bluetooth with a device that is running an old version of the software.

“For a while, Bluetooth vulnerabilities had died down as the industry responded and fixed known exploits, but this incident may be the tip of the iceberg once again. Just as we’ve seen a resurgence in worms, hackers often come back to repurpose the same exploits. Unfortunately in these cases, many connected devices don’t allow for patch management and become easy targets.”

CERT NZ:

  • In order to protect yourself from this vulnerability, these are the steps that CERT NZ recommends you take immediately to protect your devices.
  • Ensure you've patched all devices. CERT NZ recommends that you apply all security updates to all systems and software.
  • Disable Bluetooth on the device if it isn’t required.
  • If it isn’t possible to disable Bluetooth, check with the vendor or product manufacturer if an update is required and when it will be implemented.
  • Be careful when enabling Bluetooth in public as it has a range of around 10 metres, which could put the device at risk as Bluetooth attacks can be implemented remotely.
HPE promotes 'circular economy' for end-of-use tech
HPE is planning to show businesses worldwide that throwing old tech and assets into landfill is not the best option when it comes to end-of-use disposal.
This could be the future of ridesharing
When you hear the words ‘driverless vehicle technology’, the company Bosch may not immediately spring to mind.
2019 threat landscape predictions - Proofpoint
Proofpoint researchers have looked ahead at the trends and events likely to shape the threat landscape in the year to come.
InternetNZ welcomes Govt's 99.8% broadband coverage plan
The additional coverage will roll out over the next four years as part of the Rural Broadband Initiative phase two/Mobile Black Spots Fund (RBI2/MBSF) programme expansion.
Commerce Commission report shows fibre is hot on the heels of copper
The report shows that as of 30 September 2018 there were 668,850 households and businesses connected to fibre, an increase of 45% from 2017.
Dr Ryan Ko steps down as head of Cybersecurity Researchers of Waikato
Dr Ko is off to Australia to become the University of Queensland’s UQ Cyber Security chair and director.
Businesses in APAC are ahead of the global digital transformation game
“And it’s more about people and culture - about change management - along with investing in the technology.”
HubSpot announces fund for 'customer first' startups
HubSpot is pouring US$30 million (NZ$40 million) into a new fund to support startups that demonstrate ‘customer first’ approach of not only growing bigger, but growing better.