Warning over ‘BlueBorne’ Bluetooth attack vector

Armis warns of danger posed by vulnerable Bluetooth implementations

Comments

Security firm Armis has issued a warning over the potential of Bluetooth-based attacks using a new vector it has dubbed ‘BlueBorne’.

The company said that almost 5.3 billion devices running Windows, iOS, Android and other Linux-based operating systems are at risk.

The attack is based on exploiting vulnerabilities in Bluetooth implementations, with Armis warning that because it can spread locally from device to device even air-gapped networks are vulnerable.

There is no need for a target device to be paired, Armis said. The attack could be used to take control of a device and potentially use it to spread ransomware and other kinds of malware or recruit it to be part of a botnet.

“BlueBorne concerns us because of the medium by which it operates,” the Armis Labs briefing on BlueBorne states.

“Unlike the majority of attacks today, which rely on the internet, a BlueBorne attack spreads through the air. This works similarly to the two less extensive vulnerabilities discovered recently in a Broadcom Wi-Fi chip by Project Zero and Exodus. The vulnerabilities found in Wi-Fi chips affect only the peripherals of the device, and require another step to take control of the device.”

“With BlueBorne, attackers can gain full control right from the start,” Armis warned. “Moreover, Bluetooth offers a wider attacker surface than WiFi, almost entirely unexplored by the research community and hence contains far more vulnerabilities.”

Armis has identified eight vulnerabilities that could be employed for a BlueBorne attack: One Linux kernel RCE vulnerability, a Linux Bluetooth stack vulnerability; four Android vulnerabilities; a vulnerability affecting all versions of Windows since Vista (patched this week by Microsoft); and a vulnerability in iOS versions prior to 10. Google has released a security update patch for Android.

The complexity of Bluetooth has “kept researchers from auditing its implementations at the same level of scrutiny that other highly exposed protocols, and outwards-facing interfaces have been treated with,” an Armis technical whitepaper (PDF) states.