“These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date,” Armis said on September 12. “Previously identified flaws found in Bluetooth were primarily at the protocol level. These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device.”
The problem starts with the complexity of Bluetooth itself. The specification stretches across 2,822 pages, which is massive compared to the base Wi-Fi specification (802.11), which consists of only 450 pages. Because of its complexity, Bluetooth does not receive the same scrutinized audits as other less-complicated protocols. That means vulnerabilities get buried as Bluetooth evolves.
Many issues prior to Bluetooth v2.1 were resolved with the introduction of Secure Simple Pairing, thus the security community shifted its attention away from Bluetooth. But a thorough inspection still needed to be performed and Armis says that its discovery of eight vulnerabilities in a recent analysis of Bluetooth could very well be “the tip of the iceberg.”
Overall, the BlueBorne set of vulnerabilities can enable a hacker to take control of a device, access its content, and use it to infect other Bluetooth-enabled devices with malware. Outside the actual vulnerabilities, the root of the issue stems from keeping Bluetooth turned on. A device will listen for Bluetooth traffic even if it is not set to discoverable mode, so all a hacker needs to know is its Bluetooth device address (BDADDR), and its MAC address.
But how do you get this information? By using open-source hardware sold online that can sniff out encrypted Bluetooth connections passing through the air. These packets of information contain plain text data pointing to the Bluetooth device address. Hackers can then use that address to send unicast traffic if they are within physical proximity of the target device: 33 feet for mobile phones and headsets, and 328 feet for laptops and desktops.
“If the device generates no Bluetooth traffic, and is only listening, it is still possible to ‘guess’ the BDADDR, by sniffing its Wi-Fi traffic,” the firm explains. “This is viable since Wi-Fi MAC addresses appear unencrypted over the air, and due to the MACs of internal Bluetooth/Wi-Fi adapters are either the same, or only differ in the last digit.”
But according to Mike Weber of cyber risk management service provider Coalfire, there is no need to panic. There are no known instances of hackers taking advantage of the vulnerabilities. Even more, creating malware to possibly attack a multitude of devices spanning Windows, iOS, and Linux in a single sweep would be extremely difficult. The discovery of the vulnerabilities only points to possibilities, not an actual attack in the wild.
“If you are on a device that is no longer supported, cannot be updated, or has not yet received a patch from a vendor, it is recommended to keep Bluetooth on the device turned off except when necessary,” Weber suggests.
Microsoft produced a patch for Windows on September 12, 2017. Apple nuked the vulnerabilities on its products with the release of iOS 10, but all devices running iOS 9.3.5 and older are still vulnerable. Google patched the issues on Android 6.0 (Marshmallow) and Android 7.0 (Nougat) on August 7, 2017, but if you’re still worried about BlueBorne, Armis Security provides an app on the Google Play Store.
Updated: Now reflects new information provided by Coalfire.