Experts comment: Behind the Bluetooth 'BlueBorne' zero-days

14 Sep 2017

As news spreads of the Bluetooth zero-day that affects more than 5 billion devices, security experts are warning users to use Bluetooth with caution.

Originally discovered by security firm Armis, the BlueBorne vulnerabilities spread through over-the-air (OTA) attacks via Bluetooth. Attackers can penetrate all Bluetooth-enabled devices, corporate data and air-gapped networks, and spread malware laterally. They can also conduct man-in-the-middle attacks.

The firm has discovered eight zero-day vulnerabilities, of which four are listed as critical. While there is no mention of whether they have been used in the wild, the vulnerabilities are fully operational. They affect Android, iOS, Windows and Linux devices.

According to Trend Micro, the vulnerabilities are:

  • CVE-2017-1000251: a remote code execution (RCE) vulnerability in the Linux kernel
  • CVE-2017-1000250: an information leak flaw in Linux’s Bluetooth stack (BlueZ)
  • CVE-2017-0785: an information disclosure flaw in Android
  • CVE-2017-0781: an RCE vulnerability in Android
  • CVE-2017-0782: an RCE flaw in Android
  • CVE-2017-0783: an MitM attack vulnerability in Android’s Bluetooth Pineapple
  • CVE-2017-8628: a similar MitM flaw in Windows’ Bluetooth implementation
  • CVE-2017-14315: an RCE vulnerability via Apple’s Low Energy Audio Protocol

According to Armis’ blog, attackers using the BlueBorne vulnerabilities can strike without any user interaction. The vulnerabilities work with all versions and only need Bluetooth to be active.

“Unlike the common misconception, Bluetooth enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with. This means a Bluetooth connection can be established without pairing the devices at all. This makes BlueBorne one of the most broad potential attacks found in recent years, and allows an attacker to strike completely undetected,” the blog says.

The company has reached out to Google, Microsoft, Apple, Samsung and Linux about the vulnerabilities. Armis says new solutions are needed to address the new airborne attack vector.

We’ve received comments from Venafi and Webroot about the BlueBorne vulnerabilities:

Venafi’s chief security strategist Kevin Bocek

“BlueBorne is a disturbing new attack on almost every computer, smartphone, and tablet. While the vulnerability itself is concerning, the real threat is most alarming: running applications and connecting to websites to execute more attacks, an issue that can only be addressed if every application, every website has a unique machine identity.”

“Without this – the attacks as demonstrated with BlueBorne – it’s all too easy for hackers to run malicious applications or redirect people to a fake website. BlueBorne shows why it’s so urgent for businesses to ensure that every web, desktop and mobile application has a unique machine identity so that they can maintain constant visibility and control.”

Webroot’s senior director of security architecture David Dufour

“BlueBorne is another example of how simple it is for hackers to quickly scan for, and then exploit, open Bluetooth devices. The learning curve to scan for Bluetooth devices isn’t that much greater than scanning for Wi-Fi access points. To protect devices, users should turn off Bluetooth immediately after they are finished using it. Additionally, users should never connect to Bluetooth with a device that is running an old version of the software.

“For a while, Bluetooth vulnerabilities had died down as the industry responded and fixed known exploits, but this incident may be the tip of the iceberg once again. Just as we’ve seen a resurgence in worms, hackers often come back to repurpose the same exploits. Unfortunately in these cases, many connected devices don’t allow for patch management and become easy targets.”

CERT NZ:

To protect your devices from this vulnerability, CERT NZ recommends you take these steps immediately:

  • Ensure you've patched all devices. CERT NZ recommends that you apply all security updates to all systems and software.
  • Disable Bluetooth on the device if it isn’t required.
  • If it isn’t possible to disable Bluetooth, check with the vendor or product manufacturer if an update is required and when it will be implemented.
  • Be careful when enabling Bluetooth in public as it has a range of around 10 metres, which could put the device at risk as Bluetooth attacks can be implemented remotely.