Researchers have discovered a new attack vector they’ve named “BlueBorne” that enables bad actors to compromise nearly every connected device via Bluetooth.
Discovered by Armis Labs, this new threat applies to mobile phones, computers, and IoT devices. To leverage it, an attacker begins by scanning for active Bluetooth connections within 32 feet. They then choose a device (even if it’s not in “discoverable” mode) and obtain its MAC address, an identifier which they can use to probe the device and determine its operating system. With that knowledge, the bad actor can craft an exploit for one of eight zero-day vulnerabilities affecting the implementation of the Bluetooth protocol to take full control of the device… all within a mere 10 seconds!
Here’s a demonstration video of how someone could leverage BlueBorne to compromise an Android phone.
Once a nefarious individual has successfully taken over a device using BlueBorne, they can do lots of things. They could choose to create a man-in-the-middle attack, for instance, and thereby intercept the device’s communication. Alternatively, they could enlist a compromised IoT device into a Mirai-based botnet in order to conduct distributed denial-of-service (DDoS) attacks and/or fulfill other criminal purposes.
So what makes BlueBorne so serious? Armis Labs has the answer:
“The BlueBorne attack vector has several qualities which can have a devastating effect when combined. By spreading through the air, BlueBorne targets the weakest spot in the networks’ defense – and the only one that no security measure protects. Spreading from device to device through the air also makes BlueBorne highly infectious. Moreover, since the Bluetooth process has high privileges on all operating systems, exploiting it provides virtually full control over the device.”
More than 8 million devices come with Bluetooth capabilities today. Given BlueBorne’s widespread threat profile, Armis Labs took it upon itself to notify some of the biggest tech manufacturers about the attack vector and the eight zero-day flaws of which it consists.
Google and Microsoft both subsequently released updates for their affected devices by the beginning of September 2017. Those devices included all Android phones of every version and every Windows computer since Windows Vista.
Meanwhile, the flaws don’t affect any of Apple’s products so long as users are running a device with an iOS version above 9.3.5.
Armis Labs also contacted Samsung on three separate occasions, but the company didn’t respond to any of the researchers’ correspondence. Perhaps they’d have better luck submitting a bug report through Samsung’s new bug bounty program?
Users can help protect themselves against attacks like BlueBorne by installing all available software updates on their devices. They should also not leave Bluetooth enabled all the time. Whenever they’re not using the protocol, they should disable it.
For more discussion on BlueBorne, be sure to listen to this episode of the “Smashing Security” podcast:
Smashing Security #042: 'Equifax, BlueBorne, and the iPhone X'