Experts comment: Behind the Bluetooth 'BlueBorne' zero-days

14 Sep 2017

As news spreads of the Bluetooth zero-day that affects more than 5 billion devices, security experts are warning users to use Bluetooth with caution.

Originally discovered by security firm Armis, the BlueBorne vulnerabilities are exploited through over-the-air (OTA) attacks via Bluetooth. Attackers can penetrate all Bluetooth-enabled devices, corporate data and airgapped networks, and spread malware laterally. They can also conduct man-in-the-middle attacks.

The firm has discovered eight zero-day vulnerabilities, of which four are listed as critical. While there is no mention of whether they have been used in the wild, the vulnerabilities are fully operational. They affect Android, iOS, Windows and Linux devices.

According to Trend Micro, the vulnerabilities are:

  • CVE-2017-1000251: a remote code execution (RCE) vulnerability in the Linux kernel
  • CVE-2017-1000250: an information leak flaw in Linux’s Bluetooth stack (BlueZ)
  • CVE-2017-0785: an information disclosure flaw in Android
  • CVE-2017-0781: an RCE vulnerability in Android
  • CVE-2017-0782: an RCE flaw in Android
  • CVE-2017-0783: an MitM attack vulnerability in Android’s Bluetooth Pineapple
  • CVE-2017-8628: a similar MitM flaw in Windows’ Bluetooth implementation
  • CVE-2017-14315: an RCE vulnerability via Apple’s Low Energy Audio Protocol

According to Armis’ blog, attackers using the BlueBorne vulnerabilities can strike without any user interaction. The vulnerabilities work with all versions and only need Bluetooth to be active.

“Unlike the common misconception, Bluetooth enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with. This means a Bluetooth connection can be established without pairing the devices at all. This makes BlueBorne one of the most broad potential attacks found in recent years, and allows an attacker to strike completely undetected,” the blog says.

The company has reached out to Google, Microsoft, Apple, Samsung and Linux about the vulnerabilities. Armis says new solutions are needed to address the new airborne attack vector.

We’ve received comments from Venafi and Webroot about the BlueBorne vulnerabilities:

Venafi’s chief security strategist Kevin Bocek

“BlueBorne is a disturbing new attack on almost every computer, smartphone, and tablet. While the vulnerability itself is concerning, the real threat is most alarming: running applications and connecting to websites to execute more attacks, an issue that can only be addressed if every application, every website has a unique machine identity.”

“Without this – the attacks as demonstrated with BlueBorne – it’s all too easy for hackers to run malicious applications or redirect people to a fake website. BlueBorne shows why it’s so urgent for businesses to ensure that every web, desktop and mobile application has a unique machine identity so that they can maintain constant visibility and control.”

Webroot’s senior director of security architecture David Dufour

“BlueBorne is another example of how simple it is for hackers to quickly scan for, and then exploit, open Bluetooth devices. The learning curve to scan for Bluetooth devices isn’t that much greater than scanning for Wi-Fi access points. To protect devices, users should turn off Bluetooth immediately after they are finished using it. Additionally, users should never connect to Bluetooth with a device that is running an old version of the software.

“For a while, Bluetooth vulnerabilities had died down as the industry responded and fixed known exploits, but this incident may be the tip of the iceberg once again. Just as we’ve seen a resurgence in worms, hackers often come back to repurpose the same exploits. Unfortunately in these cases, many connected devices don’t allow for patch management and become easy targets.”

CERT NZ:

CERT NZ recommends taking these steps immediately to protect your devices from this vulnerability:

  • Ensure you've patched all devices. CERT NZ recommends that you apply all security updates to all systems and software.
  • Disable Bluetooth on the device if it isn’t required.
  • If it isn’t possible to disable Bluetooth, check with the vendor or product manufacturer if an update is required and when it will be implemented.
  • Be careful when enabling Bluetooth in public as it has a range of around 10 metres, which could put the device at risk as Bluetooth attacks can be implemented remotely.