BlueBorne exploit on Android, iOS, Linux and Windows: more than 8 billion devices are critically vulnerable
The BlueBorne attack vector could potentially affect all Bluetooth devices, which are estimated at more than 8.2 billion today. Bluetooth is the leading and most common protocol for short-range communications and is used by all kinds of devices, from ordinary computers and mobile phones to IoT devices such as TVs, watches, cars and medical devices.
So what's the problem? Bluetooth is complicated. This excessive complexity is a direct consequence of the tremendous amount of work that went into creating the Bluetooth specification. To illustrate this: while the WiFi (802.11) specification fits in 450 pages, the Bluetooth specification runs to 2822 pages. The result of this complexity is a large number of vulnerabilities, some of which we will discuss in this article.
The Bluetooth specification has at least 4 different levels of fragmentation, as shown in the diagram taken from the specification:
BlueBorne Review
The BlueBorne attack vector consists of several stages. First, the attacker detects active Bluetooth devices nearby. Devices can be identified even when they are not in "discoverable" mode. The attacker then obtains the MAC addresses of the vulnerable devices. By probing a device, the attacker determines which operating system the victim uses and selects the exploit accordingly. Then, using a vulnerability in the Bluetooth protocol implementation of that platform, the attacker gains the access needed for their malicious purpose. At this stage, the attacker can choose to mount a Man-in-the-Middle attack, eavesdrop on the device, or take complete control of it in order to use it in a wide range of cyber-attacks, such as the WireX botnet.
BlueBorne attack on Android
Once an attacker has determined that the target is running the Android operating system, they can exploit any of the four vulnerabilities discovered for these devices, or mount the Man-in-the-Middle attack.
Below is a brief demonstration of how an attacker can take control of an Android device using BlueBorne:
Vulnerability in Android that may lead to information leakage (CVE-2017-0785)
The first vulnerability in Android reveals valuable information that helps an attacker exploit one of the remote code execution vulnerabilities described below. The vulnerability is in the implementation of the Service Discovery Protocol (SDP), which allows a device to identify the services offered by other Bluetooth devices around it. The flaw allows an attacker to send a series of requests to the SDP server, forcing it to disclose portions of its memory in the responses. This information can then be used by the attacker to overcome security measures and seize control of the device. It also allows an attacker to obtain encryption keys from the target device and eavesdrop on Bluetooth messages.
This vulnerability is located in the Bluetooth Network Encapsulation Protocol (BNEP) service. BNEP allows Internet access over Bluetooth, turning a mobile phone with a modem into a router or Internet access point. Due to a flaw in the BNEP service, an attacker can cause memory corruption, which allows them to run code on the device. Because authorization is not properly verified, triggering this vulnerability does not require any user interaction, so the user will not notice the attack.
This vulnerability is similar to the previous one, but lies in a higher layer above the BNEP service: the Personal Area Networking (PAN) profile, which is responsible for establishing an IP-based network connection between two devices. In this attack, the memory corruption can likewise be used by an attacker to gain complete control over the infected device.
Man-in-the-Middle (CVE-2017-0783)
Man-in-the-middle (MiTM) attacks allow an attacker to intercept and modify data coming to or from the target device. To carry out a MiTM attack over Wi-Fi, an attacker would need special equipment and would have to get the target device to connect to an open WiFi network. This vulnerability exists in the PAN profile of the Bluetooth stack and allows an attacker to create a malicious network interface on the victim's device, reconfigure IP routing and force all traffic through that malicious interface. The attack once again requires no user interaction or authentication, which makes it almost imperceptible.
BlueBorne attack on Windows
A vulnerability has been discovered in Windows that allows an attacker to conduct a Man-in-the-Middle attack. Below is a brief demonstration of this:
Man-in-the-Middle No. 2 (CVE-2017-8628)
This vulnerability is identical to that found in the Android operating system, and affects both systems, since they use the same principles in the implementation of some Bluetooth protocols.
BlueBorne attack on Linux
Armis has uncovered two vulnerabilities in the Linux operating system that allow attackers to fully control infected devices. The first is an information leak that can help an attacker determine the exact version used by the target device and adjust their exploit accordingly. The second is a stack overflow, which can lead to full control over the device.
Here is a brief description of how a hacker can take control of a Linux device using BlueBorne:
Information Leakage (CVE-2017-1000250)
Like the Android information leakage vulnerability, this vulnerability resides in the SDP server, which is responsible for one of the most important features of Bluetooth: the automatic connection of Bluetooth devices to services provided by other devices. A flaw in the SDP server allows an attacker to send a series of requests to it, forcing it to disclose portions of its memory in the responses. This can be used by an attacker to obtain sensitive data from the Bluetooth process, which may contain encryption keys.
BlueZ stack overflow (CVE-2017-1000251)
This vulnerability was discovered in the Bluetooth stack of the Linux kernel. A defect in L2CAP (Logical Link Control and Adaptation Protocol), which is used to connect two devices, causes memory corruption that allows the attacker to execute code.
BlueBorne attack on iOS
Armis disclosed this attack to Apple. The exploit was eliminated in iOS 10 and in Apple TV versions above 7.2.2, but the vulnerability still poses a big risk for any iOS device below version 10. It can be used by an attacker to execute code with elevated privileges.
Remote code execution using the Apple Low Energy Audio protocol
This vulnerability was discovered in the new LEAP (Low Energy Audio Protocol), developed by Apple and running on top of Bluetooth. The protocol is designed to stream audio to peripheral devices such as headsets or the Siri Remote. Since audio commands sent using LEAP are not properly validated, an attacker can use memory corruption to gain complete control over the device.
How to protect against BlueBorne?
Vulnerabilities that can spread through the air and between devices pose a huge threat to any organization or individual. Existing security measures, including endpoint protection, firewalls, and network security solutions, are not intended to identify these types of attacks and related vulnerabilities. Their main task is to block attacks that can spread through IP connections.
In the Linux kernel, the problem is in the code of the l2cap_parse_conf_rsp function and has been present since kernel 3.3 (October 2011). The problem was fixed on September 9th. In Linux kernels with stack overflow protection enabled (CONFIG_CC_STACKPROTECTOR=y), the vulnerability only leads to a kernel crash. This protection is enabled by default in RHEL, CentOS, Fedora, Ubuntu and most desktop and server Linux distributions. Therefore, on ordinary distributions only a crash (denial of service) is possible, and the main danger is to mobile Linux platforms such as Tizen.
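As an added illustration (not the kernel's own code), the pattern that closes this class of bug: L2CAP configuration options are serialised as a 1-byte type, a 1-byte length and the value, into a fixed-size stack buffer like the one l2cap_parse_conf_rsp uses. The hardened writer below passes the end of the output buffer and refuses any option that would not fit; the option type value and the 64-byte buffer size are assumptions chosen to mirror the kernel's layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define L2CAP_CONF_OPT_SIZE 2     /* option header: type + len */
#define L2CAP_CONF_MTU      0x01  /* option type for the MTU parameter (assumed) */
#define CONF_BUF_SIZE       64    /* fixed stack buffer, as in the kernel (assumed) */

/* Append one option to [*ptr, end). Returns 1 on success, 0 if the option
 * would not fit. This bounds check is what the vulnerable code lacked: it
 * kept writing options into the fixed buffer regardless of remaining space. */
static int add_conf_opt(uint8_t **ptr, const uint8_t *end,
                        uint8_t type, uint8_t len, const void *val)
{
    if ((size_t)(end - *ptr) < (size_t)L2CAP_CONF_OPT_SIZE + len)
        return 0;
    (*ptr)[0] = type;
    (*ptr)[1] = len;
    memcpy(*ptr + L2CAP_CONF_OPT_SIZE, val, len);
    *ptr += L2CAP_CONF_OPT_SIZE + len;
    return 1;
}

/* Serialise `count` MTU options (4 bytes each on the wire) into a 64-byte
 * stack buffer. Returns the number of bytes written, or -1 if the peer asked
 * for more options than the buffer can hold (where the overflow would occur). */
int build_conf_rsp(int count, uint16_t mtu)
{
    uint8_t req[CONF_BUF_SIZE];
    uint8_t *ptr = req, *end = req + sizeof(req);
    uint8_t le[2] = { (uint8_t)(mtu & 0xff), (uint8_t)(mtu >> 8) }; /* little-endian */

    for (int i = 0; i < count; i++)
        if (!add_conf_opt(&ptr, end, L2CAP_CONF_MTU, sizeof(le), le))
            return -1;          /* an unbounded writer would smash the stack here */
    return (int)(ptr - req);
}
```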
Android users should wait for security patches for their devices, since this depends on the manufacturer of the specific device. For now, you can install the BlueBorne Vulnerability Scanner app (created by the Armis team) from the Google Play Store to see if your devices are vulnerable to BlueBorne attacks or not.
"Microsoft released security updates in July. Clients who have Windows Update enabled and security updates applied are automatically protected. We released the update as soon as possible, but as a responsible industry partner, we did not disclose the information until other manufacturers developed patches," said a Microsoft representative.
Until the updates are installed, all users are advised to keep Bluetooth turned off by default and enable it only when necessary.