BlueBorne is the latest and the deadliest vulnerability related to Bluetooth. Its details were published on 12 September 2017. Since it can spread like an airborne disease to any device that has Bluetooth enabled, the exploit is aptly named. BlueBorne can spread even if Bluetooth is not in discoverable mode; it just needs to be enabled, that's it. Furthermore, the victim doesn't need to click or touch anything: you may very well be sleeping in the airport waiting lounge, with Bluetooth on your phone enabled, when your phone gets hacked. You won't even need an internet connection on your phone, no Wi-Fi connection is required, and, even more simply put, you don't even need a SIM card in your phone to get hacked via BlueBorne. This is what makes it so scary. Usually, such targeted attacks need at least some kind of action to be taken by the potential victim, be it clicking a link in an email or opening the attachment it contains, but BlueBorne needs zero action. Contrary to the common misconception, Bluetooth-enabled devices are constantly listening for incoming connections from any device, not only from those they have been paired with. This means a Bluetooth connection can be established without pairing the devices at all. This makes BlueBorne one of the broadest potential attacks found in recent years, and allows an attacker to strike completely undetected. So, no matter how security conscious you are, you are vulnerable right now. The good news is that patches are out from all affected vendors, Microsoft being the first to release them back in July. But how far behind most individuals and organizations are on patching was very well demonstrated during the recent spurt of ransomware attacks, for which the patches were already out too.
As you know, Bluetooth is the leading and most widespread protocol for short-range communications, and is used by everything from regular computers and mobile devices to IoT devices such as TVs, watches, cars, and even medical appliances. The latest published reports show more than 2 billion Android, 2 billion Windows, and 1 billion Apple devices in use. Gartner reports that there are 8 billion connected or IoT devices in the world today, many of which have Bluetooth. Exploiting it provides virtually full control over the device. BlueBorne can serve any malicious objective, such as cyber espionage, data theft, ransomware, and even creating large botnets out of IoT devices, like the Mirai botnet, or out of mobile devices, as with the recent WireX botnet. The BlueBorne attack vector surpasses the capabilities of most attack vectors by penetrating secure "air-gapped" networks, which are disconnected from any other network, including the internet. This can endanger industrial systems, government agencies, and critical infrastructure. The attacker's need to be physically close enough, within Bluetooth range, is the only defense right now.
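The precondition described above is simply that Bluetooth be switched on, so the first thing a defender wants is an inventory of which hosts actually have a radio enabled. The following POSIX shell check is an added example, not code from the original post: it parses the text output of Linux's `rfkill list` and reports every Bluetooth radio that is neither soft- nor hard-blocked. The rfkill listing embedded in it is a constructed sample, so the check runs without any Bluetooth hardware.

```shell
#!/bin/sh
# Added example, not from the original post: report Bluetooth radios that are
# currently enabled on a Linux host, which is BlueBorne's one precondition.
# Parses the text output of `rfkill list`; a constructed sample is embedded so
# the check runs without Bluetooth hardware.

# Constructed sample of `rfkill list` output: a Wi-Fi radio, a Bluetooth radio
# that is soft-blocked (switched off in software) and one that is fully enabled.
SAMPLE_RFKILL='0: phy0: Wireless LAN
	Soft blocked: no
	Hard blocked: no
1: hci0: Bluetooth
	Soft blocked: yes
	Hard blocked: no
2: hci1: Bluetooth
	Soft blocked: no
	Hard blocked: no'

# enabled_bt_radios: read rfkill-style text on stdin and print the name of
# every Bluetooth radio that is neither soft- nor hard-blocked.
enabled_bt_radios() {
    name=""; bt=0; soft=0; hard=0
    while IFS= read -r line; do
        case "$line" in
            [0-9]*:*:*)
                # Header line "<id>: <name>: <type>": report the previous
                # device before starting a new one.
                if [ "$bt" -eq 1 ] && [ "$soft" -eq 0 ] && [ "$hard" -eq 0 ]; then
                    echo "$name"
                fi
                rest=${line#*: }      # "<name>: <type>"
                name=${rest%%:*}      # "<name>"
                kind=${rest#*: }      # "<type>"
                bt=0; soft=0; hard=0
                [ "$kind" = "Bluetooth" ] && bt=1
                ;;
            *"Soft blocked: yes"*) soft=1 ;;
            *"Hard blocked: yes"*) hard=1 ;;
        esac
    done
    # Flush the last device in the listing.
    if [ "$bt" -eq 1 ] && [ "$soft" -eq 0 ] && [ "$hard" -eq 0 ]; then
        echo "$name"
    fi
}

# bt_exposure_report: summarise the radios found in the given rfkill text.
# Returns 0 when at least one Bluetooth radio is enabled, 1 otherwise.
bt_exposure_report() {
    radios=$(printf '%s\n' "$1" | enabled_bt_radios)
    if [ -n "$radios" ]; then
        echo "Bluetooth enabled on: $(echo "$radios" | tr '\n' ' ')"
        echo "BlueBorne precondition met: apply the vendor patch or disable the radio"
        return 0
    fi
    echo "No enabled Bluetooth radio found"
    return 1
}

# Demo on the constructed sample. On a real Linux host run:
#   bt_exposure_report "$(rfkill list)"
bt_exposure_report "$SAMPLE_RFKILL"
```

On a real host, pass the live listing with `bt_exposure_report "$(rfkill list)"`. An enabled radio on an unpatched host is exactly the condition the post describes; `rfkill block bluetooth` removes it until the vendor patch is installed, and the report's exit status makes the check easy to run from a fleet inventory job.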
In the past, most Bluetooth vulnerabilities and security flaws originated in issues with the protocol itself, which were resolved in version 2.1 in 2007. Nearly all vulnerabilities found since have been of low severity and did not allow remote code execution. This shift occurred because the research community turned its eyes elsewhere and did not scrutinize the implementations of the Bluetooth protocol on the different platforms as it did with other major protocols.
The BlueBorne attack vector has several stages. First, the attacker locates active Bluetooth connections around them. Next, the attacker obtains the device's MAC address, a unique identifier of that specific device. By probing the device, the attacker can determine which operating system the victim is using and adjust the exploit accordingly. The attacker then exploits a vulnerability in the implementation of the Bluetooth protocol on the relevant platform and gains the access needed to act on the malicious objective. At this stage the attacker can choose to mount a man-in-the-middle attack and control the device's communication, or take full control of the device and use it for a wide array of cybercriminal purposes.
Hearing all this, one is forced to ask why the great technocrats of the world couldn't create software that is ultra secure, so that we don't see such vulnerabilities being discovered every few weeks. The answer lies not in technology but in human nature itself. When creating something new, we tend to create something that just works; its security is the last thing on our minds. The world's first car didn't even have doors. Today's cars have numerous security features, and they still don't prove to be enough at times. Obviously, the only focus at the time of building the first car was to create an automated vehicle, not an automated vehicle that is super secure. Another, much closer example: when young people learn to write software, they are happy to see their code working as intended; they are not even bothered about its efficiency, forget about losing sleep over its security. Having said that, vulnerabilities that can spread over the air and between devices pose a tremendous threat to any organization or individual. Current security measures, including endpoint protection, mobile data management, firewalls, and network security solutions, are not designed to identify these types of attacks and the related vulnerabilities and exploits, as their main focus is to block attacks that spread via IP connections. New solutions are needed to address the new airborne attack vector, especially those that make air gapping irrelevant. Additionally, more attention and research will be needed as new protocols come into use for consumers and businesses alike. With the number of desktop, mobile, and IoT devices only increasing, it is critical that we ensure these types of vulnerabilities are not exploited.