The most salient point about the Blueborne vulnerability is that it does not require permission to pair Bluetooth devices or any action by the user (such as clicking a link or downloading a file). Simply being in range with Bluetooth enabled is enough, even if your device is not set to be discoverable. Hence the name BlueBorne, a combination of Bluetooth and "airborne" to highlight the ability for an attack to spread "through the air". It does not rely on a physical connection or an Internet connection, and for the most part, all Bluetooth-enabled devices can be discovered trivially by other Bluetooth enabled devices.
This is possible because the only information you need to be able to send traffic to a Bluetooth device is its Bluetooth Device Address/MAC address (BDADDR)—and this can be obtained through Bluetooth packets which contain enough plaintext information in its header that the BDADDR can be guessed. And, if not, the adapters for Wi-Fi and Bluetooth are usually the same, in which case extrapolating from the more accessible Wi-Fi MAC address is possible.
The vulnerability was revealed by Armis Labs, an IoT security firm, which also identified eight zero-day vulnerabilities. ("Zero-day" is a term used to describe security threats that a developer was not previously aware of and therefore has no immediate defense against.) Platforms across the board are affected, including Android, iOS (pre-version 10), Windows, and Linux systems. The vulnerabilities include the potential of remote code execution, Man-in-the-Middle attacks, and information leaking.
Armis reported that 8.2 billion Bluetooth-enabled devices could be at risk. With connectivity and IoT being so prevalent, the potential misuse of those vulnerabilities could have far-reaching implications.
Even more alarming, it is not possible to detect a BlueBorne attack or to prevent one once it is occurring. So far, the best advice out there is to update your software and to turn Bluetooth off when it is not needed.
BlueBorne in Action
With an uptick in Ransomware attacks in 2017, and more and more connected devices being used everyday, device security is becoming increasingly important even for the everyday user who may not want to lose access to, or control of, their data or privacy.
Here are some demonstrations provided by Armis Lab researchers with BlueBorne in action that demonstrate taking control of a device and listening in through the device’s microphone.
In this demonstration, an "attacker" gains access to a user's phone, takes a picture using its camera, and steals the picture from the device.
This video shows an attacker employing a "Man in the Middle" attack to give a false login page to a user in order to steal credentials.
Linux Wearable Device
Finally, this example shows an attacker listening in to ambient sounds "heard" by a wearable and then remotely restarting the device.
How to Keep Your Devices Safe
Currently, there are no typical protocols in place to protect devices from an "airborne" attack, which is part of why this particular vulnerability is especially concerning.
The best course of action, for the time being, is to ensure your software is up-to-date. Check for updates on your phone, your laptop, your wearable devices, and even your Bluetooth headphones or your car’s infotainment system if that’s available. Armis Labs contacted many of the vendors that are susceptible to the BlueBorne attack, so patches and updates may begin to roll out soon.
You can also download the BlueBorne Vulnerability Scanner that’s been put out in the Google Play Store for Android devices. The app tells you if your particular device is currently at-risk, and it can also take a scan of the devices around you, which can help if you are working in a coffee shop or want to check devices at home. However, this only works for devices that are discoverable.
While it may be inconvenient, keeping Bluetooth connectivity turned off when it’s not necessary is also important and helpful.
And, of course, staying up to date on new information available about BlueBorne, and other vulnerabilities that can impact you.
Feature image courtesy of Armis Labs.