sb-nz logo
Story image

Experts comment: Behind the Bluetooth 'BlueBorne' zero-days

14 Sep 2017

As news spreads of the Bluetooth zero-day that affects more than 5 billion devices, security experts are warning users to use Bluetooth with caution.

Originally discovered by security firm Armis, the BlueBorne vulnerabilities spread via over-the-air (OTA) attacks via Bluetooth. Attackers can penetrate all Bluetooth-enabled devices, corporate data, airgapped networks and spread malware laterally. They can also conduct man-in-the-middle attacks.

The firm has discovered eight zero-day vulnerabilities, of which four are listed as critical. While there is no mention if they have been used in the wild, the vulnerabilities are fully operational. They affect Android, iOS, Windows and Linux devices.

According to Trend Micro, the vulnerabilities are:

  • CVE-2017-1000251: a remote code execution (RCE) vulnerability in Linux kernel
  • CVE-2017-1000250: an information leak flaw in Linux’s Bluetooth stack (BlueZ)
  • CVE-2017-0785: an information disclosure flaw in Android
  • CVE-2017-0781: an RCE vulnerability in Android
  • CVE-2017-0782: an RCE flaw in Android
  • CVE-2017-0783: an MitM attack vulnerability in Android’s Bluetooth Pineapple
  • CVE-2017-8628: a similar MitM flaw in Windows’ Bluetooth implementation
  • CVE-2017-14315: an RCE vulnerability via Apple’s Low Energy Audio Protocol

According to Armis’ blog, attackers using the BlueBorne vulnerability can strike without any user interaction. The vulnerabilities work with all versions and only needs Bluetooth to be active.

“Unlike the common misconception, Bluetooth enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with. This means a Bluetooth connection can be established without pairing the devices at all. This makes BlueBorne one of the most broad potential attacks found in recent years, and allows an attacker to strike completely undetected,” the blog says.

The company has reached out to Google, Microsoft, Apple, Samsung and Linux about the vulnerabilities. Armis says new solutions are needed to address the new airborne attack vector.

We’ve received comments from Venafi and Webroot about the BlueBorne vulnerabilities:

Venafi’s chief security strategist Kevin Bocek

“BlueBourne is a disturbing new attack on almost every computer, smartphone, and tablet. While the vulnerability itself is concerning, the real threat is most alarming: running applications and connecting to websites to execute more attacks, an issue that can only be addressed if every application, every website has a unique machine identity.”

“Without this – the attacks as demonstrated with BlueBourne – it’s all too easy for hackers to run malicious applications or redirect people to a fake website. BlueBourne shows why it’s so urgent for businesses to ensure that every web, desktop and mobile application has a unique machine identity so that they can maintain constant visibility and control.”

Webroot’s senior director of security architecture David Dufour

“BlueBorne is another example of how simple it is for hackers to quickly scan for, and then exploit, open Bluetooth devices. The learning curve to scan for Bluetooth devices isn’t that much greater than scanning for WIFI access points. To protect devices, users should turn off Bluetooth immediately after they are finished using it. Additionally, users should never connect to Bluetooth with a device that is running an old version of the software.

“For a while, Bluetooth vulnerabilities had died down as the industry responded and fixed known exploits, but this incident may be the tip of the iceberg once again. Just as we’ve seen a resurgence in worms, hackers often come back to repurpose the same exploits. Unfortunately in these cases, many connected devices don’t allow for patch management and become easy targets.”

CERT NZ:

  • In order to protect yourself from this vulnerability, these are the steps that CERT NZ recommends you take immediately to protect your devices.
  • Ensure you've patched all devices. CERT NZ recommends that you apply all security updates to all systems and software.
  • Disable Bluetooth on the device if it isn’t required.
  • If it isn’t possible to disable Bluetooth, check with the vendor or product manufacturer if an update is required and when it will be implemented.
  • Be careful when enabling Bluetooth in public as it has a range of around 10 metres, which could put the device at risk as Bluetooth attacks can be implemented remotely.
Story image
Aruba updates edge security platform with SD-WAN capabilities
Aruba’s latest iteration of its Edge Services Platform (ESP) has been quick to make use of HPE’s acquisition of Silver Peak in September last year.More
Story image
Microsoft Exchange breach a wake-up call to ditch the server
"There are owners who still have in-house exchange servers because they are suspicious of the cloud or have concerns about their data sovereignty or don't want to contemplate the capital expenditure. But the warning is clear. Get rid of them."More
Story image
Kroll completes Redscan acquisition, expands cyber risk portfolio
With the addition of Redscan and its extended detection and response (XDR) enabled security operations centre (SOC) platform, Kroll expands its Kroll Responder capabilities to support a wider array of cloud and on-premise telemetry sources.More
Story image
FortiGuard appoints former cyber warfare officer
Former RAAF cyber warfare officer Mark Robson has been appointed as senior tactical threat analyst in FortiGuard’s managed detection and response team, FortiResponder.More
Story image
WatchGuard uncovers top cyber threat trends of Q4 2020
“The rise in sophisticated, evasive threat tactics last quarter and throughout 2020 showcases how vital it is to implement layered, end-to-end security protections."More
Story image
Hackers offering forged “official” COVID vaccination certificates and negative test results on dark net 
There has been a 350% increase in the number of advertisements selling alleged COVID vaccines within the last three months.More