Bluetooth has been in public use for well over a decade. Previous attacks focused on weaknesses in the Bluetooth protocol itself. The new attack, BlueBorne, is unique in its approach among the attacks seen to date.
This attack is substantial in its potential reach. It may affect anywhere from 5.3B (Khandelwal, 2017; Moscaritolo, 2017) to 8.2B devices worldwide (Zorz, 2017) running iOS, Android, Windows, and Linux with Bluetooth enabled. This is because the attack targets the Bluetooth stack itself rather than any one platform.
The user does not have to be a victim of malware for the attack to succeed. The user does not have to download a file or link, click anything, or do anything at all to be a victim. The only prerequisites are that Bluetooth is enabled and on (Zorz, 2017; Khandelwal, 2017; Rascal23, 2017) and that the device is proximate to the attacker (Khandelwal, 2017); this distance would need to be less than 32 feet (Goodin, 2017). The device does not have to be paired with any other device (Moscaritolo, 2017), including the attacker's device. This allows the attack to be silent as it affects the device: the design does not "wake up" the targeted device (Biggs, 2017), and the user does not suspect the device is compromised. The speed of the attack is also notable. Compromising the device in its entirety takes only up to 10 seconds, inclusive of the choices the malware has to complete (Goodin, 2017).
This attack gives the attacker a choice of avenues to pursue in compromising the device. The attacker may take complete control of the device, continue spreading the malware further, or alternatively establish a man-in-the-middle (MitM) attack (Khandelwal, 2017). As an off-shoot of this, the attacker could in theory build a botnet from these devices. This further infection of other devices proximate to the infected one could likewise be accomplished in seconds (Rascal23, 2017).
This is also a valid attack against air-gapped machines that were previously thought to be secure. As with any other target, all that has to happen is that Bluetooth is on and the attacker is proximate.
The reports from the researchers who detected the attack (Armis Labs) are available at http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf and https://www.armis.com/blueborne/.
Affected Devices
There are millions of unpatched mobile phones, computers, and internet of things (IoT) devices. As long as these remain unpatched, an attacker has the capability to exploit the vulnerability to control the devices (US-CERT, 2017). This is specifically addressed in VU#240311.
The affected devices are:
a) Samsung Smart Watch, TVs, and Refrigerators,
b) Samsung Galaxy Phones and Tablets,
c) Google Pixel Smartphone,
d) All Windows Computers Beginning with Vista,
e) All iPhone, iPod, and iPod touch devices with iOS 9.3.5 and previous versions, and
f) Pumpkin Car Audio System (Zorz, 2017).
Of these, the strongest attack involves the Android and Linux OS devices. On these, the Bluetooth implementations are vulnerable to a memory corruption exploit. The attack allows the malware to run with high system privilege, which gives the exploit access to sensitive system resources (Goodin, 2017).
The Linux devices don't utilize address space layout randomization (ASLR) or a similar security feature to mitigate BlueBorne's buffer overflow vulnerability. Android does use ASLR; however, the attack is able to bypass that feature by exploiting another vulnerability that leaks the memory locations where key processes are operating (Goodin, 2017). In addition, the malware attacks the host's L2CAP (Logical Link Control and Adaptation Protocol) layer of the stack. L2CAP provides connection multiplexing, segmentation, and re-assembly of packets for upper-layer protocols.
US-CERT
BlueBorne has eight vulnerabilities associated with it across the various OSs (KB, 2017; Zorz, 2017; Biggs, 2017; Goodin, 2017; Khandelwal, 2017).
a) CVE-2017-1000251 (CWE-120)
   a. Buffer copy without checking the size of the input ("Classic Buffer Overflow")
   b. Linux kernel version 3.3-rc1 is affected. The attack was coded to exploit a vulnerable implementation of L2CAP EFS in BlueZ. The l2cap_parse_conf_rsp function was not coded to check the length of the rsp argument prior to unpacking it. This allows the attack to overflow a 64-byte buffer on the kernel stack with an unlimited amount of data.
b) CVE-2017-1000250 (CWE-125)
   a. Out of bounds read
   b. There is a vulnerable implementation of SDP. The attacker could exert control over the device by controlling the continuation state within SDP request packets and causing the SDP server to return an out-of-bounds read from the response buffer.
c) CVE-2017-0785 (CWE-125)
   a. Out of bounds read
   b. This affects all versions of Android prior to September 9, 2017. It stems from a vulnerable implementation of SDP within the Android Bluetooth software stack. An attacker may be able to control the continuation state within the SDP request packets and cause the SDP server to return an out-of-bounds read from the response buffer. This is much like CVE-2017-1000250; however, it is directed at a different stack.
d) CVE-2017-0781 (CWE-122)
   a. This CVE is a heap-based buffer overflow which affects all Android versions prior to September 9, 2017. An incorrect buffer size is passed to a memcpy call within the BNEP implementation for Android. This may allow the attacker to send crafted packets to the device that overflow the heap.
e) CVE-2017-0782 (CWE-191)
   a. Integer Underflow (Wrap or Wraparound)
   b. This CVE focuses on the BNEP implementation for Android, where rem_len is not size-checked; it applies to all versions prior to September 9, 2017. This allows an integer underflow and further unsafe processing of attacker-controlled packets.
f) CVE-2017-14315 (CWE-122)
   a. This affects Apple's Bluetooth Low-Energy Audio Protocol (LEAP) implementation in iOS version 9.3.5 and lower and Apple TV tvOS version 7.2.2 and lower. It does not properly validate the CID for incoming Bluetooth LEAP audio data. This may result in a heap overflow, since packet sizes are not properly validated prior to calling memcpy.
g) CVE-2017-0783 and CVE-2017-8628 (CWE-300)
   a. With this vulnerability, the security level requirements in the PAN profile of the Bluetooth implementation are incorrect. This may allow an attacker to secure permission to perform a man-in-the-middle (MitM) attack.
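The length check missing from item a) above, shown as an added example in a simplified model of L2CAP configure-response option parsing; this is not BlueZ or Linux kernel code, and the function and demo names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified model of L2CAP configure-response option parsing
 * (not BlueZ or Linux kernel code). Options arrive as type/len/value triples
 * and their values are unpacked into a 64-byte scratch buffer on the stack.
 * The two length checks inside the loop are what the vulnerable parser lacked. */
#define L2CAP_CONF_BUF 64

/* Copies each option value into out[0..out_sz). Returns the number of options
 * parsed, or -1 if any length would run past the packet or the scratch buffer. */
int l2cap_parse_conf_rsp_safe(const uint8_t *rsp, size_t rsp_len,
                              uint8_t *out, size_t out_sz)
{
    size_t pos = 0, used = 0;
    int count = 0;
    while (pos < rsp_len) {
        if (rsp_len - pos < 2)          /* truncated type/len header */
            return -1;
        uint8_t len = rsp[pos + 1];
        if (len > rsp_len - pos - 2)    /* option claims bytes the packet lacks */
            return -1;
        if (len > out_sz - used)        /* would overrun the 64-byte stack buffer */
            return -1;
        memcpy(out + used, rsp + pos + 2, len);
        used += len;
        pos  += 2 + len;
        count++;
    }
    return count;
}

/* Constructed well-formed response: two options with 2 and 3 value bytes. */
int demo_parse_two_options(void)
{
    uint8_t out[L2CAP_CONF_BUF];
    const uint8_t ok[] = { 0x01, 2, 0xAA, 0xBB, 0x02, 3, 0x01, 0x02, 0x03 };
    return l2cap_parse_conf_rsp_safe(ok, sizeof ok, out, sizeof out);
}

/* Constructed response whose single option carries 200 value bytes, more than
 * the 64-byte buffer can hold: it must be rejected rather than copied. */
int demo_reject_overlong(void)
{
    uint8_t out[L2CAP_CONF_BUF];
    uint8_t bad[202]; memset(bad, 0x41, sizeof bad);
    bad[0] = 0x01; bad[1] = 200;
    return l2cap_parse_conf_rsp_safe(bad, sizeof bad, out, sizeof out);
}
```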
Of these vulnerabilities, four are critical and should be addressed first.
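The rem_len underflow of item e) above, shown as an added example in a hypothetical model of walking BNEP extension headers; this is not the Android Bluetooth stack's code, and the function and demo names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of walking BNEP extension headers (not Android code).
 * Each extension header is a 1-byte ext_type (high bit set when another
 * extension follows), a 1-byte ext_len, and ext_len bytes of data; rem_len
 * counts the unconsumed bytes of the packet. */

/* Reducing an unsigned 16-bit rem_len without a size check wraps around:
 * 1 - 2 becomes 65535, so later bounds checks against rem_len pass. */
uint16_t unchecked_remaining(uint16_t rem_len, uint8_t consumed)
{
    return (uint16_t)(rem_len - consumed);
}

/* Hardened walk: every subtraction from rem_len is preceded by a check.
 * Returns the number of headers walked, or -1 if one would run past rem_len. */
int bnep_walk_extensions_safe(const uint8_t *pkt, uint16_t rem_len)
{
    size_t pos = 0;
    int count = 0, more = 1;
    while (more) {
        if (rem_len < 2)            /* header itself does not fit */
            return -1;
        uint8_t ext_type = pkt[pos];
        uint8_t ext_len  = pkt[pos + 1];
        rem_len -= 2;
        if (rem_len < ext_len)      /* payload longer than what remains */
            return -1;
        rem_len -= ext_len;
        pos  += 2 + (size_t)ext_len;
        more  = ext_type & 0x80;
        count++;
    }
    return count;
}

/* Constructed packet: two extensions, the first flagged "more follows". */
int demo_two_extensions(void)
{
    const uint8_t pkt[] = { 0x81, 2, 0xAA, 0xBB, 0x01, 1, 0xCC };
    return bnep_walk_extensions_safe(pkt, sizeof pkt);
}

/* Constructed packet cut off after the "more" flag: 1 byte left, header needs 2. */
int demo_truncated_extension(void)
{
    const uint8_t pkt[] = { 0x81, 2, 0xAA, 0xBB, 0x01 };
    return bnep_walk_extensions_safe(pkt, sizeof pkt);
}
```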
Solutions
Users of affected devices should download and apply the patches to resolve the issue immediately. As noted, patches are readily available for Windows, iOS, the Linux kernel, and Android (KB, 2017). Google pushed its patches with its September Android update, covering Marshmallow and Nougat (KB, 2017). Microsoft pushed its patches on September 12. Apple mitigated the vulnerability with iOS 10. Linux should provide its mitigation soon.
There may be an issue with Android devices when Android partners do not immediately pass the patch on to their customers. Until that happens, Bluetooth should be turned off (KB, 2017; Zorz, 2017).
References
Biggs, J. (2017, September 13). New Bluetooth vulnerability can hack a phone in 10 seconds. Retrieved from https://techcrunch.com/2017/09/12/new-bluetooth-vulnerability-can-hack-a-phone-in-ten-seconds/?ncid=rss
Goodin, D. (2017, September 12). Billions of devices imperiled by new clickless Bluetooth attack. Retrieved from https://arstechnica.com/information-technology/2017/09/bluetooth-bugs-open-billions-of-devices-to-attacks-no-clicking-required/
KB. (2017, September 12). Vulnerability note VU#240311: Multiple Bluetooth implementation vulnerabilities affect many devices. Retrieved from http://www.kb.cert.org/vulns/id/240311
Khandelwal, S. (2017, September 12). Blueborne: Critical Bluetooth attack puts billions of devices at risk of hacking. Retrieved from http://thehackernews.com/2017/09/blueborne-bluetooth-hacking.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+TheHackerNews+...
Moscaritolo, A. (2017, September 13). BlueBorne Bluetooth attack puts 5 billion devices at risk. Retrieved from https://www.pcmag.com/news/356174/blueborne-bluetooth-attack-puts-5-billion-devices-at-risk
Rascal23. (2017, September 13). Linux gets blasted by blueborne too. Retrieved from http://fullcirclemagazine.org/2017/09/13/linux-gets-blasted-by-blueborne-too/
US-CERT. (2017, September 12). Blue Borne Bluetooth vulnerabilities. Retrieved from https://www.us-cert.gov/ncas/current-activity/2017/09/12/BlueBorne-Bluetooth-Vulnerabilities
Zorz, Z. (2017, September 13). Billions of Bluetooth-enabled devices vulnerable to new airborne attacks. Retrieved from https://www.helpnetsecurity.com/2017/09/13/blueborne/