BlueBorne, an attack vector for fast and stealthy contagion


October 16, 2017 by Alexandre Lai
October 16, 2017 by Nha-Khanh Nguyen
Armis Labs, a company specializing in IoT, has released a collection of 0-day vulnerabilities that affect almost all mobile devices as well as the main operating systems used in the IT and IoT world. More precisely, these vulnerabilities stem from implementations of the Bluetooth protocol, which is widely deployed in all kinds of equipment. According to Armis, more than 8.5 billion vulnerable devices have been found, including 2 billion Android, 2 billion Microsoft Windows and 1 billion Apple iOS devices.

 

How does it work?

The bundle of vulnerabilities identified by Armis has been called BlueBorne and, as the trend dictates, comes with a name, a logo and attractive storytelling describing the security flaws. "Blue" stands for Bluetooth and "Borne" for airborne, as these vulnerabilities spread through the air. According to Armis, this collection could provide access to air-gapped networks, i.e. networks that are physically isolated for security reasons. Neither pairing nor user interaction is necessary: Bluetooth simply needs to be enabled on the device for it to be vulnerable, even if discovery mode is disabled. Armis has published several demonstrations of hacking a device over a Bluetooth connection and of the consequences that follow. It is therefore enough for the attacker to locate a Bluetooth connection in order to obtain the MAC address of the equipment. Nowadays, finding a smartphone, a tablet, a watch or even a set-top box that is permanently emitting is quite easy. With the MAC address, the attacker can then determine the type of device used and then its operating system. Android, iOS, Windows or even Linux: the attacker just has to exploit the right vulnerability according to his aim. Armis actually identified 8 vulnerabilities, of which 4 are clearly critical.


Why is it so critical?

BlueBorne is a collection of freshly discovered vulnerabilities and, so that nobody feels left out, there are some for every operating system. As mentioned above, there is now a whole fauna of connected objects and devices wherever we are: at home, in the office, in the street, no place escapes them. Computers, smartphones, watches, pacemakers, light bulbs, cameras: the Internet of Things is full of all kinds of devices, and almost all of them have Bluetooth embedded. The attacker therefore has a wide range of targets to choose from and can take full control of the device, with high privileges. From then on, it is up to him to exfiltrate data, spy on the device or use it to deploy malware. The last scenario can expand considerably. In turn, the infected device can locate other devices with Bluetooth enabled in the area and propagate the malware in the same way it was infected: a massive and highly contagious lateral movement. In a rather furtive way, a malicious person is thus able to conduct espionage just by standing near his victim's office. And it is only a matter of time before the first ransomware using the BlueBorne vector appears, which would then spread like wildfire.

 

What are these vulnerabilities and what about their impacts?

The remote code execution

Among the BlueBorne 0-days, there are 4 vulnerabilities allowing remote code execution. On the Android side, the weakness is located in the BNEP (Bluetooth Network Encapsulation Protocol) service, which allows data sharing via Bluetooth, and results in a heap-based buffer overflow (CVE-2017-0781) or an integer underflow (CVE-2017-0782). By exploiting these vulnerabilities, it is then possible to execute code and elevate privileges by causing memory corruption, without even alerting the user, since no pairing, authentication or user interaction is required. A windfall for spreading spyware within a company or on a sensitive industrial site, for instance. To illustrate the scope of these vulnerabilities, Armis released a video of the full takeover of an individual's smartphone even though the device is right next to its owner.

It is also possible to take full control of the device if it runs Linux or iOS. On Linux, the BlueZ stack embeds an implementation of L2CAP (Logical Link Control and Adaptation Protocol), used to connect two devices to each other, whose code is also vulnerable to a buffer overflow (CVE-2017-1000251). As with the previous vulnerabilities, the attacker only has to inject his payload and voilà. Some connected objects, including some smartwatches, run Linux. This is the product chosen by Armis for its demonstration. A watch, even more than a smartphone, emits constantly over Bluetooth, and some models are almost always connected to the smartphone. Once on the wrist, it follows its owner's every movement. Imagine how far malware could spread if the watch were infected, even just during a daily routine of commuting and work.

As for Apple, the brand has implemented its own protocol, LEAP (Low Energy Audio Protocol), which allows low-powered devices (Bluetooth Low Energy) to send audio and audio commands. However, the implementation of LEAP does not correctly handle the size of received packets (CVE-2017-14315). Exploiting this vulnerability is trivial. Simply sending a conventional Bluetooth packet would result in a heap-based buffer overflow, since it is larger than a Bluetooth Low Energy packet.


A memory leak which recalls Heartbleed

In order to communicate with each other, Bluetooth devices can identify other nearby devices on which the service is also enabled. SDP (Service Discovery Protocol) is dedicated to this feature. The Bluetooth client queries the reachable devices to discover the services they offer and then determine which layer of the Bluetooth stack to address. SDP requests can sometimes receive responses that exceed the PDU (Protocol Data Unit) size. A parameter called the continuation state is sent with the partial response to signal that one or more further response units are expected. However, an implementation error in the handling of this parameter would allow an attacker to take control of it in order to cause an out-of-bounds read. With a specially crafted request, the attacker can cause the response to leak memory bytes that may contain sensitive information (encryption keys, ...) from an Android (CVE-2017-0785) or Linux (CVE-2017-1000250) device. This recalls a certain SSL vulnerability, called Heartbleed, which was much written about in 2012. However, it should be noted that the two vulnerabilities impacting Android and Linux are similar but do not affect the same stack.
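The continuation-state flaw described above comes down to trusting an offset that the peer echoes back. The following C example is added here for illustration and is not code from Armis, BlueZ or Android: it uses a constructed memory model, and the names `sdp_model`, `frag_trusting` and `frag_checked` are hypothetical. It shows the flawed pattern beside the bounds-checked one.

```c
#include <stdio.h>
#include <string.h>

#define FRAG_MAX 8 /* constructed: payload bytes per response fragment */

/* Constructed model: the response is heap[0..rsp_len); the bytes after
 * it stand in for unrelated data that sits next to it in memory. */
struct sdp_model { unsigned char heap[32]; size_t rsp_len; };

static struct sdp_model make_model(void)
{
    struct sdp_model m;
    memcpy(m.heap, "SERVICE-RECORD-A", 16);
    memcpy(m.heap + 16, "ADJACENT-SECRET!", 16);
    m.rsp_len = 16;
    return m;
}

/* Flawed pattern: the offset echoed back in the continuation state is
 * used as-is, so the peer decides where the next fragment is read from. */
static int frag_trusting(const struct sdp_model *m, size_t off, unsigned char *out)
{
    memcpy(out, m->heap + off, FRAG_MAX);
    return FRAG_MAX;
}

/* Hardened pattern: an offset outside the response is a protocol error,
 * and the fragment is clamped to the bytes that remain. */
static int frag_checked(const struct sdp_model *m, size_t off, unsigned char *out)
{
    if (m->rsp_len > sizeof m->heap || off >= m->rsp_len)
        return -1;
    size_t n = m->rsp_len - off;
    if (n > FRAG_MAX)
        n = FRAG_MAX;
    memcpy(out, m->heap + off, n);
    return (int)n;
}

int main(void)
{
    struct sdp_model m = make_model();
    unsigned char out[FRAG_MAX];
    int n = frag_trusting(&m, 16, out);      /* offset past the response */
    printf("trusting: %d bytes: %.*s\n", n, n, (const char *)out);
    printf("checked:  %d\n", frag_checked(&m, 16, out));
    return 0;
}
```

In a real stack the same check belongs wherever a continuation state is parsed, and a rejected state should end the transaction with an error response rather than a partial read.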


Bluetooth Pineapple

Like its counterpart on WiFi, Bluetooth Pineapple is the nickname given to the vulnerability affecting Android (CVE-2017-0783) and Windows (CVE-2017-8628), which allows communications between two devices to be intercepted, this time over Bluetooth. Armis identified a security weakness at another level of the BNEP service, more precisely in the PAN (Personal Area Networking) protocol, which is responsible for connecting two devices via an IP network. This vulnerability would give an attacker the possibility to create a rogue network interface on the victim's device and then reconfigure IP routing to force communication flows through that interface. Again, the attack is completely stealthy: it requires no user interaction, authentication or pairing and, unlike the Pineapple on WiFi, it does not require any specific equipment. As demonstrated in the Armis video, a user (we can imagine an employee at his office) can have his credentials stolen in a discreet manner that is undetectable even by companies, which rarely monitor radio communications.


Who is affected by BlueBorne?

All versions of Android prior to the patch issued by Google in September 2017 are affected by the described vulnerabilities (CVE-2017-0781, CVE-2017-0782, CVE-2017-0785, CVE-2017-0783), except wearables using Bluetooth Low Energy on Android.

Regarding iOS, iPhones, iPads and iPods running iOS 9.3.5 or earlier, as well as AppleTV devices running version 7.2.2 or earlier, are also affected by BlueBorne. For now, only iOS 10 and 11 are not affected by the CVE-2017-14315 vulnerability.

On the Microsoft side, operating systems from Vista to Windows 10 are impacted by the CVE-2017-8628 vulnerability. A patch was released on September 12, 2017.

Finally, BlueZ versions below 5.46 are impacted by the CVE-2017-1000250 vulnerability. Only Linux kernel versions from 3.3-rc1 to 4.13.1 are affected by remote code execution (CVE-2017-1000251). For the moment, no patch has been announced for Linux platforms except for Red Hat.

Platform | Type of vulnerability            | CVE identifier   | Description
---------|----------------------------------|------------------|-----------------------
Android  | Remote code execution            | CVE-2017-0781    | Sneak attack
Android  | Remote code execution            | CVE-2017-0782    | Sneak attack
Android  | Data leakage                     | CVE-2017-0785    | Similar to Heartbleed
Android  | "Man-In-The-Middle" (MiTM) attack | CVE-2017-0783    | Bluetooth "Pineapple"
Linux    | Remote code execution            | CVE-2017-1000251 | -
Linux    | Data leakage                     | CVE-2017-1000250 | Similar to Heartbleed
iOS      | Remote code execution            | CVE-2017-14315   | -
Windows  | "Man-In-The-Middle" (MiTM) attack | CVE-2017-8628    | Bluetooth "Pineapple"

Summary table of the BlueBorne vulnerabilities


Recommendations

A major update was released by Google on September 9, 2017, to mitigate the BlueBorne vulnerabilities on Android systems. As always with Android, users will have to wait for the goodwill of the various smartphone manufacturers to distribute the patch. For Apple iOS, an upgrade to the latest version will protect against BlueBorne.

For systems on which patches against BlueBorne are unavailable, the best option is to disable the Bluetooth feature or to minimize its use to avoid compromise.

In addition, Armis has released an app, available on the Google Store, to verify whether a device is vulnerable and to identify vulnerable devices in the area.

 

Conclusion

For the time being, BlueBorne exploits have not been disclosed and no exploitation in the wild has yet been identified. It is very rare, however, that security flaws affecting such a large number of devices (let's recall, close to 8.5 billion objects of all types) do not grab the attention of a few attackers, especially since Armis published enough details for some to start looking. For the IoT sector, after the Mirai botnet attacks, it is a second test of its ability to respond to a critical threat.