5.3 billion devices at risk for invisible, infectious Bluetooth attack

What spreads through the air, is invisible to users, and requires no user interaction- no clicking, no pairing, no downloading, not even turning on discoverable mode- but could bring the hurt to billions of devices? It’s an attack vector dubbed Blueborne. Researchers revealed eight different bugs that affect the Bluetooth of more than 5.3 billion devices, including Android, Windows, Linux and iOS.

IoT security company Armis warned that all it takes is having Bluetooth on, and within 10 seconds, your device could be pwned from 32 feet away. And it’s wormable, a regular walking worm, meaning one infected device could spread it to others. While that already sound ominous, Armis gave a scenario that included the infection spreading ransomware from Bluetooth-enabled device to device.

The flaws are not in the Bluetooth protocol, but in the stacks – the Bluetooth implementations. The researchers discovered four of the flaws in Android’s Bluetooth stacks, one in Windows, one in iOS and two in Linux. They are not just talking about desktops, laptops and phones; Armis warned that Bluetooth “is used by devices of all kinds, from regular computers and mobile devices to IoT devices such as TVs, watches, cars and even medical appliances.”

Bluetooth devices affected by the Blueborne threat

The vulnerabilities disclosed by Armis affect all devices running on Android, Linux, Windows and pre-version 10 of iOS operating systems, regardless of the Bluetooth version in use. This means almost every computer, mobile device, smart TV or other IoT device running on one of these operating systems is endangered by at least one of the eight vulnerabilities. This covers a significant portion of all connected devices globally.

Devices supporting Bluetooth Low Energy are not vulnerable.

Android: The four flaws affecting Android’s Bluetooth implantation include two that could lead to remote code execution (RCE), one that could allow attackers to perform man-in-the-middle attacks, and one that could result in information leaks.

Regarding RCE, the technical whitepaper ( pdf) released by Armis stated:

Successful exploitation results in remote code execution, under the privileges of the com.android.bluetooth service. This service is exceptionally privileged on Android devices: It has access to the filesystem (accessing the user’s phonebook, documents, photos, etc.), it has full control of the network stack (that can allow exfiltration of data, MiTM connections and bridging of networks) and it even has the ability to simulate an attached keyboard or mouse that can enable an attacker to gain full control of a device. In addition, since this service has full control of the Bluetooth interface itself, an attacker can also use the victim’s Bluetooth interface to attack other devices in its proximity, making this attack vector wormable.

Examples of impacted devices included Google Pixel, Samsung Galaxy, Samsung Galaxy Tab, LG Watch Sport, and Pumpkin car audio system.

Android devices running Gingerbread, Ice Cream Sandwich and Jelly Bean will not be patched; it will be like a never-ending zero-day for those devices. According to the September Android Security Bulletin, patches were released for devices running Android 4.4.4 on up: KitKat, Lollipop, Marshmallow, Nougat and Oreo.

Windows: Microsoft issued a Windows patch back in July, but it didn’t talk about the Bluetooth flaw allowing man-in-the-middle attacks until other vendors could patch. Armis revealed, “The vulnerability resides in the Bluetooth stack and enables the attacker to create a malicious network interface on the victim’s device, re-configure IP routing and force the device to transmit all communication through it. This attack does not require any user interaction, authentication or pairing, making it also practically invisible.”

The few people with Windows Phones can cheer, as the devices were not vulnerable.

Linux: The two flaws affecting Linux are an information leak vulnerability and a stack overflow that “can lead to full control of a device.” This includes some Linux-based devices such as “Tizen devices, Samsung’s Gear S3 smart watch, several Samsung televisions, and a handful of drone models.” Linux distribution maintainers are expected to release a fix soon – on or about September 12.

Apple: While Apple said Blueborne isn’t a threat for iOS 10, Armis said devices running Apple’s mobile OS 9.3.5 or older are vulnerable to a flaw in which an attacker could exploit “to gain remote code execution in a high-privileged context (the Bluetooth process).”

Additionally, Armis warned of an RCE flaw vulnerability in Apple’s Low Energy Audio Protocol (LEAP). LEAP was designed to stream audio to low-energy peripherals such as the Siri Remote or low-energy headsets. “Since the audio commands sent via LEAP are not properly validated, an attacker can use the memory corruption to gain full control of the device.”

Patch if you can, but users of the approximated 40% of devices that will not be receiving a firmware fix should consider turning off Bluetooth.