While not observed in the wild, the BlueBorne wormable Bluetooth attack could impact more than 5.3 billion devices. Security researchers discovered eight zero-day vulnerabilities in the Bluetooth protocol used in Android, iOS, Windows and Linux devices*, including mobile phones, laptops, desktops and other IoT devices. It affects the vast majority of relevant operating systems, with the exception of Sun Solaris, which does not offer Bluetooth.
BlueBorne could allow attackers to “take control of devices, access corporate data and networks, penetrate secure ‘air-gapped’ networks and spread malware laterally to adjacent devices,” according to the researchers at Armis. The attack can be carried out remotely, but the attacker must be in proximity to the target device. Because BlueBorne only needs Bluetooth to be enabled and requires no other user interaction such as pairing, the attack can spread like a worm and quickly create a botnet of infected devices. The botnet could then be used to deliver ransomware or other payloads.
That BlueBorne has not been used in the wild should be little comfort. The technical paper released by Armis contains enough detail that a proof of concept or actual attack is not difficult to imagine. Starting in April 2017, all affected vendors were notified and have since released patches.
You can keep track of updates to the BlueBorne attack and vulnerabilities at the Skybox Vulnerability Center.
*Vulnerabilities in BlueBorne Attack
- CVE-2017-0781: Remote code execution vulnerability in the Bluetooth network encapsulation protocol (BNEP) service that could enable a local attacker to execute arbitrary code within the context of a privileged process; it can be triggered without any user interaction, authentication or pairing
- CVE-2017-0782: Similar to CVE-2017-0781, a remote code execution vulnerability in BNEP’s personal area networking (PAN) profile
- CVE-2017-0783: Information disclosure vulnerability in the Bluetooth Pineapple that could allow a local attacker to intercept data going to or from the targeted device via a man-in-the-middle attack
- CVE-2017-0785: Remote information disclosure vulnerability that could enable a local attacker to obtain sensitive information and potentially leak encryption keys from the targeted device, as well as eavesdrop on Bluetooth communications
- CVE-2017-1000250: Information disclosure vulnerability in the SDP server (which allows Bluetooth to discover which services are available on a remote device and understand their attributes) in the native Bluetooth stack in the Linux kernel, BlueZ, that could allow remote attackers to obtain sensitive information from the bluetoothd process memory
- CVE-2017-1000251: Stack overflow vulnerability in BlueZ that could allow remote code execution in the kernel space
- CVE-2017-8628: Spoofing vulnerability in the Microsoft Bluetooth Driver due to Microsoft’s implementation of the Bluetooth stack
- CVE-2017-14315: Heap overflow vulnerability in the implementation of the low energy audio protocol (LEAP) in which a large audio command can be sent to a targeted device without validation, allowing an attacker to gain full control of the device; the attack bypasses the Bluetooth access control if the “Bluetooth On” setting is present, as is the default