18

The BlueBorne vulnerability was announced on September 12, 2017. It's a family of attacks against several implementations of the Bluetooth protocol that enable full compromises of various Bluetooth stacks, including Linux BlueZ (including Android) and iOS, and allow for MitM takeover of Windows network connections.

The discoverers at Armis claim that the vulnerabilities are so bad that they are fully "wormable", and the evidence they've presented supports that assertion.

All the big manufacturers have been notified and patched their newer systems. However, the problems will remain in the smaller players, as well as all the existing embedded devices that have Bluetooth connectivity. These would include cars, activity trackers, headphones, TVs, selfie sticks, and every other ridiculous "we-jammed-Bluetooth-chips-in-there-because-we-are-so-IoT" device.

What options exist to help companies and people prevent this from spreading, as it is almost certain to? Can we build "worm detectors" to help prevent carriers from bringing infected devices into secure environments? Can we build "vulnerability testers" to constantly scan nearby devices, warning us when they encounter a device that needs to be replaced? What can we do to respond?

hft
John Deters
  • 3
    Turn off Bluetooth in public and/or when you don't need it? – Ben Sep 12 '17 at 19:17
  • This is only an issue for client computers and peripherals. And that is only for people that auto-accept connections... but at least it sells IoT pen testing services. – Matthew Whited Sep 13 '17 at 11:32
  • 3
    "and not peripherals" ... stupid Stack Exchange won't let me fix my comment – Matthew Whited Sep 13 '17 at 11:43
  • 7
    @MatthewWhited "And that is only for people that auto-accept connections" That's not what [the whitepaper](http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf) says: "The attack does not require the targeted device to be set on discoverable mode or to be paired to the attacker’s device." – Ajedi32 Sep 15 '17 at 16:00
  • 6
    Bluetooth has been, and will remain, one of the most insecure algorithms known to man. I never use it; I even use an AUX cable in my car. No risks, no losses. So to be fully secure, do not turn it on! That is the protection I would advise. But patching it would fix this until the next zero day in Bluetooth. – Dr_Bunsen Sep 18 '17 at 13:33
  • @Ben But is it actually possible to completely disable Bluetooth on a smartphone? The UI on smartphones can definitely not be trusted on this matter. I mean we've seen again and again that even airplane mode is not capable of disabling all the radios reliably. – Forivin Sep 23 '17 at 08:31
  • @john-deters Are you sure you don't mean unsupported? If something is old and supported and receives an update that fixes this... etc. This would only be a problem if something is unsupported and remains unpatched. In which case, it depends on if the attacker designs an attack for that specific system – Robert Mennell Oct 03 '17 at 00:04

2 Answers

1

It really depends on your use case, but generally if you're wanting to defend your company:

  1. If you are worried about employees or visitors bringing in older, unpatched devices onto your network, segment those devices to a completely separate WiFi network that doesn't in any way touch your main network.
  2. Similarly, if your organization uses IoT devices, create a special segmented network that only those devices are given the password to. Don't let this network touch either your public WiFi network or your main network.
  3. For monitoring these networks, there are products that specifically monitor networks for unusual IoT and BYOD activity (Senr.io is one example). These products can monitor these vulnerable networks and alert you when unusual or malicious traffic occurs.

Beyond that, there is not much you can do. Turn off Bluetooth on any vulnerable device you have control over and educate your employees on this danger.

S.A.
-1

Armis' white paper warned BlueBorne could be the tip of the iceberg. So expect more zero-day exploits. What I've done: bought audio cables for my home sound system again, turned off all BT everything and got one of those cigarette-lighter-adapters for my micro-USB for my phone again. Party like it's 2004! If you need BT in a professional capacity I am truly sorry.

Nicola Li
  • This isn't a realistic approach. Millions (billions?) of people find Bluetooth to be more valuable than the risk of getting hacked, so it's not going away. So the question is "how do we prepare to defend against the inevitable?" – John Deters Oct 24 '17 at 02:42
  • This does not answer the question about what to do with all those devices that only have BT as an option, nor does it answer what to do with devices that are not under your control - you yourself say that you do not know how to handle the situation ("professional capacity"). – schroeder Oct 24 '17 at 10:18