5

While reading through the technical whitepaper of the BlueBorne attacks I've noted that it is required for the attacker to know my Bluetooth MAC-Address. They claim it should be really easy to obtain it by using one of the following techniques:

  1. Sniff Wi-Fi traffic and get the unencrypted MAC from the raw Wi-Fi frames, assuming the attacker is not connected to the Wi-Fi I am on (for example by using this device)
  2. Sniff Bluetooth traffic, for example while I use it with headphones (for example by using the mentioned Ubertooth)

Both of these things are easy to do as long as you have the special hardware.

However if one infects my phone and wants it to infect a third device, how can my phone sniff the required MAC-address of the third device?

Most phones have no special sniffing hardware, neither for Bluetooth[1] nor Wi-Fi[2], so it is hard to get the third device's MAC, which is required for the attack. The only way I can think of to get MACs would be to guess/brute-force them?

So, are we then "safe" from the phone-to-phone-spreading malware horror case?


[1] "Since the “Monitor Mode” of Bluetooth is very limited in tools widely accessible for researchers, [...]" http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper-1.pdf

[2] "It is not possible to capture from the internal Wi-Fi interface on Android without running a custom firmware and gaining root access." https://www.kismetwireless.net/android-pcap/

GameScripting

  • (3) The App "BLE Scanner", running on my Android device, easily shows Bluetooth MAC addresses of devices in the vicinity. So, no real problem there. – nulldev Sep 14 '17 at 07:54
  • (2) I don't know why you mention Wifi. Wifi has nothing to do with that, it is about Bluetooth and only Bluetooth MAC addresses! Capturing Wifi has nothing at all to do with BlueBorne! – Josef Sep 20 '17 at 09:46

2 Answers

4

I guess BlueBorne is a big threat but it is still a "ghost". At the moment, there is no public exploit published. The author of the paper used eight different zero-day vulnerabilities (four in Android bluedroid, two in Linux BlueZ, one in Windows and one in iOS) to perform the hack, and to perform this, a lot of knowledge is required. Only very skilled hackers can do it. The probability of being hacked is still very low. But I guess soon there will be public exploits available and the threat will be real.

You can see here an awesome video of the hack pwning a Google Pixel device:

[Video: BlueBorne on YouTube]

There is an app available to check whether your device is vulnerable to this hack:

https://play.google.com/store/apps/details?id=com.armis.blueborne_detector

Regarding the spreading, I'm not sure whether it can be a big problem (this is purely opinion based).

Anyway, remember best practices. Only turn on Bluetooth if you really are going to use it (in the car or wherever). Bluetooth has a very short range. The probability of being hacked in the car is almost none :)

OscarAkaElvis

  • (1) I was not looking for an opinion based answer but one that builds on the technical details they published/are known. I am trying to verify what they are claiming as they are a company and may claim some things to sell more of their IT-sec/pentesting services. – GameScripting Sep 14 '17 at 07:24
  • "The probability of being hacked at car is almost none" I'm not so sure about that. If you stop at a traffic light on a busy street, there are probably a dozen or so Bluetooth devices in range. (Probably everyone in every car next to you has a phone with Bluetooth capabilities.) That's assuming the answer to the OP's question about whether this attack is wormable or not is "yes" though. – Ajedi32 Sep 15 '17 at 15:53
  • (2) One remark: The attacker did not need to "use eight different vulnerabilities" - he found eight vulns in different stacks - four in android bluedroid, two in linux BlueZ, one in windows and one in iOS. Each of the vulnerabilities can be exploited independently of the others. – user5626466 Sep 20 '17 at 07:30
  • Good to know, thanks for the clarification. Editing answer. – OscarAkaElvis Sep 20 '17 at 09:12
2

I don't think it would be as hard as you assume to get the MAC address. For one thing, most Android devices broadcast their MAC address even when not connected to anything, so the information is out there for sniffing. For another, well-known root exploits on Android are legion (especially for old out-of-support devices), so once you can run arbitrary code on the device, you can probably manage to get root access in many cases, allowing you to sniff out your next victim.

But Bluetooth has relatively short range. So avoid leaving your Bluetooth on when it's not needed or you're in risky areas (like high-traffic tourist spots, crowded event venues, etc.) and you'll probably be fine.

Ben

  • (2) I've clarified my question: I assume the attack not to be on the same wifi, thus needing the ability to capture true raw wifi frames. So even if the devices are broadcasting them all the time, usual phones lack the hardware to capture them, right? – GameScripting Sep 14 '17 at 07:22
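The point raised by this answer and by the "BLE Scanner" comment above is that no monitor-mode hardware is needed to learn a nearby device's Bluetooth address: a phone's own adapter, driven as an ordinary host, receives HCI events that carry other devices' addresses whenever it runs a classic inquiry or an LE scan. The following is an added example, written for this page and not code from the question, the answers, or the BlueBorne paper. It parses two such events from constructed sample packets: an Inquiry Result (HCI event 0x02, which only devices in discoverable mode answer, and which always yields the real BR/EDR BD_ADDR) and an LE Advertising Report (LE Meta event 0x3E, subevent 0x02, which any scanning host sees without connecting). It assumes H4 framing (a leading 0x04 byte for event packets) and one record per event, as the Linux kernel parses these events. The sample packets, addresses and device name are made up.

```python
# Added example (not from the original post): parse the HCI events a
# Bluetooth host receives while discovering devices, to show what a phone's
# own adapter hands an app in normal host mode, without monitor-mode hardware.
# Layouts follow the Bluetooth Core Specification HCI section, with H4 framing.
# All sample packets below are constructed, not captured from real devices.
import struct

HCI_EVENT_PKT = 0x04
EVT_INQUIRY_RESULT = 0x02
EVT_LE_META = 0x3E
LE_SUBEVT_ADV_REPORT = 0x02
INQUIRY_RECORD_LEN = 14  # BD_ADDR(6) PSRM(1) Reserved(2) CoD(3) Clock_Offset(2)


def bdaddr_to_str(raw6):
    """HCI carries BD_ADDR least-significant byte first; display it MSB first."""
    return ":".join(f"{b:02X}" for b in reversed(raw6))


def classify_le_address(addr_type, raw6):
    """Map the LE address type plus the top two bits of the MSB to its kind."""
    if addr_type == 0x00:
        return "public"                     # the controller's fixed BD_ADDR
    top = raw6[5] >> 6                      # MSB is the last byte on the wire
    return {0b11: "random-static",
            0b01: "random-resolvable",      # rotates; not a durable identifier
            0b00: "random-non-resolvable"}.get(top, "random-reserved")


def local_name_from_ad(data):
    """Walk the AD structures ([len][type][value]...) and return the local name, if any."""
    name, i = None, 0
    while i < len(data):
        length = data[i]
        if length == 0 or i + 1 + length > len(data):
            break                           # padding or truncated structure: stop
        ad_type, value = data[i + 1], data[i + 2:i + 1 + length]
        if ad_type in (0x08, 0x09):         # shortened / complete local name
            name = value.decode("utf-8", errors="replace")
        i += 1 + length
    return name


def parse_hci_event(pkt):
    """Return one dict per device address carried by the event (empty for other events)."""
    if len(pkt) < 3 or pkt[0] != HCI_EVENT_PKT:
        raise ValueError("not an H4 HCI event packet")
    code, plen = pkt[1], pkt[2]
    params = pkt[3:3 + plen]
    if len(params) != plen:
        raise ValueError("truncated event parameters")
    found = []
    if code == EVT_INQUIRY_RESULT:
        # Classic (BR/EDR) inquiry: only devices in discoverable mode answer.
        num, off = params[0], 1
        for _ in range(num):
            rec = params[off:off + INQUIRY_RECORD_LEN]
            if len(rec) < INQUIRY_RECORD_LEN:
                raise ValueError("short inquiry record")
            found.append({"transport": "BR/EDR",
                          "addr": bdaddr_to_str(rec[0:6]),
                          "kind": "public",  # inquiry always yields the real BD_ADDR
                          "class": int.from_bytes(rec[9:12], "little")})
            off += INQUIRY_RECORD_LEN
    elif code == EVT_LE_META and plen >= 2 and params[0] == LE_SUBEVT_ADV_REPORT:
        # LE advertising: any scanning host sees these, no connection needed.
        num, off = params[1], 2
        for _ in range(num):
            evt_type, addr_type = params[off], params[off + 1]
            raw_addr = params[off + 2:off + 8]
            dlen = params[off + 8]
            data = params[off + 9:off + 9 + dlen]
            if len(data) != dlen or off + 9 + dlen >= len(params):
                raise ValueError("short advertising report")
            rssi = struct.unpack_from("b", params, off + 9 + dlen)[0]
            found.append({"transport": "LE",
                          "addr": bdaddr_to_str(raw_addr),
                          "kind": classify_le_address(addr_type, raw_addr),
                          "name": local_name_from_ad(data),
                          "rssi": rssi,
                          "connectable": evt_type in (0x00, 0x01)})  # ADV_IND / ADV_DIRECT_IND
            off += 10 + dlen
    return found


def stable_addresses(packets):
    """Addresses that identify a device over time: public or static random only."""
    out = set()
    for pkt in packets:
        for dev in parse_hci_event(pkt):
            if dev["kind"] in ("public", "random-static"):
                out.add(dev["addr"])
    return sorted(out)


# Constructed sample events:
# 1) Inquiry Result, one response from a discoverable classic device.
SAMPLE_INQUIRY = bytes.fromhex("04 02 0F 01  66 55 44 33 22 11  01  00 00  0C 02 5A  00 00")
# 2) LE Advertising Report, ADV_IND from a resolvable private address, name "Pixel".
SAMPLE_ADV_RPA = bytes.fromhex("04 3E 16 02 01  00 01  55 44 33 22 11 6A  0A"
                               "  02 01 06  06 09 50 69 78 65 6C  C4")
# 3) LE Advertising Report, ADV_IND from a public address, flags only.
SAMPLE_ADV_PUBLIC = bytes.fromhex("04 3E 0F 02 01  00 00  F6 E5 D4 C3 B2 A1  03  02 01 06  BA")

if __name__ == "__main__":
    for pkt in (SAMPLE_INQUIRY, SAMPLE_ADV_RPA, SAMPLE_ADV_PUBLIC):
        for dev in parse_hci_event(pkt):
            print(dev)
    print("stable:", stable_addresses([SAMPLE_INQUIRY, SAMPLE_ADV_RPA, SAMPLE_ADV_PUBLIC]))
```

The `kind` field is the caveat worth keeping in mind when reading a scanner app's output: an LE advertiser using a resolvable private address rotates it, so what the app displays is not necessarily a durable identifier, whereas a classic inquiry response or a public LE address is the controller's fixed BD_ADDR. `stable_addresses` keeps only the latter.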