Advisory: BlueBorne Reportedly Affects Billions of Bluetooth-Enabled Devices

by Vít Šembera (Cyber Threat Researcher)

BlueBorne is a set of vulnerabilities in the Bluetooth stack implementations of iOS, Android, Linux, Windows and Mac OS* devices. According to the researchers who uncovered them, BlueBorne affects around 5.3 billion Bluetooth-enabled devices. The immediate mitigation is to install the vendor's patch where one is available, or to switch off the device's Bluetooth if it is not needed.

Note that while proof-of-concept demonstrations of BlueBorne as an attack vector may exist, there are no indications that it is being actively exploited in the wild; we are proactively monitoring for such activity. Exploitation also requires certain conditions to be met, most basically that the attacker is within Bluetooth range of a device with Bluetooth switched on.

What is BlueBorne?
BlueBorne is a combination of vulnerabilities that stem from vague and outdated parts of the Bluetooth specification and from implementation errors, including authorization and authentication issues. Missing or incorrect validation of protocol parameters in Bluetooth stack code can result in stack or heap overflows (in the Linux L2CAP case, inside the kernel address space). Combined with an outdated implementation, these can lead to remote code execution (RCE).

Current Bluetooth stacks, for instance, allow low-level connections to be established without the user's interaction or knowledge. iOS fares better against BlueBorne, as Apple implemented its own Bluetooth stack with its own authentication and authorization during the initial connection; iOS requires direct user interaction in all cases.

On Android, the red flag is one an ordinary user is unlikely to notice: suspicious activity from the Bluetooth service process (com.android.bluetooth), which is forked from the Zygote daemon that launches apps. The service already runs with elevated Bluetooth privileges and is automatically restarted when it crashes, so failed exploitation attempts leave little visible trace. During a Wi-Fi Pineapple-type man-in-the-middle attack carried out over Bluetooth, which reroutes the victim's network traffic through the attacker, possible signs of BlueBorne exploitation are sudden network configuration changes, such as a new default route or web proxy definition. Other kinds of attacks, like RCE, are hardly detectable.
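One concrete way to watch for the network-configuration symptom just described, as an added example that is not from the original post: compare two snapshots of a Linux host's routing table from /proc/net/route and flag the default route moving onto a BNEP (Bluetooth PAN) interface, which is what a Pineapple-style hijack over Bluetooth produces when it inserts the attacker's device as the gateway. The snapshots below are constructed; the "bnep" interface-name prefix is the Linux BNEP naming convention and is an assumption here; and on Android, where netd keeps routes in per-network policy tables, /proc/net/route alone does not show the active default route, so treat this as the host-side check. Web proxy changes need a separate check.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the advisory): spot a default-route hijack
 * by diffing two /proc/net/route snapshots. Snapshots are constructed;
 * the "bnep" prefix for Bluetooth PAN interfaces is an assumption. */

#define RTF_GATEWAY 0x0002   /* route goes via a gateway */

struct default_route {
    char iface[16];
    unsigned long gateway;   /* as printed by the kernel: hex, host byte order */
    unsigned long metric;
};

/* Find the default route (destination 0.0.0.0) with the lowest metric.
 * Lines that do not parse as route entries (e.g. the header) are skipped.
 * Returns 1 if a default route exists, 0 otherwise. */
int find_default_route(const char *table, struct default_route *out)
{
    int found = 0;
    const char *line = table;
    while (line && *line) {
        char iface[16];
        unsigned long dest, gw, flags, refcnt, use, metric;
        int n = sscanf(line, "%15s %lx %lx %lx %lu %lu %lu",
                       iface, &dest, &gw, &flags, &refcnt, &use, &metric);
        if (n == 7 && dest == 0 && (flags & RTF_GATEWAY)) {
            if (!found || metric < out->metric) {
                strcpy(out->iface, iface);
                out->gateway = gw;
                out->metric = metric;
                found = 1;
            }
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return found;
}

/* Returns 1 if, between the two snapshots, the winning default route
 * moved onto a bnep interface (a new Bluetooth PAN gateway), 0 otherwise.
 * A bnep default route that was already in place before is not reported. */
int default_route_hijacked(const char *before, const char *after)
{
    struct default_route b, a;
    int had_before = find_default_route(before, &b);
    int has_after = find_default_route(after, &a);
    if (!has_after || strncmp(a.iface, "bnep", 4) != 0)
        return 0;
    if (had_before && strcmp(b.iface, a.iface) == 0 && b.gateway == a.gateway)
        return 0;
    return 1;
}

/* Constructed snapshots in /proc/net/route format (not captured data). */
static const char before_snapshot[] =
"Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n"
"wlan0\t00000000\t0101A8C0\t0003\t0\t0\t600\t00000000\t0\t0\t0\n"
"wlan0\t0001A8C0\t00000000\t0001\t0\t0\t600\t00FFFFFF\t0\t0\t0\n";

static const char after_snapshot[] =
"Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n"
"bnep0\t00000000\t012CA8C0\t0003\t0\t0\t10\t00000000\t0\t0\t0\n"
"wlan0\t00000000\t0101A8C0\t0003\t0\t0\t600\t00000000\t0\t0\t0\n"
"wlan0\t0001A8C0\t00000000\t0001\t0\t0\t600\t00FFFFFF\t0\t0\t0\n";

int main(void)
{
    struct default_route r;
    if (find_default_route(after_snapshot, &r))
        printf("default route now via %s (metric %lu)\n", r.iface, r.metric);
    printf("hijacked: %d\n", default_route_hijacked(before_snapshot, after_snapshot));
    return 0;
}
```

The lower metric on the bnep0 entry is what makes the new route win; an attacker who can add a PAN interface chooses that metric, so the check keys on which interface wins rather than on the mere presence of bnep0.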

BlueBorne Prevention and Mitigation
iOS users, particularly those with an iPhone 5 or newer, are protected by installing the latest iOS (version 10 or 11). Google has also released patches for the Android vulnerabilities in its September Security Bulletin. Note, however, that Android patching is fragmented: Pixel and Nexus devices get steady and consistent update rollouts, while other devices do not, and their users must check with the device's original equipment manufacturer for availability.

Desktop users are also advised to patch their OS; Microsoft shipped a fix as part of its September Patch Tuesday. Note that the BlueBorne flaw in Windows does not by itself allow code execution over Bluetooth; an attacker would need to chain it with additional vulnerabilities.

Updates are also underway for the vulnerabilities affecting Linux devices. CVE-2017-1000250, an information leak in the Service Discovery Protocol (SDP) server of the BlueZ user-space stack (bluetoothd), was fixed upstream on September 13, and the fix is propagating to distributions' BlueZ packages. Debian's bluez 5.46-1 as well as RHEL 6 and 7 already carry it.

A patch for CVE-2017-1000251, a stack buffer overflow in the Linux kernel's Logical Link Control and Adaptation Protocol (L2CAP) implementation, has been committed since September 9, and RHEL 5, 6 and 7 are already patched. On systems built with the kernel's stack protection feature (CONFIG_CC_STACKPROTECTOR or CONFIG_CC_STACKPROTECTOR_STRONG, depending on kernel version and platform), an unauthenticated attacker within Bluetooth range who initiates a connection to the system can use this flaw to crash it; because of how the stack protector works, code execution cannot be fully ruled out even then. Without stack protection, the overflow is a candidate for remote code execution in the kernel.
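The L2CAP flaw above and the earlier description of missing parameter validation share one root cause: a peer-supplied length is trusted while copying option data into a fixed-size buffer. The following is an added example, not the kernel's or BlueZ's code, that models L2CAP configuration-response parsing in simplified form: options are type/length/value records, accepted options are echoed into a fixed 64-byte buffer, and the parser fails closed on two conditions: an option whose claimed length runs past the packet, and an accumulated response that would not fit the output buffer. The second, output-side check is the one the unpatched kernel lacked (the upstream fix added a size argument to the helper that writes options). The buffer size, option codes and inputs are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example: simplified model of parsing an L2CAP configuration
 * response and echoing accepted options into a fixed-size buffer.
 * Not kernel code; sizes, option codes and inputs are assumptions. */

#define OPT_HDR_SIZE 2      /* type byte + length byte */
#define OPT_MTU      0x01
#define OPT_FLUSH_TO 0x02
#define OPT_HINT     0x80   /* high bit set: option is a hint and may be skipped */
#define OUT_SIZE     64     /* fixed stack buffer, as in the unpatched pattern */

enum parse_result { PARSE_OK = 0, PARSE_MALFORMED = -1, PARSE_OVERFLOW = -2 };

/* Read one option; reject it if its length byte claims more bytes than
 * remain in the packet (input-side check). */
static int get_opt(const uint8_t *data, size_t len, size_t *pos,
                   uint8_t *type, uint8_t *olen, const uint8_t **val)
{
    if (*pos + OPT_HDR_SIZE > len)
        return PARSE_MALFORMED;
    *type = data[*pos];
    *olen = data[*pos + 1];
    if (*pos + OPT_HDR_SIZE + *olen > len)
        return PARSE_MALFORMED;
    *val = data + *pos + OPT_HDR_SIZE;
    *pos += OPT_HDR_SIZE + *olen;
    return PARSE_OK;
}

/* Append an option to the output. `space` is the output capacity; the
 * unpatched code had no such argument, so enough peer options overran
 * the stack buffer (output-side check). */
static int add_opt(uint8_t *out, size_t *out_len, size_t space,
                   uint8_t type, uint8_t olen, const uint8_t *val)
{
    if (space < *out_len + OPT_HDR_SIZE + olen)
        return PARSE_OVERFLOW;
    out[*out_len] = type;
    out[*out_len + 1] = olen;
    memcpy(out + *out_len + OPT_HDR_SIZE, val, olen);
    *out_len += OPT_HDR_SIZE + olen;
    return PARSE_OK;
}

/* Parse a peer's configuration response: echo every non-hint option,
 * skip hints, and stop at the first malformed or oversized input. */
int parse_conf_rsp(const uint8_t *rsp, size_t rsp_len,
                   uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t pos = 0;
    *out_len = 0;
    while (pos < rsp_len) {
        uint8_t type, olen;
        const uint8_t *val;
        int rc = get_opt(rsp, rsp_len, &pos, &type, &olen, &val);
        if (rc != PARSE_OK)
            return rc;
        if (type & OPT_HINT)
            continue;
        rc = add_opt(out, out_len, out_cap, type, olen, val);
        if (rc != PARSE_OK)
            return rc;
    }
    return PARSE_OK;
}

/* Parse into a fresh fixed-size buffer, the shape of the kernel's stack
 * buffer; reports the result code and, optionally, the bytes echoed. */
int parse_into_fixed_buffer(const uint8_t *rsp, size_t rsp_len, size_t *echoed)
{
    uint8_t out[OUT_SIZE];
    size_t out_len = 0;
    int rc = parse_conf_rsp(rsp, rsp_len, out, sizeof out, &out_len);
    if (echoed)
        *echoed = out_len;
    return rc;
}

/* Constructed inputs (not captured traffic). */
static const uint8_t good_rsp[] = { OPT_MTU, 2, 0x72, 0x02,          /* MTU 0x0272 */
                                    OPT_FLUSH_TO, 2, 0xff, 0xff };
static const uint8_t short_rsp[] = { OPT_MTU, 10, 0x72, 0x02 };       /* claims 10, has 2 */

/* A peer repeating a valid 4-byte option 20 times: 80 bytes of output
 * against a 64-byte buffer, the overflow the length check must catch. */
int flood_result(void)
{
    uint8_t flood[80];
    size_t n = 0;
    while (n + 4 <= sizeof flood) {
        flood[n++] = OPT_MTU; flood[n++] = 2; flood[n++] = 0x72; flood[n++] = 0x02;
    }
    return parse_into_fixed_buffer(flood, n, NULL);
}

int main(void)
{
    size_t echoed = 0;
    printf("good:  %d (echoed %zu bytes)\n",
           parse_into_fixed_buffer(good_rsp, sizeof good_rsp, &echoed), echoed);
    printf("short: %d\n", parse_into_fixed_buffer(short_rsp, sizeof short_rsp, NULL));
    printf("flood: %d\n", flood_result());
    return 0;
}
```

With only the input-side check in place, the flood case would write 80 bytes into the 64-byte buffer; on a kernel built with the stack protector this is the crash the advisory describes, and without it the overrun is what an exploit builds on.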

There are millions of Internet of Things (IoT) devices running the Linux kernel on ARM and MIPS SoCs, many with an active Bluetooth stack. It is difficult to determine if, how, or when their vendors will patch them.

For systems that are vulnerable or potentially at risk, switching off the Bluetooth stack is recommended. Bluetooth range is anywhere between 10 and 100 meters depending on the device's power class and the environment, so users can take this into account when using Bluetooth-enabled devices. Note, however, that an attacker can significantly extend that range with a high-gain antenna.

*Mac OS may be affected by the same vulnerability, as it shares Darwin kernel code with iOS. Although this is still officially unconfirmed, some older versions (before Sierra) may be vulnerable.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 15 September 2017; the full text is available from the content source above.