Last week, Armis Labs identified a new attack vector, dubbed “BlueBorne”, that targets any device with Bluetooth capability. This includes mobile, desktop, and IoT — accounting for roughly 8.2 billion devices across Android, iOS, Windows, and Linux operating systems. The discovery exposes major vulnerabilities in Bluetooth technology.
BlueBorne looks like a nightmare for anyone deploying Bluetooth in IoT. Here’s the description from the firm that uncovered the exploit:
“BlueBorne is an attack vector by which hackers can leverage Bluetooth connections to penetrate and take complete control over targeted devices. BlueBorne affects ordinary computers, mobile phones, and the expanding realm of IoT devices. The attack does not require the targeted device to be paired to the attacker’s device, or even to be set on discoverable mode. Armis Labs has identified eight zero-day vulnerabilities so far, which indicate the existence and potential of the attack vector.
But then there’s this:
Armis believes many more vulnerabilities await discovery in the various platforms using Bluetooth. These vulnerabilities are fully operational, and can be successfully exploited, as demonstrated in our research. The BlueBorne attack vector can be used to conduct a large range of offenses, including remote code execution as well as Man-in-The-Middle attacks.”
For the full shock value of this exploit, here’s a short video from the firm that made the discovery, explaining the risk:
Concerns for Bluetooth Deployment in IoT
1. Bluetooth radios are notoriously easy to discover, and a large part of BlueBorne appears to be based on this fact:
The BlueBorne attack vector has several stages. First, the attacker locates active Bluetooth connections around him or her. Devices can be identified even if they are not set to “discoverable” mode. Next, the attacker obtains the device’s MAC address, which is a unique identifier of that specific device. By probing the device, the attacker can determine which operating system his victim is using, and adjust his exploit accordingly. The attacker will then exploit a vulnerability in the implementation of the Bluetooth protocol in the relevant platform.
2. Many Bluetooth devices are — and you are not going to believe this — not patchable.
However, Parker said that up to 40 percent of the 5.3 billion impacted devices probably would not be patchable — mainly because they are IoT devices, like smart refrigerators, that cannot be easily updated. Right now, Armis said that users could disable Bluetooth to protect their connected devices while waiting for the patch.
3. BlueBorne is targeting gateways
If there is any good news for Bluetooth developers, it is that small, embedded devices do not appear — for now — to be a primary target for BlueBorne. The targets are rather the higher-powered gateways running Linux, Android, Windows, or iOS, which in turn connect to the low-power devices.
The vulnerabilities disclosed by Armis affect all devices running on Android, Linux, Windows, and pre-version 10 of iOS operating systems, regardless of the Bluetooth version in use. This means almost every computer, mobile device, smart TV or other IoT device running on one of these operating systems is endangered by at least one of the eight vulnerabilities.
4. Bluetooth is never in stealth mode
I’ve written about IoT device discovery before and the principles still apply: low power IoT endpoints should operate in a “stealthy” mode unless there is a reason to make noise. It saves power, reduces network congestion, and makes discovering your IoT device much, much harder.
I didn’t say “impossible to discover”, but like prey in the jungle wanting to avoid alerting a predator, part of minimizing your chances of being discovered is simply keeping quiet. Older protocols, including Bluetooth, take the opposite tack: they never stop talking and are always discoverable, even when you tell your Bluetooth radio to go into non-discoverable mode.
Bluetooth is not alone in this ease of discovery. WiFi and IEEE 802.15.4xx are just two examples of stacks (or semi-stacks) that weren’t conceived with the modern IoT in mind. Even more recent attempts like LoRaWAN were architected without thinking this through.
In the world of IoT wireless protocol development, device discovery seems to (usually) be the job given to the guys who weren’t smart enough to work on documentation. But if we are just seeing the beginning of hacks like BlueBorne — as the researchers who disclosed the vulnerability suggest — the solution to limiting IoT device discovery is a billion-dollar opportunity.