Story image

Experts comment: Behind the Bluetooth 'BlueBorne' zero-days

14 Sep 2017

As news spreads of the Bluetooth zero-day that affects more than 5 billion devices, security experts are warning users to use Bluetooth with caution.

Originally discovered by security firm Armis, the BlueBorne vulnerabilities spread via over-the-air (OTA) attacks via Bluetooth. Attackers can penetrate all Bluetooth-enabled devices, corporate data, airgapped networks and spread malware laterally. They can also conduct man-in-the-middle attacks.

The firm has discovered eight zero-day vulnerabilities, of which four are listed as critical. While there is no mention if they have been used in the wild, the vulnerabilities are fully operational. They affect Android, iOS, Windows and Linux devices.

According to Trend Micro, the vulnerabilities are:

  • CVE-2017-1000251: a remote code execution (RCE) vulnerability in Linux kernel
  • CVE-2017-1000250: an information leak flaw in Linux’s Bluetooth stack (BlueZ)
  • CVE-2017-0785: an information disclosure flaw in Android
  • CVE-2017-0781: an RCE vulnerability in Android
  • CVE-2017-0782: an RCE flaw in Android
  • CVE-2017-0783: an MitM attack vulnerability in Android’s Bluetooth Pineapple
  • CVE-2017-8628: a similar MitM flaw in Windows’ Bluetooth implementation
  • CVE-2017-14315: an RCE vulnerability via Apple’s Low Energy Audio Protocol

According to Armis’ blog, attackers using the BlueBorne vulnerability can strike without any user interaction. The vulnerabilities work with all versions and only needs Bluetooth to be active.

“Unlike the common misconception, Bluetooth enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with. This means a Bluetooth connection can be established without pairing the devices at all. This makes BlueBorne one of the most broad potential attacks found in recent years, and allows an attacker to strike completely undetected,” the blog says.

The company has reached out to Google, Microsoft, Apple, Samsung and Linux about the vulnerabilities. Armis says new solutions are needed to address the new airborne attack vector.

We’ve received comments from Venafi and Webroot about the BlueBorne vulnerabilities:

Venafi’s chief security strategist Kevin Bocek

“BlueBourne is a disturbing new attack on almost every computer, smartphone, and tablet. While the vulnerability itself is concerning, the real threat is most alarming: running applications and connecting to websites to execute more attacks, an issue that can only be addressed if every application, every website has a unique machine identity.”

“Without this – the attacks as demonstrated with BlueBourne – it’s all too easy for hackers to run malicious applications or redirect people to a fake website. BlueBourne shows why it’s so urgent for businesses to ensure that every web, desktop and mobile application has a unique machine identity so that they can maintain constant visibility and control.”

Webroot’s senior director of security architecture David Dufour

“BlueBorne is another example of how simple it is for hackers to quickly scan for, and then exploit, open Bluetooth devices. The learning curve to scan for Bluetooth devices isn’t that much greater than scanning for WIFI access points. To protect devices, users should turn off Bluetooth immediately after they are finished using it. Additionally, users should never connect to Bluetooth with a device that is running an old version of the software.

“For a while, Bluetooth vulnerabilities had died down as the industry responded and fixed known exploits, but this incident may be the tip of the iceberg once again. Just as we’ve seen a resurgence in worms, hackers often come back to repurpose the same exploits. Unfortunately in these cases, many connected devices don’t allow for patch management and become easy targets.”

CERT NZ:

  • In order to protect yourself from this vulnerability, these are the steps that CERT NZ recommends you take immediately to protect your devices.
  • Ensure you've patched all devices. CERT NZ recommends that you apply all security updates to all systems and software.
  • Disable Bluetooth on the device if it isn’t required.
  • If it isn’t possible to disable Bluetooth, check with the vendor or product manufacturer if an update is required and when it will be implemented.
  • Be careful when enabling Bluetooth in public as it has a range of around 10 metres, which could put the device at risk as Bluetooth attacks can be implemented remotely.
TYAN unveils new inference-optimised GPU platforms with NVIDIA T4 accelerators
“TYAN servers with NVIDIA T4 GPUs are designed to excel at all accelerated workloads, including machine learning, deep learning, and virtual desktops.”
AMD delivers data center grunt for Google's new game streaming platform
'By combining our gaming DNA and data center technology leadership with a long-standing commitment to open platforms, AMD provides unique technologies and expertise to enable world-class cloud gaming experiences."
Inspur announces AI edge computing server with NVIDIA GPUs
“The dynamic nature and rapid expansion of AI workloads require an adaptive and optimised set of hardware, software and services for developers to utilise as they build their own solutions."
Norwegian aluminium manufacturer hit hard by LockerGoga ransomware attack
“IT systems in most business areas are impacted and Hydro is switching to manual operations as far as possible.”
ADLINK and Charles announce multi-access pole-mounted edge AI solution
The new solution is a compact low profile pole or wall mountable unit based on an integration of ADLINK’s latest AI Edge Server MECS-7210 and Charles’ SC102 Micro Edge Enclosure. 
How Dell EMC and NVIDIA aim to simplify the AI data centre
Businesses are realising they need AI at scale, and so enterprise IT teams are increasingly inserting themselves into their company’s AI agenda. 
Orange Belgium opens 1,000 sqm Antwerp data centre
It consists of more than 500 high-density 52 unit racks, installed on the equivalent of 12 tennis courts.
Time to build tech on the automobile, not the horse and cart
Nutanix’s Jeff Smith believes one of the core problems of businesses struggling to digitally ‘transform’ lies in the infrastructure they use, the data centre.