by Vít Šembera (Cyber Threat Researcher)
BlueBorne is a set of vulnerabilities affecting the implementation of Bluetooth in iOS, Android, Linux, Windows and Mac OS* devices. According to the researchers who uncovered them, BlueBorne affects around 5.3 billion Bluetooth-enabled devices. The immediate mitigation for BlueBorne is to patch the device, if there’s any available, or to switch off the device’s Bluetooth connection if not needed.
Note that while there are proof-of-concept demonstrations of BlueBorne as an attack vector, there are no indications that it is being actively exploited in the wild; we are proactively monitoring for such activity. Additionally, certain conditions have to be met to exploit BlueBorne.
What is BlueBorne?
BlueBorne is a combination of vulnerabilities rooted in vague and outdated definitions in the Bluetooth specification, including authorization and authentication issues. Missing or incorrect validation of protocol parameters in Bluetooth stack code can result in stack or heap overflows in kernel address space. Combined with an outdated implementation, these can lead to remote code execution (RCE).
Current implementations, for instance, allow low-level connections to be established without the user's interaction or knowledge. iOS fares better against BlueBorne, as Apple implemented its own Bluetooth stack with its own authentication and authorization methods during the initial connection; it requires direct user interaction in all cases.
On Android, there is a red flag, though one unlikely to be noticed by an ordinary user: suspicious activity from the Bluetooth process (com.android.bluetooth). That process is forked from Zygote (the daemon used for launching apps), already holds the bluetooth permissions, and is automatically restarted when it crashes. For example, during a Wi-Fi Pineapple-style man-in-the-middle attack carried out over Bluetooth, signs of a possible BlueBorne exploit can be observed as sudden network configuration changes, such as a new default route or web proxy definition. Other kinds of attacks, such as RCE, are far harder to detect.
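As an added illustration (not part of the original analysis), the following C code turns the network-configuration indicator above into a concrete check: it compares two snapshots of "ip route" output, taken before and after a suspected attack, and raises an alert when the preferred default route has moved onto a Bluetooth PAN interface. The snapshots are constructed for the example, and the assumption that the Bluetooth PAN interface is named with the bnep prefix (as the Linux/Android BNEP driver does) is the example's, not the article's.

```c
#include <stdio.h>
#include <string.h>

/* Constructed "ip route" snapshots (not captured from a real device). */
const char *ROUTES_BEFORE =
    "default via 192.168.1.1 dev wlan0  proto dhcp  metric 600\n"
    "192.168.1.0/24 dev wlan0  proto kernel  scope link  src 192.168.1.23\n";

/* After the attack: a lower-metric default route over bnep0 now wins. */
const char *ROUTES_AFTER =
    "default via 169.254.0.1 dev bnep0  metric 10\n"
    "default via 192.168.1.1 dev wlan0  proto dhcp  metric 600\n"
    "169.254.0.0/16 dev bnep0  proto kernel  scope link  src 169.254.0.5\n"
    "192.168.1.0/24 dev wlan0  proto kernel  scope link  src 192.168.1.23\n";

/* Extract gateway and device of the first default route listed (ip route
 * prints default routes lowest metric first). Returns 1 if one was found. */
static int first_default_route(const char *routes,
                               char *gw, size_t gwlen,
                               char *dev, size_t devlen)
{
    const char *p = routes;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t n = eol ? (size_t)(eol - p) : strlen(p);
        if (n > 12 && strncmp(p, "default via ", 12) == 0) {
            char line[256];
            if (n >= sizeof line) n = sizeof line - 1;
            memcpy(line, p, n);
            line[n] = '\0';
            /* tokens: default via <gw> dev <dev> ... */
            char *tok = strtok(line, " ");   /* "default" */
            tok = strtok(NULL, " ");         /* "via"     */
            tok = strtok(NULL, " ");         /* gateway  */
            if (!tok) return 0;
            snprintf(gw, gwlen, "%s", tok);
            tok = strtok(NULL, " ");         /* "dev"    */
            tok = strtok(NULL, " ");         /* device   */
            if (!tok) return 0;
            snprintf(dev, devlen, "%s", tok);
            return 1;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return 0;
}

/* 0 = default route unchanged, 1 = changed, 2 = changed and now routed
 * over a Bluetooth PAN (bnep*) interface, the BlueBorne MITM signature. */
int default_route_alert(const char *before, const char *after)
{
    char gw0[64], dev0[32], gw1[64], dev1[32];
    int b = first_default_route(before, gw0, sizeof gw0, dev0, sizeof dev0);
    int a = first_default_route(after,  gw1, sizeof gw1, dev1, sizeof dev1);
    if (!a) return b ? 1 : 0;
    if (b && strcmp(gw0, gw1) == 0 && strcmp(dev0, dev1) == 0) return 0;
    return strncmp(dev1, "bnep", 4) == 0 ? 2 : 1;
}

int main(void)
{
    printf("alert level: %d\n", default_route_alert(ROUTES_BEFORE, ROUTES_AFTER));
    return 0;
}
```

The same snapshot-and-diff approach applies to the device's global HTTP proxy setting (on Android, the value reported by "settings get global http_proxy"): a proxy that appears without the user having configured one, especially pointing at the link-local address of the new gateway, is the other sign the paragraph describes.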
How Does BlueBorne Affect iOS and Android Devices?
On iOS, BlueBorne affects only the Low Energy Audio Protocol (LEAP), which serves low-energy audio devices like AirPods or Beats headphones. The vulnerability doesn't affect the Personal Area Network (PAN) profile used for data transmission between devices, which rules out the BlueBorne man-in-the-middle attack on iOS devices. Additionally, Bluetooth communication on iOS is handled by BlueTool, the process that acts as the bridge between the Bluetooth stack and the hardware. For an attack to succeed, it needs to gain code execution inside BlueTool, and to do so it must chain another vulnerability to bypass Address Space Layout Randomization (ASLR), the mitigation that makes memory corruption bugs such as buffer overflows much harder to exploit reliably. And even if an attack somehow gains BlueTool's privileges, they are restricted (i.e., those of the unprivileged mobile user only).
It's a different matter for Android. The BlueBorne vulnerabilities affect the Bluetooth stack that directly processes raw Bluetooth requests, so the flaws can be triggered remotely. On Android, the Bluetooth stack runs in user space on top of the Bluetooth Hardware Abstraction Layer (HAL), which provides a standard interface for hooking Android stacks to hardware. It runs as a separate process confined to the bluetooth SELinux domain, as this ps output shows:
u:r:bluetooth:s0 bluetooth 1419 335 1165648 36788 SyS_epoll_ b618a444 S com.android.bluetooth
Android's Bluetooth stack supports the Human Interface Device (HID) profile used by mice and keyboards, so remotely hijacking the device, i.e., injecting input and retrieving local data over Bluetooth, is indeed possible. There is a silver lining: if the device is locked with a code, an attacker who compromises the Bluetooth process still cannot derive the key that protects the user's encrypted data, since that key depends on the lock credential. Moreover, running the Bluetooth process confined to the SELinux domain shown above prevents an attacker who compromises it from arbitrarily modifying the system or device.
BlueBorne Prevention and Mitigation
iOS users, particularly those with an iPhone 5 or newer model, are protected by installing the latest iOS (version 10 or 11). Google has also released patches for the vulnerabilities affecting Android devices in its September Security Bulletin. Note, however, that patching on Android is fragmented: while Pixel and Nexus devices receive a steadier and more consistent rollout of updates, others don't, and users must contact their device's original equipment manufacturer about availability. Also, while this should already be intuitive for most mobile users, it's worth mentioning that keeping the screen lock enabled, especially on Android devices, blunts attacks that exploit the platform's Bluetooth stack.
Desktop users should also patch their OS; Microsoft released its fix as part of September's Patch Tuesday. Additionally, code execution over Bluetooth cannot be carried out directly on Windows using the BlueBorne flaw; it would need an additional attack chain.
Updates are also underway for the vulnerabilities affecting Linux devices. For CVE-2017-1000250, an information leak in the Service Discovery Protocol (SDP) server of the BlueZ user-space stack, a fix has been committed since September 13 and is propagating to the distributions' BlueZ packages. Debian sid, as well as RHEL 6 and 7, are already fixed.
A patch for CVE-2017-1000251, a stack buffer overflow in the Linux kernel's Logical Link Control and Adaptation Layer Protocol (L2CAP) implementation, has been committed since September 9. RHEL 5, 6, and 7 are already patched. On systems with the kernel's stack protection feature enabled (CONFIG_CC_STACKPROTECTOR or CONFIG_CC_STACKPROTECTOR_STRONG, depending on kernel version and platform), an unauthenticated attacker within Bluetooth range who initiates a connection to the system can use this flaw to crash it, since a failed stack canary check panics the kernel. Given the nature of the stack protector, code execution cannot be fully ruled out.
There are millions of Internet of Things (IoT) devices running the Linux kernel on ARM and MIPS SoCs, many with an active Bluetooth stack. It is difficult to determine if, how, or when their vendors will patch them.
For systems vulnerable or potentially at risk to BlueBorne, switching off Bluetooth is recommended. Bluetooth range is anywhere between 10 and 100 meters depending on the device's power class and the environment, so users can take this into account when using Bluetooth-enabled devices. Note, however, that attackers can significantly extend that range with a high-gain antenna.
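To make the bug class behind CVE-2017-1000251 concrete, here is an added C example; it is not kernel code and not from the original article, but a model of the pattern: options from a peer-controlled L2CAP configuration response are echoed, one at a time, into a fixed-size request buffer on the stack, and the writer that appends each option is never told how much room is left. The 64-byte buffer, the option layout and the sample response are assumptions of the model, and the stack frame is simulated as a struct so that the overflow is observable without crashing the program. The hardened path mirrors the shape of the fix, passing the buffer's capacity into the option writer so an oversize response is rejected instead of written.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define REQ_BUF_SIZE 64   /* assumed: size of the on-stack request buffer */
#define GUARD_SIZE   64   /* models whatever follows the buffer on the stack */
#define OPT_HDR_SIZE 2    /* option header: type (1 byte) + length (1 byte) */

/* Simulated stack frame: the request buffer followed by other locals
 * and saved state, which a real overflow would clobber. */
struct frame {
    uint8_t req[REQ_BUF_SIZE];
    uint8_t guard[GUARD_SIZE];
};

/* Append one type/length/value option at *pos.
 * cap == 0 selects the vulnerable behaviour: no room check at all.
 * Otherwise the option is rejected (-1) when it would exceed cap bytes. */
static int add_conf_opt(uint8_t *buf, size_t cap, size_t *pos,
                        uint8_t type, const uint8_t *val, uint8_t len)
{
    if (cap != 0 && *pos + OPT_HDR_SIZE + len > cap)
        return -1;
    buf[*pos]     = type;
    buf[*pos + 1] = len;
    memcpy(buf + *pos + OPT_HDR_SIZE, val, len);
    *pos += OPT_HDR_SIZE + len;
    return 0;
}

/* Walk a peer-supplied configuration response and echo every option into
 * the request buffer. The input side is bounds-checked in both variants;
 * only the output side differs. Returns bytes written, or -1 if rejected. */
static long parse_conf_rsp(const uint8_t *rsp, size_t rsp_len,
                           uint8_t *req, size_t req_cap)
{
    size_t in = 0, out = 0;
    while (in + OPT_HDR_SIZE <= rsp_len) {
        uint8_t type = rsp[in], len = rsp[in + 1];
        if (in + OPT_HDR_SIZE + len > rsp_len)
            break;                              /* truncated option: stop */
        if (add_conf_opt(req, req_cap, &out, type,
                         rsp + in + OPT_HDR_SIZE, len) < 0)
            return -1;
        in += OPT_HDR_SIZE + len;
    }
    return (long)out;
}

/* Constructed response: n options of vlen value bytes each,
 * so the echoed data totals n * (2 + vlen) bytes. */
static size_t build_rsp(uint8_t *buf, size_t n, uint8_t vlen)
{
    size_t p = 0;
    for (size_t i = 0; i < n; i++) {
        buf[p++] = 0x01;                 /* option type (MTU); any type works */
        buf[p++] = vlen;
        memset(buf + p, 0x41, vlen);
        p += vlen;
    }
    return p;
}

/* Run one scenario; reports the parser result and how many guard bytes
 * (the bytes after the buffer) were overwritten. */
static long run(size_t n_opts, size_t req_cap, int *guard_clobbered)
{
    struct frame fr;
    uint8_t rsp[512];
    size_t rsp_len = build_rsp(rsp, n_opts, 6);
    memset(fr.req, 0, sizeof fr.req);
    memset(fr.guard, 0xAA, sizeof fr.guard);
    /* Write through the frame's base address so the overflow stays inside
     * one C object and the demonstration itself is well-defined. */
    long r = parse_conf_rsp(rsp, rsp_len, (uint8_t *)&fr, req_cap);
    *guard_clobbered = 0;
    for (size_t i = 0; i < sizeof fr.guard; i++)
        if (fr.guard[i] != 0xAA) (*guard_clobbered)++;
    return r;
}

/* Vulnerable: 12 options * 8 bytes = 96 bytes into a 64-byte buffer. */
int vulnerable_guard_bytes_clobbered(void)
{
    int clobbered;
    run(12, 0, &clobbered);
    return clobbered;                    /* 32 */
}

/* Hardened: same input, writer knows the capacity; rejected at option 9. */
long hardened_result(void)
{
    int clobbered;
    long r = run(12, REQ_BUF_SIZE, &clobbered);
    return clobbered ? -99 : r;          /* -1 */
}

/* Benign: 4 options * 8 bytes = 32 bytes fit and are copied verbatim. */
long benign_result(void)
{
    int clobbered;
    long r = run(4, REQ_BUF_SIZE, &clobbered);
    return clobbered ? -99 : r;          /* 32 */
}

int main(void)
{
    printf("vulnerable: %d bytes past the buffer overwritten\n",
           vulnerable_guard_bytes_clobbered());
    printf("hardened:   %ld (-1 = oversize response rejected)\n", hardened_result());
    printf("benign:     %ld bytes copied\n", benign_result());
    return 0;
}
```

On a real kernel the 32 bytes written past the buffer in the vulnerable case land on neighbouring locals and the saved return address; with the stack protector enabled the canary between them is destroyed first, which is why the outcome on patched-but-unhardened systems is a crash rather than a clean failure, and why the hardened variant must refuse the data before copying any of it.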
*Mac OS can be affected by the same vulnerability, as it shares Darwin kernel code with iOS. Although this is still officially unconfirmed, some older versions (before Sierra) may be vulnerable.
With additional analysis by Veo Zhang, Ju Zhu, and Jason Gu
Updated as of September 19, 2017, 12:01 AM PDT to include a section on how BlueBorne affects iOS and Android devices.