We got to see something cool and terrible (yes, it's possible to be both at the same time) earlier this week when Armis Security published the details of a new Bluetooth exploit. Called "Blueborne," the exploit allows a person with the right tools and who is within Bluetooth range of your smart thing — laptop, phone, car, or anything else that runs Android (as well as most every other operating systems, including iOS and Windows) — to gain control over the device without any action from the user.
That's because the exploit cleverly attacks portions of the software needed to establish a connection to hijack the Bluetooth stack itself, which is pretty much done in a universal way because of how complicated Bluetooth is and how the stack itself handles so many things the OS could be doing instead.
Interested yet? If not, you should be.
Before we go any further, here is the good(ish) news: Apple, Google, and Microsoft have all patched the exploit. On the Android side, we saw the fix in this month's security patch released the same day the vulnerability was made public. This surely isn't a coincidence and kudos to Armis for working with the companies who write the software we all use every day to get this fixed. Of course, almost every Android-powered device doesn't yet have this patch and won't for a while.
I'll resist the temptation to make this all about Android's update woes and the million-and-one different reasons that it happens. I'll just say that if you value being protected against most vulnerabilities like this you currently have three options: an Android-powered device from BlackBerry, an Android-powered device direct from Google, or an iPhone. You decide what to do here.
Instead let's talk about what Blueborne is and how it does it, as well as what you can do about it.
What is Blueborne?
It's a series of simple attacks on various parts of the Bluetooth stack running on almost every smart device in the world. Including 2 billion Android phones. It's not a MiTM (Man in The Middle) attack, where someone intercepts Bluetooth traffic between you and a thing you're connected to. Instead, it's posed as a device that wants to discover and connect over Bluetooth but the exploit happens before the connection attempt gets to a stage where a user needs to act.
For people into this sort of thing, the short version of how the exploit works on Android is that the attacker sends out a discovery query, then manipulates both the timestamp and size of a second discovery query for a separate service to the same machine. This causes a buffer underflow and bypasses the standard Bluetooth Security Management Protocols to hit the failsafe "just works" connection. While it sounds crazy that this works, it's better than the default BlueZ stack version of the exploit which is a straight-up buffer overflow that bypasses every connection check. I'm not familiar enough with Windows or iOS to parse the exploit code for those operating systems, but if you are hit the link in the opening paragraph and check it out. Then hit the comments and help us all understand better.
If you're not into looking through code (it's a special sort of illness, I do admit) the short short version is that a person with a computer that has a Bluetooth connection can type a few lines in a terminal and connect to your phone. How easy it is for him or her to connect is ridiculous (we'll talk about why that is later) and anyone with even just a passing knowledge of this sort of thing can do it. That's why it was important that Armis hold the release until Apple, Google, and Microsoft were able to act.
The scary part is what happens after the connection is made. There is no secret magic app that roots your phone and hacks all your data. It's too easy to prevent any process from getting that level of control, and permissions prevent it from happening unless a process does have that level of access. Instead, an attacker can act as the logged in user. That's you.
With 8 billion devices that need to connect, Bluetooth is a big target for people who want to steal data.
In the example video above we see the attacker establishing a Bluetooth mouse connection to a sleeping Pixel, then doing the same things you could do if you were holding it in your hands. Apps can be started, pictures, video, and audio can be recorded, and your files can be downloaded directly to the attacker's computer. there is nothing on your phone to say "Stop, this is not cool" because it is cool — it's acting as you. And none of your data is safe. If the attacker is unable to access a sandboxed directory, he or she can simply open the associated app and pull images of what's on the screen while it is running.
The frustrating part of all this is why it works. I'm not talking about how the stack is exploited and someone crashes their way in, I mean why in the broader sense. Why something this preventable was able to slip past the experts who oversee security and are really good at writing this sort of thing out of the operating system. And the answer is that it happened because Bluetooth is a giant, complicated mess.
It's not the Bluetooth SIG's (Special Interest Group) fault, even if it is their responsibility to ultimately address this. Bluetooth started out in 1998 as a simple short-range wireless connection. It's now on more than 8 billion devices worldwide and has grown and grown in features and complexity. And it has to be backward compatible, so portions of it have to be left as-is when it comes to things like advanced connection security standards. If an encrypted paired-key connection can't be established, it has to be able to try something less secure and keep trying until it connects, runs out of ways to try, or the security management features tell it to stop. Exploit the SMP layer and you're in. And as new features get added to newer versions, it only gets worse.
There are exploits in proprietary software, too. We just don't know about them until it's too late.
The people writing an operating system and the security team whose job it is to break it will all take their share of the responsibility here, too. The problem here is that they're dealing with impossibly complex code in the Bluetooth stack and while they are busy trying to patch it against one thing other things could also be exploited. Google did change a good bit of the "default" Bluetooth implementation for Linux, as did Apple and Microsoft. The things you use are well-protected against things like a man in the middle attack or a way to get admin permission over Bluetooth. That's because those have traditionally been the way Bluetooth was exploited, and there is always plenty of work to do prevent it from happening.
Finally, this is a great example of why open-source code is great. The researchers at Armis were able to find this exploit, see exactly how it works and determine exactly how to patch it because they have access to the code itself. While Apple and Microsoft don't use a fully open source Bluetooth stack, they knew exactly where to look to patch their version. If every company involved used closed proprietary code this exploit would still exist, but we wouldn't know about it until it was too late and other folks knew about it, too.
What should you do about it?
Every person reading this probably has one or more Bluetooth devices. Your watch, your phone, your laptop, your TV, and the list could go on and on; Bluetooth is everywhere and on almost everything. That means you're likely to have Bluetooth enabled on your phone, and that's all it takes to be vulnerable to this if your phone is still unpatched.
The saving grace here is that Bluetooth is a short-range connection standard. Bluetooth 5 is working on extending the range, but you're pretty much confined to about 30 feet before the signal gets bad. That means you're really only at risk when you're within 30 feet of the person trying to get into your phone.
Bluetooth's short range means an attacker has to be near you to use the Blueborne exploit.
And the way this exploit works is scary, but it also means you're probably going to notice it. If your phone is sleeping and locked, an attacker can still connect. But as soon as they attempt to access your stuff or get tricky and try to take control, the screen would light up and they would need to unlock the phone. For now, at least. Don't think for a minute that people aren't working on a way around this because they are. And they will find it.
I'm not going to suggest you stop using your smartwatch or your favorite Bluetooth headset and shut down Bluetooth permanently. But there are a few things we can do to make it harder for someone to get in through Bluetooth while we're waiting for a patch. And again — if your phone has the September 2017 security patch, you're protected.
- Shut Bluetooth off when you're not using it. You're probably safe at home or at work, but if you get into the habit of turning Bluetooth off when you don't need it you won't forget the next time you go to Starbucks. There is no way for an attacker to turn Bluetooth on. At least not yet.
- Make sure you have a secure lock screen. Dead stop. If you don't already have a password, PIN, pattern, fingerprints or anything else set up so your phone is locked until you unlock it yourself, go do it now.
- Turn off trusted devices while you're at it. Tapping in a 4-digit PIN or scanning your eyeballs is way more convenient than getting new credit cards and talking to your bank, even once. Trust me, I've been there. (Thanks, Target. Idiots, I swear.)
- Don't leave your phone unattended. Put it in your pocket or purse and take it with you even if you're only stepping away for a minute or two.
- If you see the screen turn on, look and see why. This is the biggest "flaw" in the exploit; it will turn your screen on if someone tries to do anything after they are connected.
- Ask the company you gave money to when you bought your phone when you should expect an update to fix this. Asking nicely lets it know that you care about it, and when enough people show they care a company will decide to care. The patch is available to every phone running Android 4.4 and higher.
There probably isn't an army of people armed with laptops and Mountain Dew patrolling the streets, ready to hack "all the phones" through Bluetooth. But there could be that one guy, and he could be at McDonald's or the library or anywhere else. In cases like this, it's always better to be safe because the things we can do are pretty easy.
Your stuff is worth it.
