Security Week 45: Something About Bluetooth Vulnerabilities

    The time has come to correct a three-week error in the numbering of the digests that crept in at the very beginning of this year. Today's release therefore takes a small leap, and it is devoted to vulnerabilities in the Bluetooth wireless interface. Three significant studies on this topic have appeared over the past year, yet even the most extensive of them, the BlueBorne series, has not caused anything like the resonance of, say, Heartbleed.

    Taken together, these studies are of particular interest because they describe an unexpected attack vector that in some cases allows an attacker to bypass the perimeter of an enterprise network or the security controls of a client device entirely. It is enough to get within a relatively short distance of the target, or to have a good antenna. The most interesting case in this context is the most recent one: a vulnerability in Bluetooth-equipped wireless access points.

    A vulnerability in Texas Instruments' Bluetooth Low Energy modules was found by Armis (news, research). Following the established tradition, it was given a name, Bleedingbit, and a logo.


    These chips are used to extend the functionality of Wi-Fi access points from manufacturers such as Cisco, Meraki and Aruba. As a rule, the Bluetooth Low Energy module serves to identify user devices: for example, to optimize the wireless network, for advertising and marketing purposes, or to track the movement of equipment. Two vulnerabilities were discovered in total. The first (CVE-2018-16986, affecting a number of Cisco and Meraki devices) is a buffer overflow triggered by a specially crafted packet sent over Bluetooth, which then allows the attacker to take control of the device.

    The second vulnerability (CVE-2018-7080) affects only Aruba devices (for example, the 203R access point). Here the Bluetooth chip's over-the-air firmware update mechanism, which is supposed to be disabled in production, can be reached remotely. In practice it is not always disabled, because access to the chip through this diagnostic interface is not always blocked. On Aruba access points a firmware update does require a password, but that password turned out to be the same for every device in the series.

    Let's return to the first vulnerability. The attack based on it uses Bluetooth advertising packets. This functionality can be used for advertising or informational purposes, and it involves exchanging data without any pairing or authentication between the devices. Data can be broadcast by a fixed access point, or it can be collected from clients. It is this collection process that the attack exploits. The legitimate use is, for example, to identify customers in a store who have a certain application installed on their smartphone. In general this is such an unobvious piece of functionality that, as has now become clear, it may have applications that are unexpected both for clients and for the companies that own the infrastructure. An article on the ArsTechnica website notes that there is still more to dig into around this vulnerability, although the original problem has already been fixed by the manufacturer of the Bluetooth chip.
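    As an added illustration of what an access point's BLE module actually receives from any nearby radio, here is a small parser for the AD structures carried in a BLE advertising payload. This is example code written for this digest; it is not the Texas Instruments BLE stack and it does not reproduce the Bleedingbit bug. What it shows is the check a parser of such packets must make: the length byte in each structure is attacker-controlled and must be compared against the bytes that actually remain in the buffer, otherwise the parser reads or copies past the packet, which is the generic way an advertising-data parser turns into a memory-corruption bug. Both sample payloads are constructed for the example, not captured from any device.

```python
from typing import List, Tuple

# Common AD type codes from the Bluetooth Core Specification Supplement.
AD_TYPES = {
    0x01: "Flags",
    0x02: "Incomplete 16-bit UUIDs",
    0x03: "Complete 16-bit UUIDs",
    0x08: "Shortened Local Name",
    0x09: "Complete Local Name",
    0x0A: "TX Power Level",
    0x16: "Service Data (16-bit UUID)",
    0xFF: "Manufacturer Specific Data",
}

MAX_ADV_DATA = 31  # legacy advertising payload limit, in bytes


class MalformedAdvData(ValueError):
    """Raised when an AD structure claims more bytes than the packet carries."""


def parse_adv_data(adv_data: bytes) -> List[Tuple[int, bytes]]:
    """Split AdvData into (ad_type, value) pairs.

    Each AD structure is [length][type][value...], where length counts the
    type byte plus the value.  A length of 0 marks the non-significant
    (zero padded) tail and ends parsing.  The comparison against the
    remaining buffer is the check a naive parser omits when it trusts the
    length byte.
    """
    if len(adv_data) > MAX_ADV_DATA:
        raise MalformedAdvData(
            f"AdvData is {len(adv_data)} bytes, max {MAX_ADV_DATA}"
        )
    out = []
    i = 0
    while i < len(adv_data):
        length = adv_data[i]
        if length == 0:
            break
        # The structure occupies bytes i+1 .. i+length inclusive.
        if i + 1 + length > len(adv_data):
            raise MalformedAdvData(
                f"AD structure at offset {i} claims {length} bytes, "
                f"only {len(adv_data) - i - 1} remain"
            )
        ad_type = adv_data[i + 1]
        value = adv_data[i + 2 : i + 1 + length]
        out.append((ad_type, value))
        i += 1 + length
    return out


def describe(adv_data: bytes) -> List[str]:
    """Human-readable rendering, e.g. for a scanner's log output."""
    lines = []
    for ad_type, value in parse_adv_data(adv_data):
        name = AD_TYPES.get(ad_type, f"Unknown (0x{ad_type:02X})")
        if ad_type in (0x08, 0x09):
            shown = value.decode("utf-8", errors="replace")
        else:
            shown = value.hex()
        lines.append(f"{name}: {shown}")
    return lines


# Constructed sample payload (not captured from a real device):
# Flags 0x06 (LE General Discoverable, BR/EDR not supported),
# complete local name "AP-1", and manufacturer-specific data with
# company ID 0x0059 (little-endian) followed by two payload bytes.
GOOD_ADV = bytes.fromhex("020106" "0509" + b"AP-1".hex() + "05ff59000102")

# Same packet, but the manufacturer-specific structure's length byte has been
# bumped to 0x1F, so it claims far more bytes than the packet carries.
BAD_ADV = bytes.fromhex("020106" "0509" + b"AP-1".hex() + "1fff59000102")


if __name__ == "__main__":
    for line in describe(GOOD_ADV):
        print(line)
    try:
        parse_adv_data(BAD_ADV)
    except MalformedAdvData as exc:
        print("rejected:", exc)
```

    Run stand-alone, the script prints the three structures of the well-formed packet and then the rejection of the oversized one. In a C implementation the equivalent omission would be a memcpy of `length` bytes into a fixed buffer without this comparison.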

    And what else has happened on the subject of Bluetooth vulnerabilities? The most serious problem was discovered in September of last year by the same company, Armis Labs. The BlueBorne vulnerability series (study in PDF) was found in the Bluetooth stack implementations of essentially every platform, which means the vast majority of Bluetooth devices, if not all of them, were affected: Windows, Android, iOS, Linux (and Tizen, if anyone is interested).


    On Linux it was necessary to update both the BlueZ stack and the kernel itself (kernel versions 2.6.32 through 4.14 were affected). The attack, as usual, has to be aimed at a specific device, but it works even if the module is not discoverable. On Android, as shown in the video, one can take control of the device or use one of the vulnerabilities for a Man-in-the-Middle attack. Almost all of the vulnerabilities lead to a partial leak of the device's memory. As of September of this year, according to Armis Labs, more than two billion devices (out of the initial five, or eight, billion) remained vulnerable.

    Finally, in July of this year, researchers from Israel found (news, more) a vulnerability in the pairing key-agreement protocol. This is a classic academic result: the problem lay in the validation of the elliptic-curve public keys exchanged to derive the encryption key for the transmitted data. More precisely, in the absence of that validation, which in theory allows a Man-in-the-Middle attack. The attack is possible while two devices are establishing a connection: an attacker can intervene in the exchange and inject an invalid key, with subsequent interception of the data.
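    The check the paper is about, as an added example written for this digest rather than the code of any Bluetooth stack or of the researchers: before using a peer's public key in ECDH, verify that the point is actually on the curve. The example uses NIST P-256 (the curve used by Bluetooth Secure Connections pairing) with plain Python integer arithmetic. It also shows why the omission matters: if the attacker replaces the y-coordinate with 0, the point lands on a different curve on which it has order 2, so an unvalidated ECDH computation can only produce two outcomes (the point itself or the point at infinity), one of which the attacker already knows. The private scalars used below are tiny and chosen only to keep the demonstration readable.

```python
# NIST P-256 domain parameters: y^2 = x^3 + A*x + B (mod P), generator (GX, GY)
# of prime order N (cofactor 1).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

INF = None  # point at infinity


def on_curve(x, y, b=B):
    """True if (x, y) satisfies the curve equation with coefficient b."""
    return (y * y - (x * x * x + A * x + b)) % P == 0


def implied_b(x, y):
    """The b for which (x, y) would lie on y^2 = x^3 + A*x + b.

    An invalid point is still on *some* curve of this shape; the group
    arithmetic below never uses b, so it happily computes on that curve.
    """
    return (y * y - x * x * x - A * x) % P


def validate_public_key(x, y):
    """Public-key validation for a prime-order curve: range check, on-curve
    check, and rejection of the point at infinity (not representable here)."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return on_curve(x, y)


def _inv(v):
    return pow(v, P - 2, P)


def add(p1, p2):
    """Affine point addition; the formulas depend on A but not on B."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF  # p1 == -p2, including doubling a point with y == 0
        lam = (3 * x1 * x1 + A) * _inv(2 * y1) % P
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def ecdh(private_scalar, peer_x, peer_y, validate=True):
    """Shared secret (x-coordinate), or None if the result is infinity.

    With validate=False this is the behaviour the attack relies on: for a
    peer point with y == 0 the result is either that point or infinity,
    depending only on the parity of the private scalar.
    """
    if validate and not validate_public_key(peer_x, peer_y):
        raise ValueError("peer public key is not a valid P-256 point")
    result = mul(private_scalar, (peer_x, peer_y))
    return None if result is INF else result[0]


if __name__ == "__main__":
    # Honest exchange with small, illustrative private scalars.
    alice_pub = mul(5, (GX, GY))
    bob_pub = mul(11, (GX, GY))
    assert ecdh(5, *bob_pub) == ecdh(11, *alice_pub)
    print("honest shared secret agrees")

    # Attacker rewrites Bob's y to 0; the point is on a different curve.
    print("on P-256:", validate_public_key(GX, 0))
    print("on curve with b' =", hex(implied_b(GX, 0)), ":", on_curve(GX, 0, implied_b(GX, 0)))
    print("unvalidated ECDH, odd scalar:", ecdh(5, GX, 0, validate=False) == GX)
    print("unvalidated ECDH, even scalar:", ecdh(6, GX, 0, validate=False))
```

    The validating path raises on the tampered key; the unvalidated path shows the two-valued result the attacker can guess. The fix adopted after the disclosure was exactly this: make the on-curve check mandatory for received public keys.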

    Of the three studies, the BlueBorne vulnerabilities represent the most serious danger, but no practical attacks using them have been reported. Perhaps this is because even the "simple" scenario requires the victim's Bluetooth module to be within range, while there are plenty of ways to attack devices remotely. Meanwhile, the very first virus for smartphones, at a time when devices had no permanent network connection, used precisely Bluetooth to spread. A few more bugs in the code, and we could face a mass attack spreading over the air between mobile devices without using the Internet at all. Or we may never encounter one, but it is worth continuing to monitor Bluetooth vulnerabilities. As with the complex Spectre/Meltdown attacks, the range of threats that use a Bluetooth connection has not yet been fully mapped out.

    Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. The editors generally recommend treating any opinions with healthy skepticism.
