Bluetooth bugs bedevil billions of devices

Baffling spec sinks security for short-range comms protocol

A close up at atomic level of limpits' teeth. Image via Portsmouth University

Security experts have long complained that complexity is the enemy of security, but the designers of the Bluetooth specification have evidently failed to pay attention.

Bluetooth is a wireless communication protocol for connecting devices over short ranges. It's used in mobile phones, wireless speakers, smartwatches, printers, and a variety of appliances, among other things.

It's also, according to Armis, a Palo Alto, California-based IoT security firm, too complicated. The Bluetooth specification runs over 2,800 pages compared to 450 pages to describe the Wi-Fi specification.

The spec's complexity, Armis contends, has prevented researchers from thoroughly investigating its various implementations for flaws, leaving it full of holes.

"The complications in the specifications translate into multiple pitfall junctions in the various implementations of the Bluetooth standard," the company says in a paper [PDF] describing a set of flaws referred to as BlueBorne.

"BlueBorne is a name we gave for eight vulnerabilities found in the common Bluetooth stacks of all the major vendors," said Armis co-founder and CTO Nadir Izrael in a phone interview with The Register.

The eight Bluetooth-related vulnerabilities affect an estimated 5.3 billion Android, iOS, Linux, and Windows devices, according to Izrael.

  1. Linux kernel RCE vulnerability – CVE-2017-1000251
  2. Linux Bluetooth stack (BlueZ) information Leak vulnerability – CVE-2017-1000250
  3. Android information Leak vulnerability – CVE-2017-0785
  4. Android RCE vulnerability #1 – CVE-2017-0781
  5. Android RCE vulnerability #2 – CVE-2017-0782
  6. The Bluetooth Pineapple in Android – Logical Flaw CVE-2017-0783
  7. The Bluetooth Pineapple in Windows – Logical Flaw CVE-2017-8628
  8. Apple Low Energy Audio Protocol RCE vulnerability – CVE-2017-14315

"Just having Bluetooth on puts you at risk," said Izrael.

Bluetooth is often turned on by default, or left on. And devices running Bluetooth turn out to be fairly easy to identify with network sniffing tools, even when set to be non-discoverable. This becomes a problem in light of the bugs in various parts of the Bluetooth stack, found in L2CAP, BlueZ, SDP, SMP, BNEP, PAN Profiles, and Apple's proprietary LEAP implementation.

Armis disclosed the flaws in April to Apple, Google, Linux maintainers, and Microsoft. Tuesday's announcement marks the agreed-upon coordinated disclosure date, with one exception: Armis says it attempted to contact Samsung – which makes the Linux-based Tizen OS and also uses Android extensively – on three separate occasions about the vulnerabilities, but did not hear back.

Ben Seri, head of research at Armis, offered a potential explanation for Samsung's non-responsiveness by noting that the company is a downstream vendor of patches issued by Google and Linux maintainers, which shapes how they respond to security issues.

All Android phones, tablets, and wearables, apart from those using only Bluetooth Low Energy, are potentially vulnerable to the four Android flaws. Google issued a patch to its partners on August 7, which it released as part of its September Security Update and Bulletin for Android 6.0 (Marshmallow) and Android 7.0 (Nougat). It's unclear when its partners will distribute the patch, however.

Seri acknowledged that some Android vendors may be slow to deploy the fixes. "We are concerned about this," he said. "We tried to make this as coordinated as possible."

A video posted by Armis demonstrates how a Google Pixel can be compromised.

Armis offers a Google Play app to test whether Android devices are at risk.

All iPhone, iPad and iPod touch devices running iOS 9.3.5 or earlier, as well as AppleTV devices running version 7.2.2 or earlier are potentially vulnerable to the iOS remote code execution vulnerability. Devices running iOS 10 and later should not be affected.

Linux devices running BlueZ are affected by the information leak flaw and those from version 3.3-rc1, released in October 2011, are affected by the remote code execution flaw. Among potentially vulnerable products are Samsung Gear S3 watches, Smart TVs, and Family Hub devices.

Every Windows computer since Windows Vista is potentially vulnerable to the "Bluetooth Pineapple" flaw, which can be used to conduct a man-in-the-middle attack.

Microsoft issued its regular set of patches on Tuesday, including a notification about an already deployed Bluetooth fix, which according to Seri was issued in July without any notice, to allow other vendors time to respond.

Given that some of these flaws have been present in Bluetooth for a decade, Izrael said, "We do fear that in some sense these vulnerabilities might have been found before by some actors and used."

However, he said he's not aware of any exploitation of these holes.

"We really encourage researchers and security experts to learn from them how these bugs were found and to find them in other stacks we have not studied," he said. ®


Biting the hand that feeds IT © 1998–2017