Today at the Black Hat security conference in Europe, I had the opportunity to reveal new details regarding BlueBorne, the airborne attack vector first disclosed discovered in September 2017. Along with Armis researcher Gregory Vishnepolsky, he and I delved deeper in the BlueBorne vulnerabilities found on Linux.
We covered detailed exploits of two Linux devices, the Samsung Gear S3 and Amazon Echo. The Echo was part of a coordinated disclosure with Amazon in mid November). We also discussed the complete testing framework we used, and released to provide other researchers with the opportunity to delve into Bluetooth’s inner workings. We disclosed a new information leak vulnerability in Linux, bringing the total number of vulnerabilities related to the BlueBorne attack vector to 9. The presentation also included the first live display of a BlueBorne worm, capable of spreading between devices via Bluetooth connections.
For the first time ever, we demonstrated a live Bluetooth worm which took over both the Amazon Echo and the Samsung Gear S3. We covered how we exploited both these IoT devices in depth, using the vulnerabilities discovered by Armis earlier this year. Unfortunately, we showed how IoT devices are not only vulnerable to airborne attacks, but lack proper mitigations which have become an essential cornerstone in PCs’ security, and suffer from a myriad of basic vulnerabilities such as information leaks. These type of exposures will prove to be a major issue which IoT devices will face with every new vulnerability discovered, as it leaves them with no protection.
The demonstration of a Bluetooth worm moved this severe threat from theory into practice. The demo enacted an attacker taking over one Amazon Echo device via Bluetooth, and from that “owned” device spread to another Amazon Echo, from which an attack was launched against a Gear S3 Smartwatch as well, as seen in the diagram below:
While the attacker infects devices via a Bluetooth connection, and they continue to use Bluetooth to spread the attack (using the BlueBorne Linux vulnerabilities), the victims are instructed to report back to the attacker over their Internet connection. This frees the attacker from the need to be in the proximity of the infected devices to control them. A worm of this nature can literally spread through the air, from device to device, adding new zombies to the attacker’s botnet as it goes. The grave potential here is clear. An attacker can use such a worm to create an extensive botnet capable of a wide array of malicious purposes, such as DDoS attacks, even crypto mining, or espionage, as explained in this video.
It should be noted that the Bluetooth worm demonstrated was controlled at all times. It was in no way weaponized or allowed to get into the wild.
Also presented was an new information leak vulnerability in Linux. Proper mitigations, like stack protectors and ASLR, can hinder attackers from accessing and exploiting vulnerable code which exists in the device. However, even if such mitigations are put in place, attackers can bypass them using information leak vulnerabilities, as those disclosed by Armis. The most recent example is this new vulnerability which was identified during the preparation for the conference. The vulnerability was reported to Linux, which issued a patch for it shortly thereafter. The vulnerability resides in the Linux kernel, and could disclose valuable data to the wrong hands.
Lastly, we published both the exploit source code used for this presentation, as well as the testing framework used to exploit them here. We hope that this framework can be used by other researchers to better test and audit the various implementations of the lower layers of Bluetooth, and improve the overall security for all users.
The technical white paper on the BlueBorne Linux Exploit can be accessed here.
Such additional research into Bluetooth and its internals is necessary, as the scope of BlueBorne’s effect becoming much more clear, especially with the new vulnerabilities discovered. IoT devices are probably the most affected by such vulnerabilities. They have the weakest defenses and a complex code base which exposes them to a wide array of vulnerabilities, as was the case of Amazon Echo and Google Home (please note that both devices have been successfully patched). Even if these IoT devices security would be drastically improved by adding the required mitigations, hackers will be able to bypass them using information leaks, as shown in our presentation. This proves once again that users and businesses should treat IoT devices like any other device in their network, and implement proper protections.
Sign up to receive the latest news