The Air Gap Won’t Save You

Most security disclosures are short-lived events. Even the most critical vulnerabilities such as Heartbleed are often quickly patched and fade into history within a week or two. But once in a while an issue pops up that forces the industry to reexamine one of its core security principles. The recently discovered BlueBorne attack vector is one such issue. It will force enterprises to reevaluate the very architecture of their network security - particularly with regards to using an Air Gap as a security strategy. That is a bold statement to be sure, but not one built on hyperbole. Let’s take a look.

Directly Exploitable and Hard to Patch

First a quick recap of BlueBorne. BlueBorne is an attack vector encompassing several vulnerabilities affecting major operating systems including Windows, Linux, Android, and iOS. The vector allows an attacker to connect to a vulnerable Bluetooth device and either man-in-the-middle the victim’s connection or directly run malicious code on the victim device. Most importantly, this can be done without any interaction from the user, and without Bluetooth being in “discoverable” mode.

That sounds bad (and it is), but what makes this any different from other remote code execution vulnerability? Well for starters it will be almost impossible to patch all of the affected devices in an enterprise for a variety of reasons. Some devices such as employee smartphones may not be under the control of the security team so may take longer to patch. But patching user smartphones will likely be a walk in the park compared to patching the multitude of Bluetooth-enabled IoT devices. These devices are typically Linux-based and rarely if ever receive system updates. Even for vendors that do respond with patches, delivery is likely to be slow, and the updates will require manual work from IT. This is all a recipe for very long-lived vulnerabilities that affect a large number of devices in the enterprise.

An Air Gap and Segmentation Shredder

One of the main problems caused by airborne exploits and attacks like BlueBorne, or KRACK for that matter, is the potential for an attacker to repeatedly bounce from one vulnerable device to the next. With Blueborne, the attacker only needs to be within Bluetooth earshot of a vulnerable device. But the bigger issue is that the malicious connection is direct from device to device, and outside the control of traditional network segmentation. To understand the risk, we need to begin thinking about how many degrees of Bluetooth separation are between an organization’s physical front door and its critical data or systems.

By directly connecting from device to device, an attacker can easily hop from one VLAN or subnet to another. Even the most highly segmented network becomes completely flat from the perspective of Bluetooth. The question is not what devices live in ‘Guest’ versus ‘Corp’. The question is can any device ‘Guest’ within Bluetooth range of ‘Corp’. The same is true for physical segmentation as well. For BlueBorne, crossing an air gap is as easy as hopping a VLAN - all that is required is a vulnerable Bluetooth device. Unfortunately, Bluetooth has made it to many of the spaces that we think of as air-gapped.

Bluetooth has quietly become a popular option for industrial automation and control systems. Bluetooth has become the preferred connectivity for a variety of connected medical devices. And Bluetooth is likewise common in a variety of additional IoT devices from security cameras to headsets to HVAC systems. Bluetooth has become a de facto option for all types of devices largely due to the fact that it “just works”. Unfortunately this is also true for attackers.

BlueBorne also makes practical sense for attackers. The ability to directly connect to and exploit a victim without any user interaction is a major improvement from an attacker perspective. There is no need to lure a user into opening an attachment - no need to smuggle in a USB drive. Attackers can bounce from host to host, and in some cases, directly affect a high-value device over Bluetooth.

What Next?

While all of this may sound dire, the news isn’t all bad. Today most organizations lack visibility and control over Bluetooth, but this is a problem that can be fixed. The network security architecture isn’t broken, per se. It simply lacks the necessary layer to provide visibility and control over Bluetooth and unmanaged devices. To learn more about how this can be done, check out the paper Protecting the Enterprise from BlueBorne.