BlueBorne – Bluetooth's airborne influenza

BlueBorne – Bluetooth’s airborne influenza

Armis Labs has discovered a new attack vector that targets any device that has Bluetooth capability. This includes mobile, desktop, and IoT — roughly accounting for 8.2 billion devices. All operating systems are susceptible — Android, iOS, Windows, and Linux. Dubbed BlueBorne, it exposes several vulnerabilities in the Bluetooth technology. These vulnerabilities open up the potential to perform an array of malicious attacks. Some of which, stated by Armis, are as follows:

  • Take control of devices
  • Access corporate data and networks
  • Break into secure networks that use air gap security measures
  • Spreading malware thatise in range of device with infection

BlueBorne does not require Bluetooth devices to be paired to other devices to be exploited. Even worse, devices are susceptible even when Bluetooth is in non-discoverable mode.

The ease of exploitation

What exactly does it take to exploit these new-found Bluetooth vulnerabilities? As noted in the Armis Labs BlueBorne whitepaper, the first step to is to steal the BD_ADDR (Bluetooth Device address). This is a hardcoded 48 bit MAC address of the Bluetooth device. Stealing the BD_ADDR the Bluetooth device, especially when it is set to non-discoverable, used to be considered a feat.  With the introduction of new Bluetooth “sniffing” hardware, this has become a lot easier. One such device is the open source hardware Ubertooth which plugs into a USB port of a computer.  Simply be within range with the Ubertooth plugged in, and it will grab any Bluetooth traffic from the air. With the help of some other monitoring tools to analyze the traffic — voilà — you have BD_ADDRs.

Spreading malware via Bluetooth

One of the more intriguing attacks is the potential to propagate malware using BlueBorne vulnerabilities. More specifically, through mobile devices.

The only way I could hypothesize this happening is through an attack using a list of collected BD_ADDRs and then creating a malicious app which scans for those addresses. Any device within range on the list becomes a target. Using the BlueBorne vulnerabilities to propagate itself, the malicious app transfers to the target device. Keep in mind the user of the target device would need to accept installing the malicious app as well.

All this isn’t impossible, but unlikely with the limitation of requiring a list of BD_ADDRs. Now if a mobile device could steal BD_ADDRs for itself — which it can’t at this point — then we should start worrying.

So how bad is it?

The work done by Armis Labs to present the BlueBorne vulnerabilities is extremely valuable to the security industry. It highlights the need for improved Bluetooth security. I applaud them for their hard work in this endeavor.

The introduction of sniffing hardware like Ubertooth and the creation of other open-source tools to analyze the collected traffic like Kismet have taken down the toughest barrier for hackers — collecting the BD_ADDR. With this exposure, I agree with Armis Labs predication — we will continue to see more Bluetooth vulnerabilities arise.

The requirement of having to be within Bluetooth range creates a limitation to BlueBorne. I believe this limitation will isolate it to more targeted attacks — most likely against specific companies.  In this case scenario, a spear phishing attack would be much easier to carry out and wouldn’t require being physically within Bluetooth range. Therefore, I’m skeptical that we will see BlueBorne implemented in a real-world attack.

Disabling Bluetooth

Bluetooth, by default, is enabled. If you don’t use Bluetooth i.e. you don’t have any devices paired, it’s best to disable it. If you do use your Bluetooth, disabling it when not in use is the most secure option against BlueBorne. However, many use their mobile devices to pair with their vehicle’s handsfree unit. Ideally, remembering to enable/disable Bluetooth depending on whether you’re driving or not is the best option. Not as ideal and more likely, you will forget to enable Bluetooth before starting to drive — myself included. Therefore, you have to weigh what is more of a threat. A BlueBorne attack or looking at your phone to enable Bluetooth WHILE driving? Just something to think about.


Nathan Collier

Full time mobile malware researcher, part time endurance athlete and world traveler. As nerdy about traveling as he is about mobile malware.