Bluetooth is one of the most popular short-range wireless communications technologies in use today and is built into many types of devices, from phones, smartwatches and TVs to medical equipment and car infotainment systems. Many of those devices are now at risk of being hacked due to critical flaws found in the Bluetooth implementations of the operating systems they use.
Over the past several months, a team of researchers from IoT security firm Armis has been working with Google, Microsoft, Apple and Linux developers to silently coordinate the release of patches for eight serious vulnerabilities that could allow attackers to completely take over Bluetooth-enabled devices or to hijack their Internet traffic.
The flaws found by Armis are particularly dangerous because they can be exploited over the air without any type of authentication or device pairing. Simply having Bluetooth enabled on a device is enough to make it vulnerable if patches for these issues are not installed.
The attacks can be fully automated and they don’t require any user interaction, as attackers can force vulnerable devices to open Bluetooth connections. In one scenario, the flaws can be used to build a worm-like attack where one compromised device automatically infects others when they come in its Bluetooth range. This can lead to the creation of massive botnets.
The Armis researchers have dubbed this new attack vector BlueBorne and they estimate that it affects over 5.3 billion devices. Furthermore, based on their discussions with vendors, they believe that 40% of the impacted devices will never be patched, either because they’re old and won’t receive firmware updates at all or because updating them is too complicated and users won’t bother.
The vulnerabilities are not located in the Bluetooth protocol itself, but in the individual Bluetooth implementations — or stacks — that are present in Android, Windows, Linux and iOS. Because of this, it doesn’t matter what version of the Bluetooth protocol a device supports — they’re all affected, with the exception of those that support only Bluetooth Low Energy, also known as Bluetooth Smart.
The Armis team first stumbled across one of the flaws during their regular work on the company’s security product, which helps organizations identify rogue or compromised IoT devices on their networks. The team then checked the similar code in other Bluetooth stacks and found additional vulnerabilities.
Four of the eight vulnerabilities were found in Android’s Bluetooth implementation, two in Linux, one in iOS and one in Windows. Their impact varies based on operating system.
“I think this is really just the tip of the iceberg as far as vulnerabilities in Bluetooth implementations go,” the Armis researchers said. “We feel that there are potentially other stacks affected by similar issues, but future research needs to be done to determine this.”
The vulnerability that affects the Bluetooth stack in Windows Vista and later does not lead to remote code execution but allows hackers to launch man-in-the-middle traffic interception attacks. Attackers can remotely force vulnerable Windows computers to set up a malicious Bluetooth-based network interface and route all of their communications through it. In this way, attackers can get all of a victim’s Internet traffic over Bluetooth.
Microsoft released security updates to address this vulnerability on supported Windows versions in July and customers who installed those updates are protected against this attack.
“We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates,” a Microsoft spokesperson said in an emailed statement.
An almost identical man-in-the-middle issue was found in the Android Bluetooth stack. However, Android’s implementation also has an information leak flaw and two remote code execution vulnerabilities.
Attackers can exploit the information leak problem in order to extract sensitive information from the device memory, information that can then help them exploit the remote code execution vulnerabilities and take complete control of the targeted devices. According to the Armis team, this attack would be completely invisible to the user.
“We have released security updates for these issues, and will continue working with other affected platforms across the industry to develop protections that help keep users safe,” Google said in an emailed statement.
Google releases security fixes for its Pixel and Nexus devices every month and also contributes those patches to the Android Open Source Project. Device manufacturers that are in the Android partner program receive security patches a month or more before they’re made public, to give them enough time to integrate them in their own Android-based firmware.
Even so, there are millions of Android devices out there that have long reached end of support and will not get these patches. Those devices will remain vulnerable to these Bluetooth attacks indefinitely.
The situation is similar with Linux-based devices, which are affected by two Bluetooth vulnerabilities found by Armis. When combined, exploits for these two flaws allow attackers to gain full control over affected devices.
Linux is used as the base for the firmware of many devices, including smartwatches, wearables, drones, smart TVs, gaming consoles, car infotainment systems and even network-connected refrigerators. The Tizen operating system, which is used on many Samsung consumer electronics, is based on the Linux kernel and is also affected.
The Armis researchers have been in contact with the Linux community about these flaws, but claim they were unable to establish communication with Samsung despite repeated attempts.
Samsung did not immediately respond to a request for comment.
A remote code execution vulnerability has also been found in the Bluetooth stack of Apple’s iOS operating system. All iPhone, iPad and iPod touch devices running iOS version 9.3.5 or older, and Apple TV devices running firmware version 7.2.2 or older, are vulnerable, according to the Armis researchers. Apple fixed the vulnerability in iOS 10.
Android users can download a scanner app developed by Armis from Google Play in order to check if their devices are affected, but for other types of devices it will be much harder to determine if they’re at risk. For example, users don’t have a simple way to check the Linux kernel version on their smart TV or on their car’s infotainment system.
In theory, devices that have not received a patch can be protected from this attack by disabling Bluetooth. However, this isn’t practical, because users might have many Bluetooth-based peripherals, such as headsets and keyboards, that they need to use with those devices. On some devices, disabling Bluetooth might simply not be possible at all.
Armis created a few videos to show how the BlueBorne attacks work against a Google Pixel phone that runs Android, a Samsung Gear S3 smartwatch running Tizen OS and a Windows computer: