The recently disclosed collection of “BlueBorne” vulnerabilities that were found to affect at least 5.3 billion Bluetooth-enabled devices has revealed several inconvenient truths about the short-range communications protocol, experts are saying.
One, Bluetooth technology have long been overlooked by security experts and bug hunters, especially in comparison to other protocols. And two, because of the highly eclectic and fragmented nature of devices relying on Bluetooth, it could take weeks or months for some product manufacturers to apply software patches, while others may never issue secure updates.
“Bluetooth is complicated. Too complicated,” states a technical paper published by IoT security company Armis, whose researchers discovered the eight BlueBorne vulnerabilities on products running on Android, iOS, Linux, and Windows. “Too many specific applications are defined in the stack layer, with endless replication of facilities and features. These over-complications are a direct result of the immense work and over-engineering that was put into creating the Bluetooth specification.”
“The complications in the specifications translate into multiple pitfall junctions in the various implementations of the Bluetooth standard,” adds Armis, which posits that the complex nature of Bluetooth has dissuaded researchers “from auditing its implementations at the same level of scrutiny that other highly exposed protocols, and outwards-facing interfaces have been treated with.”
For that reason, a large number of vulnerabilities in Bluetooth may yet remain, noted Armis, warning that BlueBorne may be just the tip of the iceberg.
In a blog post today, Check Point Software Technologies agreed with the premise that the Bluetooth protocol has been “discarded and ignored by the research community for years,” noting that bug hunters may have been misled by two common misconceptions.
“The first misconception is that Bluetooth cannot be intercepted via the air, the second [is] that it always requires some sort of user interaction,” the Check Point research team states. Armis disabused the security community of these false notions, after announcing that attackers can leverage BlueBorne flaws to intercept Bluetooth devices’ communications and infect them over the air, and that a device’s Bluetooth feature only needs to be turned on for such exploits to work.
Experts also pointed out the difficulties of patching vulnerable Bluetooth devices, both on the part of the consumer and the original equipment manufacturers who must implement security updates issued by the OS developer.
From the consumer’s perspective, “It’s not easy for the average person to ensure their laptop is running the latest OS. Add a dozen IoT enabled devices into the mix, and it becomes nearly impossible to ensure every product and system is patch, especially when patches aren’t available for many of these item,” said Mike Buckbee, security engineer at Varonis Systems, a data protection company focused on insider threats and cyberattacks.
And from the OEM’s perspective, BlueBorne underscores the “fragmented and forgotten manner in which OS updates and patches are distributed to connected devices,” continued Buckbee, who predicted that many devices will remain unpatched and vulnerable to BlueBorne “for years to come.” (Google and Microsoft have already developed patches for Android and Windows devices, respectively, while Apple resolved the issue with the introduction of iOS 10.)
Leigh-Anne Galloway, cyber security resilience officer at Positive Technologies, said that patching efforts will depend on the type of device affected.
“While patches for smartphones, laptops and other internet-enabled devices are relatively easy to push out, for dumber gadgets the same can’t be said,” stated Galloway. “There’s a huge number of ‘things’ that rely on Bluetooth to perform their function, like speakers, or computer keyboards and mice. And short of turning them off, there isn’t a fix and that is going to leave millions vulnerable.”
Lamar Bailey, director of security research and development with advanced threat, security, and compliance solutions provider Tripwire, said manufacturers will be distributing patches for months, and that the situation could especially tricky for IoT device-makers.
According to Bailey, some of these companies “will not have patches either because they do not know they are vulnerable, will not know how to patch the issue, or will consider the products out of support and just release new versions… Consumers should look at the devices they own and contact the vendors to see if they are vulnerable. The larger well-established vendors should be putting out information in their support section and contacting registered customers.”
Despite the magnitude of BlueBorne, Mike Weber, VP of labs at IT audit and compliance firm Coalfire, suggested that the resulting outcry may be somewhat of an overreaction. “While the research discusses the possibility of worm-style attacks being possible in the wild, there are no currently known instances of this actually occurring and the difficulty level of writing a single worm to impact all devices would be high,” said Weber.
Weber also noted that BlueBorne “can only be used against devices within the effective Bluetooth range of the attacker, which is 33 feet on average in mobile phones and headsets, and 328 feet on average in laptops and desktops.” However, it must be noted that infected devices, in theory, can be compromised to launch more attacks on other devices within their range, creating a chain reaction of additional infections.
Both Buckbee and Galloway said that the BlueBorne disclosure is a key lesson for manufacturers to start approaching security from within.
“We’ve gotten the IoT wake-up call loud and clear and now it’s up to manufacturers to heed the warning and bake in security into their products before jumping in feet first with the latest connected devices,” said Buckbee.
“Long term, the answer is that if any device can connect to another in any way, it needs to have security built in from the outset or hackers are going to take advantage of it,” concurred Galloway.
And consumers must do their part as well by stay up-to-date with patches and using Bluetooth responsibly.
“Bluetooth should be treated like any open port: if you do not need it, then turn it off,” said Bailey. “That may not always be easy with Bluetooth keyboards and mice/trackpads, but in situations where non-employees are within 40 feet of systems, like banks at teller windows, it is best to use wired input devices and not reply on Bluetooth.”