Here is another Security Alert for all of you!
If you are using a Bluetooth enabled device, be it a smartphone, laptop, smart TV or any other IoT device, you are at risk of malware attacks that can carry out remotely to take over your device even without requiring any interaction from your side. So, Another Bluetooth hacking technique has been uncovered.
A highly critical cryptographic vulnerability has been found affecting some Bluetooth implementations that could allow an unauthenticated, remote attacker in physical proximity of targeted devices to intercept, monitor or manipulate the traffic they exchange.
These vulnerabilities include:
Information Leak Vulnerability in Android (CVE-2017-0785)
- Remote Code Execution Vulnerability (CVE-2017-0781) in Android’s Bluetooth Network Encapsulation Protocol (BNEP) service
- Remote Code Execution Vulnerability (CVE-2017-0782) in Android BNEP’s Personal Area Networking (PAN) profile
- The Bluetooth Pineapple in Android—Logical flaw (CVE-2017-0783)
- Linux kernel Remote Code Execution vulnerability (CVE-2017-1000251)
- Linux Bluetooth stack (BlueZ) information leak vulnerability (CVE-2017-1000250)
- The Bluetooth Pineapple in Windows—Logical flaw (CVE-2017-8628)
- Apple Low Energy Audio Protocol Remote Code Execution vulnerability (CVE Pending)
How the Bluetooth Hack Works?
Researchers from the Israel Institute of Technology discovered that the Bluetooth specification recommends, but does not mandate devices supporting the two features to validate the public encryption key received over-the-air during secure pairing.
Since this specification is optional, some vendors’ Bluetooth products supporting the two features do not sufficiently validate elliptic curve parameters used to generate public keys during the Diffie-Hellman key exchange.
In this case, an unauthenticated, remote attacker within the range of targeted devices during the pairing process can launch a man-in-the-middle attack to obtain the cryptographic key used by the device, allowing them to potentially snoop on supposedly encrypted device communication to steal data going over-the-air, and inject malware.
Here’s what the Bluetooth Special Interest Group (SIG), the maintainers of the technology, says about the flaw:
“For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure.”
“The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgment to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful.”
On Monday, CERT/CC also released a security advisory, which includes additional technical details about the Bluetooth vulnerability and attack method.
According to the CERT/CC, Bluetooth makes use of a device pairing mechanism based on elliptic-curve Diffie-Hellman (ECDH) key exchange to allow encrypted communication between devices.The ECDH key exchange involves a private and a public key, and the public keys are exchanged to produce a shared pairing key.
The devices must also agree on the elliptic curve parameters being used, but in some implementations, these parameters are not sufficiently validated, allowing remote attackers within wireless range “to inject an invalid public key to determine the session key with high probability.”
Stop Bluetooth Hacking—Install Patches from Vendors
To fix the issue, the Bluetooth SIG has now updated the Bluetooth specification to require products to validate public keys received as part of public key-based security procedures.
Moreover, the organization has also added testing for this vulnerability within its Bluetooth Qualification Process.
The CERT/CC says patches are needed both in firmware or operating system software drivers, which should be obtained from vendors and developers of the affected products, and installed—if at all possible.
What’s worst? All iOS devices with 9.3.5 or older versions and over 1.1 Billion active Android devices running older than Marshmallow (6.x) are vulnerable to the BlueBorne attack.
Moreover, millions of smart Bluetooth devices running a version of Linux are also vulnerable to the attack. Commercial and consumer-oriented Linux platform (Tizen OS), BlueZ and 3.3-rc1 are also vulnerable to at least one of the BlueBorne bugs.
Android users need to wait for security patches for their devices, as it depends on your device manufacturers.
In the meantime, they can install “BlueBorne Vulnerability Scanner” app (created by Armis team) from Google Play Store to check if their devices are vulnerable to BlueBorne attack or not. If found vulnerable, you are advised to turn off Bluetooth on your device when not in use.
To stay tuned and get updated visit our Facebook page.