Last night, Armis Labs revealed eight new vulnerabilities in the Bluetooth stacks of the major operating systems, several of which would allow a nearby attacker (within Bluetooth radio range) to gain root or system-level access to a device that has Bluetooth switched on. The attack is easy to exploit because it does not require the target to be discoverable or paired, and it needs no PIN, password or user confirmation of a connection. The vulnerabilities affect Linux, Windows, iOS and Android, which covers virtually every device in use, including embedded IoT devices.
In theory, the vulnerability is “wormable”. Visions of a digital Typhoid Mary walking through a city’s CBD come to mind, infecting every phone within radio range, followed by a zombie apocalypse: Millennials mindlessly walking around in the throes of phone separation anxiety, wondering what their friends ate for lunch.
A devastating attack should be possible, and would likely look something like this:
- A propagation tool would actively seek out nearby Bluetooth devices to infect. As part of the infection process, the tool would need to identify which operating system (and therefore which Bluetooth stack) it is attacking, since each platform needs a different exploit;
- To keep the infection traffic small and quick, only a dropper would be installed. The dropper would then download two further components: a device-specific copy of the propagation tool, and a payload. The payload could be anything from a Remote Access Trojan to ransomware triggered by a time or condition;
- The newly infected device would then look for additional devices to infect. A phone brought into the office might look for laptops, printers, headsets and fitness trackers; a laptop brought home might find the car’s entertainment system on the drive home, and once there, fridges, home entertainment systems and even kitchen appliances could fall victim if they run embedded Linux with Bluetooth enabled.
- Once the trigger conditions are met, the ransomware executes. For many devices this would be a meaningless attack: nobody can log into their fridge to pay a ransom, and those devices would likely be permanently “bricked”. But the attacks on devices that could be recovered would still generate large revenues for the criminal.
While possible, in my opinion an attack like this is unlikely. Criminals tend to avoid attacks that require physical proximity, so there is already a disincentive. Starting in the city where the criminal is located may be disruptive for that city, but it doesn’t have the impact of a worldwide simultaneous attack; and while ransomware is still profitable, even WannaCry only netted about US$140,000. That’s fine when public exploit code is already available and you can distribute worldwide from the comfort of your mother’s basement, but writing entirely new exploit code for several platforms and then physically going out to spread it, to just one city? It starts to sound like work, and criminals tend to detest work.
So, should we just relax? Maybe. The vulnerabilities are real, and mobile phones are very valuable to a lot of parties: nation-state actors, industrial spies, journalists, terrorist groups and organised crime. You may laugh, but it would not surprise me if criminals wrote a tool to copy all photos off a phone, or to gain control of an iCloud or Google Photos account, and targeted female celebrities looking for nudes.
What can you do if you are concerned? There is no guaranteed defence at this point in time, as not all vendors have released security fixes yet. However, turning Bluetooth off makes you immune to this attack, since the vulnerable code is only reachable over the radio; check that it is really off in the device’s settings rather than trusting a quick-settings toggle, which on some devices only disconnects accessories. It is also good practice to run mobile security software on your devices, but Mobile Device Management and mobile antivirus alone are not enough: they are designed to stop malicious packages downloaded from authorised and unauthorised stores, and in some cases sideloaded, not code that arrives through the exploitation of a running service.
A solution like Check Point’s SandBlast Mobile, which performs behavioural analysis, is much stronger, because it can detect malicious activity on the phone no matter how it got there, including through exploitation of a vulnerability.
So, if you’re a politician, carry classified information, are a CEO or CFO in the middle of an acquisition, or are a female celebrity, you may want to take action: turn off Bluetooth until your vendor supplies a patch, and run a strong mobile security suite. Otherwise, you are probably safe waiting to see whether criminals try a worm, and accepting the minuscule risk that you may be patient zero.
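For Linux laptops and embedded boxes, “turn Bluetooth off” is worth verifying and enforcing rather than assuming. The script below is an added example, not part of the original post or any vendor’s tooling: it parses `rfkill list` output to count Bluetooth radios that are still switched on, checks the live state, and (as root) blocks the radio and masks the service so it is not brought back up. It assumes `rfkill` and `systemctl` are present, which is true of most current distributions; the two rfkill outputs embedded in it are constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): verify that Bluetooth is really
# off on a Linux host, and optionally enforce it.
# Assumptions: `rfkill` and `systemctl` exist on the host; masking
# bluetooth.service is this example's suggestion, not advice from the post.

# Count Bluetooth radios in `rfkill list` output (read from stdin) that are
# neither soft- nor hard-blocked, i.e. still switched on. Prints the count.
bt_unblocked_count() {
    awk '
        # Device header, e.g. "1: hci0: Bluetooth"; $3 is the device type.
        /^[0-9]+:/ { bt = ($3 == "Bluetooth"); soft = 0; hard = 0 }
        bt && /Soft blocked: yes/ { soft = 1 }
        bt && /Hard blocked: yes/ { hard = 1 }
        # "Hard blocked" is the last line of each entry, so decide here.
        bt && /Hard blocked:/ { if (!soft && !hard) n++ }
        END { print n + 0 }
    '
}

# Constructed rfkill output for an offline run: hci0 is still on, hci1 is
# soft-blocked, and the Wi-Fi entry must be ignored.
SAMPLE_RFKILL_ON='0: phy0: Wireless LAN
    Soft blocked: no
    Hard blocked: no
1: hci0: Bluetooth
    Soft blocked: no
    Hard blocked: no
2: hci1: Bluetooth
    Soft blocked: yes
    Hard blocked: no'

# Constructed output for the same host after `rfkill block bluetooth`.
SAMPLE_RFKILL_OFF='0: phy0: Wireless LAN
    Soft blocked: no
    Hard blocked: no
1: hci0: Bluetooth
    Soft blocked: yes
    Hard blocked: no
2: hci1: Bluetooth
    Soft blocked: yes
    Hard blocked: no'

# Live check: succeeds when every Bluetooth radio is blocked (or none exists),
# fails when at least one radio is still on. Needs the rfkill binary.
bt_is_off() {
    [ "$(rfkill list 2>/dev/null | bt_unblocked_count)" = "0" ]
}

# Enforce: block the radio itself (the vulnerable code is only reachable over
# the air) and keep the service from re-enabling it on boot. Requires root.
bt_force_off() {
    rfkill block bluetooth
    systemctl stop bluetooth.service 2>/dev/null || true
    systemctl mask bluetooth.service 2>/dev/null || true
}

echo "constructed sample (on):  $(printf '%s\n' "$SAMPLE_RFKILL_ON"  | bt_unblocked_count) unblocked Bluetooth radio(s)"
echo "constructed sample (off): $(printf '%s\n' "$SAMPLE_RFKILL_OFF" | bt_unblocked_count) unblocked Bluetooth radio(s)"
if command -v rfkill >/dev/null 2>&1; then
    if bt_is_off; then echo "this host: Bluetooth is off"; else echo "this host: Bluetooth is ON"; fi
fi
```

Run it as an ordinary user to get the report; run `bt_force_off` as root (for example from a configuration-management job) to apply the block. Blocking the radio with rfkill is the important part: stopping the Bluetooth service alone is not the same as switching the radio off, and the same check can be dropped into a fleet audit to find hosts where someone has toggled Bluetooth back on.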