Bluetooth: A Potential Entry Point into Your System
Bluetooth is a commonly used protocol for a wide range of devices. We use it for several hours a day on phones, computers, game consoles and IoT devices, and often leave it turned on without realizing that it might be used as an intrusion point.
What is Bluetooth?
Bluetooth is a wireless communication standard developed in 1998 by the mobile manufacturer Ericsson, aimed at transforming the market for personal and portable electronic devices.
It provides a protocol for RF exchanges with low-power peripherals, such as cell phones, PDAs, and mobile computers, to communicate with each other over short distances, typically within a range of about 10 meters.
This technology enables the seamless exchange of data, such as files, audio and other media, between devices without the need for cables. Bluetooth is widely used in various applications, including wireless headphones, speakers, keyboards, printers and smart home devices.
Over the years, it has evolved with advancements such as Bluetooth Low Energy (BLE) for even lower power consumption, making it suitable for a broader range of applications, including fitness trackers and IoT devices.
What are the vulnerabilities of Bluetooth?
Bluetooth has shown many vulnerabilities in recent years. As it is an increasingly adopted technology, more and more security breaches have been revealed. Let’s review the most impactful ones:
BlueBorne Attack
Those Bluetooth-based Remote Code Execution vulnerabilities (buffer overflows) were revealed by the Armis group in 2017. They affect GNU/Linux’s Bluetooth stack, allowing full device takeover and impacting computers, mobile phones and the expanding realm of IoT devices.
It is important to note that those attacks do not require the targeted device to be paired with the attacker’s device or even to be in discoverable mode.
BleedingTooth
A few years later, searching for other potential overflows in Linux’s Bluetooth stack, Andy Nguyen discovered the BleedingTooth family of vulnerabilities, including BadVibes, BadChoice and BadKarma.
By reviewing the source code of Linux’s Bluetooth packet parser, he discovered that the buffer for HCI advertisement reports allows storage of 31 bytes of incoming data.
However, in the new specifications for Bluetooth 5.0, the max advertisement packet size was extended to 255 bytes.
The original Linux implementation did not include a change accounting for this new capacity, creating a potential buffer overflow situation.
As a result, when this vulnerability is successfully exploited, it can give full control of a device by writing to arbitrary memory regions.
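To make the BadVibes pattern concrete, here is an added illustration in C (not the Linux kernel's code): a report parser that trusts a peer-supplied length byte and copies into a buffer sized for the old 31-byte limit, beside a version that checks the length against both the destination buffer and the packet. The wire layout, struct and function names are invented for the example; only the 31 and 255 byte figures come from the article.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Legacy advertising data is at most 31 bytes; Bluetooth 5.0 extended
 * advertising allows up to 255. Figures from the article; layout is made up. */
#define LEGACY_ADV_MAX 31
#define EXT_ADV_MAX    255

struct adv_report {
    uint8_t addr[6];
    uint8_t len;
    uint8_t data[LEGACY_ADV_MAX]; /* sized for the old 31-byte limit */
};

/* Constructed wire layout: 6 address bytes, 1 length byte, then data. */
#define HDR_LEN 7

/* "Before": trusts the peer-supplied length byte and copies that many bytes
 * into the 31-byte buffer. A 255-byte report writes 224 bytes past the end.
 * Shown for contrast only; nothing below calls it. */
void parse_adv_unchecked(struct adv_report *out, const uint8_t *pkt)
{
    memcpy(out->addr, pkt, 6);
    out->len = pkt[6];
    memcpy(out->data, pkt + HDR_LEN, out->len); /* no bound on out->data */
}

/* "After": the length is checked against the destination and the packet.
 * Returns 0 on success, a negative code on rejection. */
int parse_adv_checked(struct adv_report *out, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < HDR_LEN) return -1;                 /* header missing */
    uint8_t len = pkt[6];
    if (len > sizeof(out->data)) return -2;           /* would overflow */
    if ((size_t)len + HDR_LEN > pkt_len) return -3;   /* truncated packet */
    memcpy(out->addr, pkt, 6);
    out->len = len;
    memcpy(out->data, pkt + HDR_LEN, len);
    return 0;
}

/* Feed a constructed report claiming `claimed` data bytes, with `actual`
 * bytes really present, and return the checked parser's verdict. */
int try_report(uint8_t claimed, size_t actual)
{
    uint8_t pkt[HDR_LEN + EXT_ADV_MAX] = {0}; /* constructed sample packet */
    struct adv_report rep;
    pkt[6] = claimed;
    return parse_adv_checked(&rep, pkt, HDR_LEN + actual);
}
```

A 31-byte legacy report is accepted, a 255-byte extended report is rejected before any copy, and a packet whose length byte exceeds the bytes actually received is rejected as truncated.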
Once a device has been successfully exploited, an attacker could send commands to activate the camera, capture images and videos, recover documents, enter applications, access conversations, record these conversations, activate the microphone, and more.
BlueBugging Attack
Another dangerous attack vector is BlueBugging.
This time, the attack works by attempting to pair with the target device. It might involve exploiting non-existent, weak or default PINs used in the pairing process, or vulnerabilities in the Bluetooth stack that allow unauthorized pairing.
After pairing, the goal of the attacker will be to exploit the known vulnerabilities. The attacker uses specialized BlueBugging software that, once paired, exploits vulnerabilities to gain unauthorized access to the device’s command set.
Given the characteristics of Bluetooth, attackers are usually close to their targets, since the radio waves used do not have a range that goes beyond about 10 meters. After establishing a connection, an attacker could use Attention (AT) commands to control the target device. AT commands can instruct the device to initiate calls, send text messages, or even enable call forwarding.
Bluetooth DDoS Attack using Flipper Zero
Sometimes, it can even be possible to hack a device without using a laptop.
This is the vulnerability discovered less than a year ago by Jeroen van der Ham using his Flipper Zero.
The Flipper Zero is a portable multi-tool device designed for hackers and security researchers. It is built to interact with various wireless protocols and wired interfaces. It can emulate RFID badges, infrared remote controls, analyze radio signals, and much more, making it a common tool for testing the security of wireless systems.
It has been demonstrated that, using a custom firmware (Xtreme) and its Apple BLE Spam app to flood an iPhone over Bluetooth with an unlimited stream of notifications, iPhones running some specific iOS versions (>= iOS 17) crashed and could not be used again until they were hard reset, whereas earlier versions (<= iOS 16) simply received uninterrupted notifications.
Note: even new updates can introduce Bluetooth security breaches, so software updates require constant attention and monitoring to limit their potential damage.
Other types of Bluetooth attack
Among the most well-known ways to exploit a device using Bluetooth, we can also find:
- Bluejacking: Sending anonymous, unsolicited information to a Bluetooth-enabled device.
- Car Whisperer: This specific attack is used to hack a hands-free Bluetooth system in cars. Attackers can exploit vulnerabilities to eavesdrop on conversations happening inside the car and even communicate with the passengers through the car’s speakers.
And many more!
How to protect yourself?
The first step to protecting yourself from being exposed is obviously to turn off your Bluetooth when you don’t need it.
As we saw, most of the time, the vulnerabilities come from the architecture of your device. As a result, the second step is to always make sure to update your device to ensure discovered bugs are fixed.
In case you have a PIN code to pair with other devices, make sure to change it often and use a safe one.
Sources
Cybersecurity company Armis that disclosed BlueBorne vulnerabilities
BlueBorne Vulnerability Research Paper
L&T Technology Service Bluetooth Hacking report