Security Week 45: Something About Bluetooth Vulnerabilities

It is time to correct a three-week error in the numbering of these digests, made at the very beginning of the year, so today's issue skips ahead a little. It is devoted to vulnerabilities in the Bluetooth wireless interface. Three significant studies on this topic have appeared over the past year, yet even the most extensive of them, the BlueBorne series, did not make the splash that, say, Heartbleed did.

Taken together, these studies are of particular interest because they describe an unexpected attack vector, one that in some cases lets an attacker bypass the enterprise LAN perimeter or a client device's defenses entirely. It is enough to get within a relatively short distance of the device, or to have a good antenna. The most interesting case in this context is the most recent one: a vulnerability in Bluetooth-equipped wireless access points.
The vulnerability in Texas Instruments' Bluetooth Low Energy modules was found by Armis (news, study). Following established tradition, it was given a name, Bleedingbit, and a logo.
These chips are used to extend the functionality of Wi-Fi access points from manufacturers such as Cisco, Meraki and Aruba. As a rule, the Bluetooth Low Energy module serves to identify user devices, for example to optimize the wireless network, for advertising and marketing purposes, or to track the movement of equipment. Two vulnerabilities were found in total. The first (CVE-2018-1698?, affecting a number of Cisco and Meraki devices) is a buffer overflow triggered by a crafted packet sent over Bluetooth, after which the attacker can take control of the device.

The second vulnerability (CVE-2018-7080) affects only Aruba devices (for example, the 203R access point). It allows the Bluetooth chip's firmware-update mechanism to be used remotely. That mechanism is supposed to be disabled in normal operation, but in practice it is not always disabled, because access to the device through the diagnostic interface is not always blocked. On Aruba access points a firmware update requires a password, but that password turned out to be the same for every device in the series.

Back to the first vulnerability. The attack relies on Bluetooth advertising packets. Advertising can serve informational or marketing purposes and involves exchanging data without any pairing or authorization between devices. Data can be broadcast by a fixed access point, or collected from clients; it is the collection process that the attack exploits. Collection can be used, for example, to identify shoppers in a store who have a particular app installed on their phone. In short, it is an unobvious piece of functionality that, as we now know, can have consequences neither the customers nor the companies that own the infrastructure expected. An article on ArsTechnica argues that there is still more to dig into around this vulnerability, even though the original problem has already been patched by the Bluetooth chip's manufacturer.

What else has happened on the subject of Bluetooth vulnerabilities? The most serious problem was discovered in September of last year by the same company, Armis Labs. The BlueBorne series of vulnerabilities (study in PDF) was found in Bluetooth stack implementations across platforms, which means that the overwhelming majority of Bluetooth devices were affected: Windows, Android, iOS, Linux (and Tizen, if anyone is interested).

On Linux it was necessary to update both the BlueZ stack and the kernel itself (for kernel versions ???–???). The attack, as usual, has to be aimed at a specific device, but it works even if the module is not discoverable. On Android, as the demonstration video shows, the attacker can take control of the device or use one of the vulnerabilities to mount a man-in-the-middle attack. In almost every case the vulnerabilities lead to partial leakage of data from the device's RAM. As of September of this year, according to Armis Labs, more than two billion devices (of the original five, or eight, billion) remained vulnerable.

Finally, in July of this year researchers from Israel found (news, more) a vulnerability in the pairing protocol that establishes the encryption keys. This is a typical academic study: the problem was in the check of the elliptic-curve public keys exchanged to derive the key that protects the transmitted data. More precisely, in the absence of that check, which in theory allows a man-in-the-middle attack. The attack is possible while two devices are establishing a connection: an attacker can intervene in the key exchange, inject an incorrect key, and then intercept the data.

Of the three studies, the BlueBorne vulnerabilities represent the most serious danger, but no practical attacks have been reported. Perhaps this is because even a "simple" scenario requires the victim's Bluetooth module to be within range, while there are plenty of ways to attack devices remotely. Meanwhile, the very first smartphone virus, in the absence of a permanent network connection, used Bluetooth to spread. A few more bugs of this kind, and we may face a mass attack spreading over the air between mobile devices without using the Internet at all. Or we may not, but it is worth continuing to keep an eye on Bluetooth vulnerabilities. As with the intricate Spectre/Meltdown attacks, the range of threats that use a Bluetooth connection has not yet been fully mapped.

Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. The editors generally recommend treating any opinion with healthy skepticism.
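On the advertising-collection path described in the Bleedingbit section above: an access point that collects client advertisements has to parse the advertising payload, a sequence of AD structures each carrying its own length byte that arrives straight from the air. The digest does not describe the mechanism of the TI bug, so the following is only an added, generic illustration of the length check such a parser needs. It is not Armis's code and not the TI firmware; the AD type names are assigned-numbers labels, and the two sample payloads are constructed for the demo.

```python
# Added example: a strict parser for BLE advertising data (AD structures),
# the payload an access point sees when it collects client advertisements.
# Not Armis's code and not the TI firmware; the digest does not describe the
# Bleedingbit mechanism, so this shows only the generic length-field check
# such a parser needs. Sample payloads at the bottom are constructed.

MAX_LEGACY_ADV_LEN = 31        # legacy advertising payload limit in bytes

# A few AD type codes (assigned numbers); names are for readability only.
AD_TYPES = {
    0x01: "Flags",
    0x02: "Incomplete List of 16-bit Service UUIDs",
    0x03: "Complete List of 16-bit Service UUIDs",
    0x08: "Shortened Local Name",
    0x09: "Complete Local Name",
    0xFF: "Manufacturer Specific Data",
}


def parse_ad(payload: bytes):
    """Parse advertising data into a list of (ad_type, data) tuples.

    Each AD structure is [length][type][data...] where length counts the
    type byte plus the data. The length byte comes from the air and is
    attacker-controlled, so it is checked against what is actually left in
    the buffer before anything is read. A length of 0 ends the structures
    (the rest of the payload is padding).
    """
    if len(payload) > MAX_LEGACY_ADV_LEN:
        raise ValueError(f"payload is {len(payload)} bytes, limit is {MAX_LEGACY_ADV_LEN}")
    structures = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break                                   # early termination, rest is padding
        end = i + 1 + length
        if end > len(payload):
            # The overflow case: a C parser that trusts `length` here reads or
            # copies past the end of its receive buffer.
            raise ValueError(f"AD structure at offset {i} claims {length} bytes, "
                             f"only {len(payload) - i - 1} remain")
        ad_type = payload[i + 1]
        structures.append((ad_type, bytes(payload[i + 2:end])))
        i = end
    return structures


def describe(structures):
    """Render parsed structures as (name, decoded value) pairs for logging."""
    out = []
    for ad_type, data in structures:
        name = AD_TYPES.get(ad_type, f"0x{ad_type:02X}")
        if ad_type in (0x08, 0x09):
            value = data.decode("utf-8", errors="replace")
        elif ad_type in (0x02, 0x03):
            # 16-bit UUIDs are little-endian on the air
            value = [f"0x{data[j + 1]:02X}{data[j]:02X}" for j in range(0, len(data) - 1, 2)]
        else:
            value = data.hex()
        out.append((name, value))
    return out


def check_payload(payload: bytes):
    """Return ('ok', structures) or ('rejected', reason) without raising."""
    try:
        return ("ok", parse_ad(payload))
    except ValueError as e:
        return ("rejected", str(e))


# Constructed sample: Flags, Complete Local Name "Tag-1", one 16-bit UUID (0x180F), padding
GOOD_ADV = (bytes([0x02, 0x01, 0x06, 0x06, 0x09]) + b"Tag-1"
            + bytes([0x03, 0x03, 0x0F, 0x18, 0x00, 0x00]))
# Constructed malformed sample: the name structure claims 0x1E bytes but only 6 remain
BAD_ADV = bytes([0x02, 0x01, 0x06, 0x1E, 0x09]) + b"Tag-1"

if __name__ == "__main__":
    for label, adv in (("good", GOOD_ADV), ("bad", BAD_ADV)):
        status, result = check_payload(adv)
        print(label, status, describe(result) if status == "ok" else result)
```

The point of the check is that the receiver, not the sender, decides how many bytes are left; a parser that advances by the claimed length and then copies that many bytes into a fixed buffer is exactly the class of bug a crafted advertisement can reach, with no pairing required.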