Tykhonov K. Blueborne vulnerabilities in bluetooth implementations in different operation systems // International scientific journal "Internauka". — 2018. — №13.
Student of the Faculty of Informatics
and Computer Science of the
National Technical University of Ukraine
“Igor Sikorsky Kyiv Polytechnic Institute”
BLUEBORNE VULNERABILITIES IN BLUETOOTH IMPLEMENTATIONS IN DIFFERENT OPERATION SYSTEMS
Summary. The ubiquitous adaptation of existing protocols and technologies to new platforms tends to make them less secure: it forces constant change, and many implementations are never revised or sufficiently tested across the whole spectrum of systems and devices on which they run. It is therefore not surprising that one of the most widespread technology stacks, Bluetooth, has serious vulnerabilities.
Key words: Bluetooth, BlueBorne, information security.
Bluetooth is a wireless standard for short-range data exchange between mobile phones, personal computers, printers, headphones and similar devices. Every year more than 3.6 billion devices supporting Bluetooth enter the world electronics market.
A Bluetooth protocol stack implementation can be loosely divided into two groups:
Security parameters:
The technology is vast and, on the whole, well protected. But the impossibility of testing every implementation of such a large technology has led to serious problems.
BlueBorne is the collective name for a set of security vulnerabilities in the Bluetooth implementations of Android, iOS, Linux and Windows. They were first disclosed by Armis, an IoT security company, on September 12, 2017. According to Armis, the BlueBorne attack vector can potentially affect all Bluetooth-capable devices, estimated at the time at more than 8.2 billion devices.
The attack vector rests on several problems:
Bluetooth communication is built on pairing and bonding devices by means of their unique identifiers. To gain access to another device over Bluetooth, a device must first be authenticated and then authorized. However, the protection mechanisms in use do not provide an additional check for devices without a user interface (that is, devices with no way for a user to confirm a connection). Such devices use a default key stored in device memory, yet they pass all the security checks, and their access level is equal to that of a device that has completed the full protection procedure with a user interface. The problem is partly mitigated by the option for one of the devices to request protection against man-in-the-middle attacks, but this check is not always requested, and that is what allows the vulnerability to manifest.
When a new connection is created, the participants exchange configuration request and configuration response packets. These packets carry basic information about the future connection and are used for its initial configuration.
When a fuller connection is required, the stack uses the Pending state: the peer answers with a configuration response whose result is Pending, and the stack builds a follow-up request from the options in that response while waiting for the complete answer needed to establish the bond. The implementation of this feature also became a vulnerability, because the size of the received answer is not controlled, so the peer effectively chooses how much data is written into the buffer that holds the follow-up request. This allows a 64-byte stack buffer to be overflowed, corrupting the kernel stack (CVE-2017-1000251 in the Linux kernel's L2CAP implementation).
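The following is an added illustration of the pattern just described; it is not code from the paper, from Armis or from the Linux kernel. A TLV configuration response from the peer is echoed option by option into a fixed 64-byte reply buffer, and the only difference between the vulnerable and the hardened behaviour is whether each append is bounded by the buffer size (the kernel fix likewise passed the output buffer size down into the append routine). The (type, length, value) encoding, the function names `build_conf_reply` and `conf_reply_bytes_needed`, and the 20-option hostile response are simplifying assumptions made for this example; the real parser handles specific option types.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Option type codes in the L2CAP configuration option format (type, length, value). */
#define L2CAP_CONF_MTU      0x01
#define L2CAP_CONF_FLUSH_TO 0x02
#define L2CAP_REPLY_BUF     64   /* size of the fixed stack buffer the reply is built in */

/* Append one (type, len, value) option to out[], refusing when it would not fit.
 * Returns the new reply length, or -1 if out_size would be exceeded. */
static int add_conf_opt(uint8_t *out, size_t out_size, size_t cur,
                        uint8_t type, const uint8_t *val, uint8_t len)
{
    if (cur + 2 + (size_t)len > out_size)
        return -1;                         /* the bound the unchecked version lacked */
    out[cur] = type;
    out[cur + 1] = len;
    memcpy(out + cur + 2, val, len);
    return (int)(cur + 2 + len);
}

/* How many bytes an unbounded echo of every option in rsp would write into the
 * reply buffer. This only counts; it never writes, so it is safe to call. */
size_t conf_reply_bytes_needed(const uint8_t *rsp, size_t rsp_len)
{
    size_t i = 0, need = 0;
    while (i + 2 <= rsp_len) {
        uint8_t len = rsp[i + 1];
        if (i + 2 + len > rsp_len)
            break;                         /* truncated trailing option */
        need += 2 + len;
        i += 2 + len;
    }
    return need;
}

/* Hardened walk: parse the peer's configuration response and echo each option into
 * a reply of at most out_size bytes. Returns the reply length, or -1 when the
 * response is malformed or the reply would overflow the buffer. */
int build_conf_reply(const uint8_t *rsp, size_t rsp_len, uint8_t *out, size_t out_size)
{
    size_t i = 0;
    int cur = 0;
    while (i + 2 <= rsp_len) {
        uint8_t type = rsp[i], len = rsp[i + 1];
        if (i + 2 + len > rsp_len)
            return -1;
        cur = add_conf_opt(out, out_size, (size_t)cur, type, rsp + i + 2, len);
        if (cur < 0)
            return -1;
        i += 2 + len;
    }
    return cur;
}

/* Constructed hostile input: a response carrying 20 MTU options of 4 bytes each. */
size_t make_hostile_conf_rsp(uint8_t *buf, size_t cap)
{
    size_t n = 0;
    for (int k = 0; k < 20 && n + 4 <= cap; k++) {
        buf[n++] = L2CAP_CONF_MTU;
        buf[n++] = 2;
        buf[n++] = 0xF7;                   /* MTU 1015, little-endian */
        buf[n++] = 0x03;
    }
    return n;
}

/* Worked results, as functions so they can be checked rather than only printed. */
int demo_hostile_bytes_needed(void)
{
    uint8_t rsp[128];
    size_t n = make_hostile_conf_rsp(rsp, sizeof rsp);
    return (int)conf_reply_bytes_needed(rsp, n);     /* 80: 16 bytes past a 64-byte buffer */
}

int demo_hostile_bounded(void)
{
    uint8_t rsp[128], reply[L2CAP_REPLY_BUF];
    size_t n = make_hostile_conf_rsp(rsp, sizeof rsp);
    return build_conf_reply(rsp, n, reply, sizeof reply);   /* -1: rejected */
}

int demo_benign_bounded(void)
{
    /* Constructed benign response: one MTU option and one flush-timeout option. */
    const uint8_t rsp[] = { L2CAP_CONF_MTU, 2, 0xF7, 0x03,
                            L2CAP_CONF_FLUSH_TO, 2, 0xFF, 0xFF };
    uint8_t reply[L2CAP_REPLY_BUF];
    return build_conf_reply(rsp, sizeof rsp, reply, sizeof reply);   /* 8 */
}

int main(void)
{
    printf("hostile response: unbounded echo needs %d bytes, buffer is %d\n",
           demo_hostile_bytes_needed(), L2CAP_REPLY_BUF);
    printf("bounded build of hostile response returns %d\n", demo_hostile_bounded());
    printf("bounded build of benign response returns %d\n", demo_benign_bounded());
    return 0;
}
```

The unbounded variant is deliberately only counted, never executed: writing 80 bytes into a 64-byte stack array is exactly the memory corruption the text describes, and in a kernel it lands on saved registers and the return address rather than raising a clean exception.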
SDP (the Service Discovery Protocol) gives access to all the services and applications a device supports; it runs over L2CAP. Once the connection is set up, the client sends a request. If the full response would not fit within the MTU, only part of the answer is returned together with a continuation state, and subsequent parts are appended to the response already received: the client sends the same request to the server again, echoing the continuation state. The main problem with this design is that the continuation state is not standardized and is not interpreted by the client; it is an opaque value that the server trusts when it comes back. Because there is no uniform standard for it, and the implementations did not validate it, it became possible to read information from outside the response buffer (CVE-2017-1000250 in BlueZ and CVE-2017-0785 in Android).
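As an added example (mine, not the paper's, BlueZ's or Android's code), here is a toy SDP-style server and client in C that model the continuation exchange described above: the server answers in MTU-limited fragments with an opaque continuation state, the client echoes it back unchanged on the next request, and the server checks that the returned value still points inside its own response before copying from it. The choice of a 2-byte offset as the continuation state, the 150-byte sample response, the 48-byte fragment limit and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Server side: the complete attribute response prepared for one request. */
typedef struct {
    uint8_t data[160];
    size_t  len;
} sdp_response;

/* Client side: one reply, a fragment plus the server's opaque continuation state. */
typedef struct {
    uint8_t  frag[64];
    size_t   frag_len;
    int      has_cont;   /* non-zero: more data, resend the request with cont */
    uint16_t cont;       /* this toy server's continuation state is a 2-byte offset */
} sdp_reply;

/* Serve one request. cont is whatever the client echoed back (0 on the first
 * request); max_frag is the limit derived from the client's MTU. Returns 0, or -1
 * when the continuation state does not point inside the response. That comparison
 * is the validation the vulnerable implementations omitted: they trusted the
 * offset and copied from beyond the response buffer. */
int sdp_serve(const sdp_response *resp, uint16_t cont, size_t max_frag, sdp_reply *out)
{
    size_t offset = cont;
    if (offset >= resp->len)
        return -1;                                   /* forged or stale continuation */
    size_t n = resp->len - offset;
    if (n > max_frag)
        n = max_frag;
    if (n > sizeof out->frag)
        n = sizeof out->frag;
    memcpy(out->frag, resp->data + offset, n);
    out->frag_len = n;
    out->has_cont = (offset + n < resp->len);
    out->cont     = out->has_cont ? (uint16_t)(offset + n) : 0;
    return 0;
}

/* Client side: repeat the same request, echoing the continuation state, until the
 * server reports no continuation. Returns the number of round trips, or -1. */
int sdp_fetch_all(const sdp_response *resp, size_t max_frag,
                  uint8_t *buf, size_t cap, size_t *total)
{
    uint16_t cont = 0;
    int rounds = 0;
    sdp_reply r;
    *total = 0;
    do {
        if (sdp_serve(resp, cont, max_frag, &r) < 0)
            return -1;
        if (*total + r.frag_len > cap)
            return -1;
        memcpy(buf + *total, r.frag, r.frag_len);
        *total += r.frag_len;
        cont = r.cont;                               /* echoed back, not interpreted */
        rounds++;
    } while (r.has_cont);
    return rounds;
}

/* Constructed sample: a 150-byte response with a recognisable byte pattern. */
static void make_sample_response(sdp_response *r)
{
    r->len = 150;
    for (size_t i = 0; i < r->len; i++)
        r->data[i] = (uint8_t)i;
}

/* Honest client with a 48-byte fragment limit: 4 round trips (48+48+48+6 bytes). */
int demo_rounds(void)
{
    sdp_response r; uint8_t buf[160]; size_t total;
    make_sample_response(&r);
    int rounds = sdp_fetch_all(&r, 48, buf, sizeof buf, &total);
    if (total != r.len || memcmp(buf, r.data, r.len) != 0)
        return -1;                                   /* reassembly must be exact */
    return rounds;
}

/* Hostile client: echoes a continuation state pointing far past the response. */
int demo_forged_continuation(void)
{
    sdp_response r; sdp_reply out;
    make_sample_response(&r);
    return sdp_serve(&r, 0xFFF0, 48, &out);         /* -1: rejected instead of leaking */
}

int main(void)
{
    printf("round trips to fetch 150 bytes at 48 per fragment: %d\n", demo_rounds());
    printf("forged continuation state: %d\n", demo_forged_continuation());
    return 0;
}
```

Because the client never looks inside the continuation state, the server cannot rely on the client to keep it sane; an attacker simply sends whatever offset reads the most interesting memory. The check has to live on the server, against the server's own buffer.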
BNEP (the Bluetooth Network Encapsulation Protocol) carries network packets over Bluetooth; in most cases it is used for Internet sharing over Bluetooth. The problem was found in the latest implementation of the protocol in Android OS, at the point where the system receives several control messages in one L2CAP packet. The error lies in an attempt to read data that has already been consumed, which results in the remaining buffer length being increased. This vulnerability allows an 8-byte heap overflow following a buffer of any chosen size (CVE-2017-0781).
This is not the only vulnerability in the BNEP implementation. The second one is in the function that handles all control messages. The specification allows the receiving side to ignore unrecognized extension messages, and the implementation skips them using the extension length taken from the extension header; that attacker-supplied length is subtracted from the remaining packet length without first being compared against it (CVE-2017-0782).
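Added example, not Android's code: a C walk over the extension chain of a BNEP control packet, using the simplified layout noted in the comments. It shows the 16-bit remaining-length arithmetic wrapping when an attacker-supplied extension length is subtracted without a comparison, alongside the hardened loop that rejects such a header before skipping. The packet layout, the function names and the two constructed packets are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BNEP_TYPE_MASK    0x7F
#define BNEP_EXT_FLAG     0x80   /* "another extension header follows" */
#define BNEP_TYPE_CONTROL 0x01
#define BNEP_EXT_CONTROL  0x00   /* extension carrying a control message */

/* What the unchecked arithmetic does: the remaining length is a 16-bit value and the
 * skip length comes from the attacker's extension header. Subtracting without a
 * comparison wraps to a huge "remaining" count that later drives a copy. */
uint16_t bnep_remaining_after_unchecked_skip(uint16_t remaining, uint8_t ext_len)
{
    return (uint16_t)(remaining - ext_len);
}

/* Hardened walk over the extension chain of a BNEP control packet.
 * Simplified layout assumed here: [type|E][control type] then, while E is set,
 * [ext type|E][ext len][ext len bytes]. Unknown extension types are skipped by
 * length, as the specification allows, but only after checking that length against
 * what is actually left. Counts control extensions in *ctrl_count. Returns the
 * number of bytes left after the chain, or -1 for a malformed packet. */
int bnep_parse_extensions(const uint8_t *pkt, size_t len, int *ctrl_count)
{
    *ctrl_count = 0;
    if (len < 2 || len > UINT16_MAX || (pkt[0] & BNEP_TYPE_MASK) != BNEP_TYPE_CONTROL)
        return -1;
    uint16_t remaining = (uint16_t)(len - 2);
    size_t off = 2;
    int more = pkt[0] & BNEP_EXT_FLAG;
    while (more) {
        if (remaining < 2)
            return -1;                     /* no room for an extension header */
        uint8_t ext_type = pkt[off] & BNEP_TYPE_MASK;
        uint8_t ext_len  = pkt[off + 1];
        more = pkt[off] & BNEP_EXT_FLAG;
        remaining -= 2;
        off += 2;
        if (ext_len > remaining)
            return -1;                     /* the missing check: skipping would underflow */
        if (ext_type == BNEP_EXT_CONTROL)
            (*ctrl_count)++;
        remaining -= ext_len;              /* skip (or consume) the extension body */
        off += ext_len;
    }
    return remaining;
}

/* Constructed packets. */
static const uint8_t benign_pkt[]  = { BNEP_TYPE_CONTROL | BNEP_EXT_FLAG, 0x01,  /* control, E set */
                                       BNEP_EXT_CONTROL, 0x02, 0xAA, 0xBB };      /* one 2-byte control ext */
static const uint8_t hostile_pkt[] = { BNEP_TYPE_CONTROL | BNEP_EXT_FLAG, 0x01,
                                       BNEP_EXT_CONTROL, 0xC8 };                  /* claims 200 bytes, has 0 */

int demo_benign_control_count(void)
{
    int count;
    return bnep_parse_extensions(benign_pkt, sizeof benign_pkt, &count) == 0 ? count : -1;  /* 1 */
}

int demo_hostile_rejected(void)
{
    int count;
    return bnep_parse_extensions(hostile_pkt, sizeof hostile_pkt, &count);   /* -1 */
}

int demo_unchecked_wrap(void)
{
    /* hostile_pkt has 0 bytes left after its extension header but claims 200 */
    return bnep_remaining_after_unchecked_skip(0, 0xC8);                     /* 65336 */
}

int main(void)
{
    printf("benign packet: control extensions parsed = %d\n", demo_benign_control_count());
    printf("hostile packet: parse result = %d\n", demo_hostile_rejected());
    printf("unchecked skip leaves 'remaining' = %d bytes\n", demo_unchecked_wrap());
    return 0;
}
```

Unsigned wrap-around is well defined in C, which is why the unchecked version does not crash at the subtraction: the failure only appears later, when the wrapped length is used to read or copy past the end of the real packet.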
Selecting and configuring the exploit follows similar steps for all attack vectors on all operating systems (OS).
Stages of the BlueBorne attack:
Since the later stages of the attack differ between vulnerabilities and systems, these differences need to be described in detail.
BlueBorne Attack on Android
Then a connection is made to the MAC address determined in advance. The next stage is sending a request to the device; the victim's device information is returned in the response, which makes it possible to gain full access to the device.
BlueBorne Attack on Windows
The Windows vulnerability lets an attacker carry out a man-in-the-middle attack (CVE-2017-8628). It is similar to the one found on Android (CVE-2017-0783): the connection is again established by MAC address, the attack follows a similar scenario, and it lets the attacker intercept, substitute and forward the transferred data. The sameness of the attack stems from the similarity of the implementations on the different systems.
BlueBorne Attack on Linux
On Linux there are two attack vectors that allow an attacker to take complete control of the infected device.
BlueBorne Attack on iOS
Neither the Armis documentation nor open sources give detailed information on this vulnerability (CVE-2017-14315). Judging by the description, it manifests itself similarly to those described above; the main difference is the way in, through the system's voice-command facility, or more precisely through a vulnerability in it.
The vulnerabilities described above are not especially complex, which itself points to the difficulty of implementing protocols as massive as Bluetooth.
Bluetooth implementations have not received the same level of scrutiny and research as other outward-facing protocols, probably because of Bluetooth's relative complexity.
This lack of testing and analysis has opened up a huge attack surface. The present analysis should raise awareness of these vulnerabilities and help in understanding them.