While the use of Bluetooth technology and other RF (radio frequency) enabled devices is commonplace in our daily lives, especially in the modern office environment, few users actually understand how the technology works. Further, even fewer understand the security risks associated with Bluetooth devices.
We love the conveniences that tethering devices to wireless printers, speakers and headphones provide, so is the concern about security in the office being overhyped?
The Not-So-Bygone BlueBorne Threat
The security industry works quickly to squash vulnerabilities as quickly as they are discovered, but that doesn’t mean after the vulnerabilities are discovered ALL devices are immunized to the threat. The BlueBorne vulnerability registered on our collective radar late in 2017, but many devices never received the patches and updates necessary to remove the nine possible threat vectors.
Research suggests that two billion devices are still vulnerable to BlueBorne through the neglect of updates or never having received patches in the first place.
BlueBorne worked differently than other threats to Bluetooth-enabled devices like bluebugging or bluejacking. This attack targeted different parts of the Bluetooth stack. BlueBorne would attempt to pose as a device that wished to connect but the exploit would be executed before the connection attempt would require a user to perform an action.
Part of the reason BlueBorne was so effective was that the attack didn’t rely on the internet connectivity of the device, which was a little-explored area of the cybersecurity research community at the time. The attacker would manipulate the timestamp and size of the discovery query and send a second discovery query as a separate service to the original target. This effectively activated the failsafe connection of the device and allowed unfettered access.
BlueBorne affected pre-iOS 10 devices on Android, Window and Linux platforms. While important lessons have been learned from the BlueBorne event, many devices will remain vulnerable to emerging attack vectors.
Negotiation Vulnerability
In August of 2019, another notable security vulnerability was detected in Bluetooth technology. Bluetooth BR/EDR devices using specification versions 1.0 to 5.1 are vulnerable to Key Negotiation of Bluetooth (KNOB) attacks.
This bug effectively allowed an attacker to brute force the encryption key used by devices during pairing. The information revealed by the Center for IT-Security, Privacy and Accountability (CISPA) reported that in some cases, attackers are able to reduce the encryption key to a single octet.
In theory, if the keys of two devices have been exposed by an attack, bad actors can manipulate the data being exchanged between the devices. This would expose users to a third-party having the ability to inject commands and monitor the keystroke of the compromised device. ICASI did mention they had not yet seen this attack vector be deployed maliciously.
The official statement from Bluetooth: “For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were establishing a BR/EDR connection. If one of the devices did not have the vulnerability, then the attack would not be successful.
“The attacking device would need to intercept, manipulate, and retransmit key length negotiation messages between the two devices while also blocking transmissions from both, all within a narrow time window.”
Why We Should Care
According to shipping data, there are around 8.2 billion Bluetooth-enabled devices in use throughout the world. Knowing that a good chunk of these devices are not operating with the current version of the firmware, or will not be updated when a new vulnerability is discovered is a very enticing opportunity for criminals.
Bad actors understand that a LOT of valuable data can be obtained through Bluetooth devices, and the barrier to entry may be lower than traditional hacking methods because of the comparatively weak security protocols.
This presents a critical issue for IT managers and security professionals advising clients in certain industries. The aftermath of a data breach for any small business can be devastating, but tightly regulated industries like finance and healthcare risk higher regulatory penalties and exponentially higher damage to their reputation in the wake of a breach.
Of course, we can’t expect the modern office environment in these industries to revert back to dot-matrix printers and telephones with 30-foot chords.
For the security community, staying ahead of the curve in securing Bluetooth-enabled devices requires more investment in researching the threat landscape. From a business perspective, investing in partnerships with vendors and advisors who understand threats holistically, including those from wearable, wireless devices are a meaningful step towards a stronger cybersecurity strategy.