The BleedingTooth vulnerability and other Bluetooth security risks

Bleedingtooth - A newly discovered Linux vulnerability poses a threat to many devices


Have you ever heard of BleedingTooth?

And we do not mean the really disturbing-looking mushroom which goes by this name and is totally real (we double checked), but one of the recently discovered vulnerabilities in Linux systems. It hit the tech news recently when Andy Nguyen, a Google security researcher, pointed it out and demonstrated in a video how an attack can be carried out in real time. The code is also available on GitHub if you would like to have a look at it yourself.

(Bonus information for IT security newbies: what Andy Nguyen did is called PoC – proof of concept exploit. This means he executed the attack solely to prove the vulnerability exists and can be misused.)

This is the BleedingTooth we are not going to talk about. Photo by Bernypisa, licensed under CC BY 3.0.

Possible victims - Android smartphones

Suddenly all Linux users were feeling uneasy. And they were not the only ones concerned: since Android devices such as smartphones also run on the Linux kernel, the number of devices which could potentially be attacked grew very high. That’s why many users asked: can my device be targeted and misused because of this vulnerability? To answer this question, let’s first look at what this vulnerability consists of.

The culprits - Linux Bluetooth bugs

Every Bluetooth application under Linux uses a set of communication protocols known as BlueZ in order to carry out the data transfer. In three of those protocols, security gaps were found. Intel's security center assessed those vulnerabilities as follows:

  • CVE-2020-12351 with a CVSS score of 8.3, classified as “high” severity
  • CVE-2020-12352 and CVE-2020-24490 with a CVSS score of 5.3, classified as “moderate” severity

The most dangerous of these three, the high-severity bug, makes it possible to smuggle malicious code into the attacked system and execute it. This kind of attack is also called RCE – remote code execution. For those who would like more detail: the security gap is caused by improper input validation, which may allow an unauthenticated user to escalate privileges via adjacent access.

Or, as Francis Perry of Google's Product Security Incident Response Team put it:

A remote attacker in short distance knowing the victim's bd address (Bluetooth address) can send a malicious l2cap packet and cause denial of service or possibly arbitrary code execution with kernel privileges. Malicious Bluetooth chips can trigger the vulnerability as well.

In the case of BleedingTooth, all the attacker needs is for the victim to be within Bluetooth range (this range varies from device to device, but for most devices and smartphones it is around 10 meters). The exploit consists of sending a specially crafted data packet to the victim’s device. Now you might be wondering: surely the victim needs to do something not so smart, such as download a suspicious-looking data bundle or click and give consent to some shady-looking app? But no. And this is the scariest part: the victim does not need to do anything in order for the attacker to carry out the exploit. That’s why it’s called a zero-click vulnerability. There is no need for any interaction on the victim’s part.

How dangerous is BleedingTooth

So far everything we learned about BleedingTooth sounded so dreadful and serious, as though we need to get rid of our faulty devices or update our kernel version really quickly. Also, many IoT (Internet of Things) devices such as smart TVs, smart speakers or smart household appliances do not receive updates (or if they do, they are very infrequent), so it is very probable that many of these devices, used in both homes and businesses, will theoretically stay vulnerable to exploits such as BleedingTooth for the rest of their lifetime. And BleedingTooth is of course not the only known vulnerability of these devices; there were many before, like the BlueBorne vulnerability discovered back in 2017, or BlueFrag, reported in February 2020. However, there are no reports of any of them being actively exploited. But why is that?

  • these security bugs occur only in certain versions of Linux, and in the case of BleedingTooth in kernel versions between 4.8 and 5.10, which reduces the number of potentially vulnerable devices;
  • almost all Bluetooth security flaws need the attacker to be physically close to the device, because of the Bluetooth range limitations;
  • the attacker needs to have highly specialized knowledge in the area.

All these factors contribute to the relatively small probability of a true attack. In most real-world attacks, hackers tend to prefer tried and tested exploits that are known to work as desired over new, niche exploits that only work on a small range of possibly affected devices.
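A first triage step an administrator can take is to check whether a machine's kernel falls in the version range named above and whether the Bluetooth stack is even loaded. This is an added example, not code from the article or from the BleedingTooth research; it assumes the range "between 4.8 and 5.10" means 4.8 inclusive up to but not including 5.10, and it is only a triage hint, because distributions backport fixes without changing the version number.

```python
import re
import subprocess
from typing import Optional, Tuple

# Kernel range the article names for BleedingTooth. Assumption: lower bound
# inclusive, upper bound exclusive (4.8 <= major.minor < 5.10).
AFFECTED_RANGE = ((4, 8), (5, 10))


def parse_kernel_release(release: str) -> Optional[Tuple[int, int, int]]:
    """Turn a `uname -r` string such as '5.4.0-58-generic' into (5, 4, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def in_affected_range(release: str) -> Optional[bool]:
    """True if major.minor lies in AFFECTED_RANGE, None if unparseable."""
    v = parse_kernel_release(release)
    if v is None:
        return None
    lo, hi = AFFECTED_RANGE
    return lo <= v[:2] < hi


def bluetooth_module_loaded(proc_modules_text: str) -> bool:
    """True if the 'bluetooth' module is listed in /proc/modules content."""
    return any(line.split(" ", 1)[0] == "bluetooth"
               for line in proc_modules_text.splitlines())


def triage(release: str, proc_modules_text: str) -> str:
    """Combine both checks into a short verdict for an admin report."""
    affected = in_affected_range(release)
    if affected is None:
        return "unknown kernel version; check manually"
    if not affected:
        return "kernel outside the range named for BleedingTooth"
    if not bluetooth_module_loaded(proc_modules_text):
        return "kernel in range, but Bluetooth stack not loaded"
    return "kernel in range and Bluetooth loaded: verify distro patch status"


if __name__ == "__main__":
    # Live check on the current host (Linux only).
    rel = subprocess.run(["uname", "-r"], capture_output=True, text=True).stdout
    with open("/proc/modules") as f:
        print(triage(rel, f.read()))
```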


Other known Bluetooth exploits

While the fact that the real-world risk of getting attacked by BleedingTooth is small is a comforting thought, there were and are many other ways someone with bad intentions might misuse the Bluetooth functionality and compromise a device. Here is a short list of known “Blue” exploits:

  1. BlueJacking

    It was the earliest form of Bluetooth attack and consists of the attacker sending unsolicited messages over Bluetooth to Bluetooth-enabled devices. It may sound more like a nuisance than a threat, but consider that phone messages can be a means of phishing attacks.

  2. BlueSnarfing

    In this attack, the hacker pairs their device with yours without your knowledge. This gives them the opportunity to steal your data, such as images, emails, contact lists, calendars, etc. A BlueSnarf attack may be carried out when a Bluetooth-capable device is set to “discoverable” mode (this means that the Bluetooth function is turned on and the device can be located by other compatible devices within range).

  3. BlueBugging 

    The most dangerous threat, when Bluetooth is used to establish a backdoor on the victim’s device. This backdoor can then be used to spy on the user’s activity.

  4. BlueSmacking 

    Ill-minded attackers can crash your devices, block them from receiving phone calls, messages or emails, and even drain your battery by performing a DDoS (Distributed Denial of Service) attack. It works by overwhelming your device with too many or too large data packets. The device cannot handle such traffic, stops working and freezes.


Tips on how to stay safe from Bluetooth based hacker attacks

The level of Bluetooth security directly depends on which Bluetooth version the devices use. Since this cannot be modified, there are other precautions we can take by changing the way we use our devices. And since in the world of information security it is always better to be safe than sorry, here are some basic rules to follow in order to decrease the risk of your device being hacked by a Bluetooth attack:

  • Always switch off your Bluetooth function when not in use. This neutralizes most security concerns.
  • Never accept pairing requests from unknown devices.
  • Always double-check the device you are going to connect to and be on the lookout for any misspellings in the device name.
  • Keep your firmware up to date at all times. Make sure that your device uses the latest software and protocol versions.
  • Keep your device in “invisible” mode. Be careful, since many devices have discovery mode activated by default.

Image from Pixabay.

Iveta Karailievova

Originally coming from a marketing background, she decided to turn her life around and immerse herself in the wonderful, exciting and, most importantly, never boring world of technology and web development. Proud employee at MA-NO. Easily loses track of time when enjoying working on code. Big fan of Placebo, cats and pizza.
