The Bleedingtooth Vulnerability and Other Bluetooth Security Risks

BleedingTooth - A newly discovered Linux vulnerability poses a threat to many devices

Have you ever heard of BleedingTooth?

And we do not mean the really disturbing-looking mushroom which goes by this name and is totally real (we double checked), but one of the recently discovered vulnerabilities in Linux systems. It hit the tech news recently when Andy Nguyen, a Google security researcher, pointed it out and demonstrated in a video how an attack can be carried out in real time. The code is also available on GitHub if you would like to have a look at it yourself.

(Bonus information for IT security newbies: what Andy Nguyen did is called a PoC – a proof-of-concept exploit. This means he executed the attack solely to prove that the vulnerability exists and can be misused.)

This is the BleedingTooth we are not going to talk about. Photo by Bernypisa, licensed under CC BY 3.0.

Possible victims - Android smartphones

Suddenly all Linux users felt uneasy. And they were not the only ones concerned: since Android devices such as smartphones also run on the Linux kernel, the number of devices which could potentially be attacked is very high. That’s why many users asked: can my device be targeted and misused because of this vulnerability? To answer this question, let’s first look at what this vulnerability consists of.

The culprits - Linux Bluetooth bugs

Every Bluetooth application under Linux uses the Bluetooth protocol stack known as BlueZ to carry out its data transfer. Security gaps were found in three of its protocol implementations. Intel’s security center assessed those vulnerabilities as follows:

  • CVE-2020-12351 with a CVSS score of 8.3, classified as “high” severity
  • CVE-2020-12352 and CVE-2020-24490 with a CVSS score of 5.3, classified as “moderate” severity

The most dangerous of the three, the high-severity bug, makes it possible to smuggle malicious code into the attacked system and execute it. This kind of attack is also called RCE – remote code execution. For those who would like more detail: the security gap is caused by improper input validation, which may allow an unauthenticated user to escalate privileges via adjacent access.

Or, as Francis Perry of Google's Product Security Incident Response Team put it:

A remote attacker in short distance knowing the victim's bd address (Bluetooth address) can send a malicious l2cap packet and cause denial of service or possibly arbitrary code execution with kernel privileges. Malicious Bluetooth chips can trigger the vulnerability as well.

In the case of BleedingTooth, all the attacker needs is for the victim to be within Bluetooth range (this range varies from device to device, but for most devices and smartphones it is around 10 meters). The exploit consists of sending a specially crafted data packet to the victim’s device. Now you might be wondering: surely the victim needs to do something not so smart, like downloading a suspicious-looking file or clicking to give some shady-looking app permission to do something? But no. And this is the scariest part: the victim does not need to do anything for the attacker to carry out the exploit. That’s why it’s called a zero-click vulnerability: no interaction on the victim’s part is needed.

How dangerous is BleedingTooth?

So far everything we have learned about BleedingTooth sounds so dreadful and serious that it seems we need to get rid of our faulty devices or update our kernel version really quickly. Also, many IoT (Internet of Things) devices such as smart TVs, smart speakers or smart household appliances do not receive updates (or if they do, very infrequently), so it is very probable that many of these devices, used in both homes and businesses, will in theory stay vulnerable to exploits such as BleedingTooth for the rest of their lifetime. And BleedingTooth is of course not the only known vulnerability of these devices; there were many before it, like the BlueBorne vulnerability discovered back in 2017, or BlueFrag, reported in February 2020. However, there are no reports of any of them being actively exploited. But why is that?

  • these security bugs occur only in certain versions of Linux, and in the case of BleedingTooth in kernel versions between 4.8 and 5.10, which reduces the number of potentially vulnerable devices;
  • almost all Bluetooth security flaws need the attacker to be physically close to the device, because of the Bluetooth range limitations;
  • the attacker needs to have highly specialized knowledge in the area.

All these factors contribute to the relatively small probability of a real attack. In most real-world attacks, hackers tend to prefer tried and tested exploits that are known to work as desired over new, niche exploits that only work on a small range of possibly affected devices.

Other known Bluetooth exploits

While it is comforting that the real-world risk of being attacked via BleedingTooth is small, there were and are many other ways someone with bad intentions might misuse Bluetooth functionality to compromise a device. Here is a short list of known “Blue” exploits:

  1. BlueJacking

    It was the earliest form of Bluetooth attack and consists of the attacker sending unsolicited messages over Bluetooth to Bluetooth-enabled devices. It may sound more like a nuisance than a threat, but consider that such messages can be a vehicle for phishing attacks.

  2. BlueSnarfing

    In this attack, the hacker pairs his device with yours without your knowledge. This gives him the opportunity to steal your data, such as images, emails, contact lists, calendars, etc. A BlueSnarf attack may be carried out when a Bluetooth-capable device is set to “discoverable” mode (this means that Bluetooth is turned on and the device can be located by other compatible devices within range).

  3. BlueBugging

    The most dangerous threat: Bluetooth is used to establish a backdoor on the victim’s device, which can then be used to spy on the user’s activity.

  4. BlueSmacking

    Ill-minded attackers can crash your devices, block them from receiving phone calls, messages or emails, and even drain your battery by performing a DDOS (Distributed Denial of Service) attack. It works by overwhelming your device with too many or oversized data packets. The device cannot handle such traffic, stops working and freezes.

Tips on how to stay safe from Bluetooth based hacker attacks

The level of Bluetooth security directly depends on which Bluetooth version the devices use. Since this cannot be modified, the remaining precautions lie in changing the way we use our devices. And since in the world of information security it is always better to be safe than sorry, here are some basic rules to follow in order to decrease the risk of your device being hacked through a Bluetooth attack:

  • Always switch off Bluetooth when not in use. This neutralizes most security concerns.
  • Never accept pairing requests from unknown devices.
  • Always double-check the device you are going to connect to, and be on the lookout for misspellings in the device name.
  • Keep your firmware up to date at all times. Make sure that your device uses the latest software and protocol versions.
  • Keep your device in “invisible” (non-discoverable) mode. Be careful, since many devices have discovery mode activated by default.
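As an added example (not code from the article, from BlueZ or from the researchers mentioned), here is a small shell audit that ties the kernel-version point and the tips above together: it flags a kernel whose MAJOR.MINOR sits in the 4.8 to 5.10 window named earlier and reads the adapter's Powered and Discoverable flags from `bluetoothctl show` output. The sample transcript and its adapter address are constructed, and the version window simply follows the article's wording, so a hit is a prompt to check your distribution's patch status, not proof of exposure.

```shell
# Added example, not from the original article: a defender-side audit that
# (1) checks whether the kernel's MAJOR.MINOR falls inside the 4.8 .. 5.10
# window the article gives for BleedingTooth and (2) reads the adapter's
# Powered / Discoverable flags from "bluetoothctl show" output. Only your
# distribution's patch status is authoritative; the version check is a hint.

# kernel_in_affected_range RELEASE -> status 0 when 4.8 <= MAJOR.MINOR <= 5.10
kernel_in_affected_range() {
  ver="$1"
  case "$ver" in *.*) ;; *) return 1 ;; esac   # need at least MAJOR.MINOR
  major="${ver%%.*}"
  rest="${ver#*.}"
  minor="${rest%%.*}"
  minor="${minor%%[!0-9]*}"                    # strip "-generic", "rc1", ...
  [ -n "$major" ] && [ -n "$minor" ] || return 1
  case "$major$minor" in *[!0-9]*) return 1 ;; esac
  code=$((major * 1000 + minor))               # 4.19 -> 4019, 5.10 -> 5010
  [ "$code" -ge 4008 ] && [ "$code" -le 5010 ]
}

# adapter_flag TEXT NAME -> status 0 when TEXT (bluetoothctl show output,
# passed in so it can be tested offline) contains a line "NAME: yes"
adapter_flag() {
  printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2:[[:space:]]*yes[[:space:]]*$"
}

# audit_host RELEASE SHOW_OUTPUT -> prints findings for a human reader
audit_host() {
  if kernel_in_affected_range "$1"; then
    echo "kernel $1: inside the 4.8-5.10 window; verify your distribution ships the fixes for CVE-2020-12351/12352/24490"
  else
    echo "kernel $1: outside the window the article names"
  fi
  if [ -z "$2" ]; then
    echo "no adapter information (bluetoothctl missing or no adapter present)"
  elif ! adapter_flag "$2" Powered; then
    echo "adapter powered off (the article's first tip)"
  elif adapter_flag "$2" Discoverable; then
    echo "adapter powered AND discoverable: turn discoverable off unless pairing right now"
  else
    echo "adapter powered, not discoverable"
  fi
}

# Constructed sample in the layout bluetoothctl prints (placeholder address).
SAMPLE_SHOW='Controller AA:BB:CC:DD:EE:FF (public)
    Name: example-laptop
    Powered: yes
    Discoverable: yes'

audit_host "$(uname -r)" "$(bluetoothctl show 2>/dev/null || true)"
```

Run it as a normal user on the Linux host you want to check; where `bluetoothctl` is absent the adapter part reports that instead of failing.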

Image from Pixabay.

Iveta Karailievova

Originally coming from a marketing background, she decided to turn her life around and immerse herself in the wonderful, exciting and, most importantly, never boring world of technology and web development. Proud employee at MA-NO. Easily loses track of time when enjoying working on code. Big fan of Placebo, cats and pizza.
