Let's talk about Blueborne, the latest Bluetooth vulnerability

Android dudes (Image credit: Jerry Hildenbrand / Android Central)

We got to see something cool and terrible (yes, it's possible to be both at the same time) earlier this week when Armis Security published the details of a new set of Bluetooth vulnerabilities. Called "BlueBorne," the attack lets a person with the right tools who is within Bluetooth range of your smart thing (laptop, phone, car, or anything else that runs Android, as well as most every other operating system, including Linux, iOS and Windows) take control of the device without any action from the user, and without ever pairing with it.

That's because the attack targets the parts of the software that handle the very first steps of a connection, and uses them to hijack the Bluetooth stack itself. Those parts look much the same across operating systems, because Bluetooth is complicated and the stack takes on a lot of work (service discovery, network encapsulation, connection setup) that the OS would otherwise have to do, and all of it runs before the user is ever asked anything.

Interested yet? If not, you should be.

Before we go any further, here is the good(ish) news: Apple, Google, and Microsoft have all patched the vulnerabilities. On the Android side, the fix is in this month's security patch (the September 2017 patch level), timed to line up with the public disclosure. That is no coincidence, and kudos to Armis for working with the companies who write the software we all use every day to get this fixed before talking about it. Of course, almost every Android-powered device doesn't yet have this patch and won't for a while.

I'll resist the temptation to make this all about Android's update woes and the million-and-one different reasons that it happens. I'll just say that if you value being protected against most vulnerabilities like this you currently have three options: an Android-powered device from BlackBerry, an Android-powered device direct from Google, or an iPhone. You decide what to do here.

Instead let's talk about what Blueborne is and how it does it, as well as what you can do about it.

What is Blueborne?

It's a set of eight vulnerabilities (Armis's count, spread across Android, Linux, Windows and iOS) in the Bluetooth stacks running on almost every smart device in the world, including some 2 billion Android phones. The headline bugs are not MiTM (Man in The Middle) attacks, where someone intercepts Bluetooth traffic between you and a thing you're connected to, although two of the eight, one on Android and one on Windows, are exactly that (Armis calls them "Bluetooth Pineapple"). The rest are flaws in how the stack parses what an unknown device sends it. The attacker poses as a device that wants to discover and connect over Bluetooth, and the exploit lands before the connection attempt gets to a stage where a user needs to act; your phone doesn't even have to be in discoverable mode.

For people into this sort of thing, the short version of how it works on Android: Armis found four bugs in the Android stack, and none of them needs the attacker to pair with the phone. The first is an information leak in the SDP (Service Discovery Protocol) server. An attacker sends crafted discovery requests whose continuation state isn't properly validated, and the replies carry bytes of the Bluetooth process's memory, which is what the attacker needs to defeat ASLR. The two remote code execution bugs are in BNEP (Bluetooth Network Encapsulation Protocol, the service behind Bluetooth tethering): attacker-controlled length fields in BNEP control and extension headers are trusted, the remaining-length arithmetic underflows, and the process writes past the end of a heap buffer. The fourth is a logical flaw that lets an attacker pose as a network device and intercept the phone's traffic (the "Bluetooth Pineapple"). SDP and BNEP are reachable over L2CAP before any pairing happens, which is why the Security Manager and the fallback "just works" pairing mode never get a say. The Linux version is more direct still: a straight-up stack overflow in the kernel's L2CAP configuration-response parser, reachable by any device in range. For the record, the Windows bug is a MitM flaw and the iOS bug is remote code execution in Apple's Low Energy Audio Protocol, fixed in iOS 10. I'm not familiar enough with Windows or iOS to parse the exploit details for those operating systems, but if you are, read Armis's technical paper. Then hit the comments and help us all understand better.
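To make the BNEP part concrete, here is an added example. It is not Armis's exploit code and not Android's Bluetooth stack; it is a small C walker I wrote to show the bug class described above, a chain of extension headers whose lengths come from the attacker and get subtracted from an unsigned remaining-length counter with no bounds check. The header layout (type byte with a "more follows" bit, length byte, payload) and the packet bytes are my assumptions for the demo, not the real BNEP wire format.

```c
/*
 * Added example for this article. It is NOT Armis's exploit code and NOT
 * Android's Bluetooth stack. It is a toy, modelled on the bug class Armis
 * described in Android's BNEP handling: a chain of extension headers whose
 * lengths come from the attacker, subtracted from an unsigned "remaining
 * length" counter without a bounds check, so a bogus length wraps the
 * counter to a huge value that later code would trust.
 *
 * Assumptions (mine, for the demo): each header is a type byte (top bit =
 * "another header follows"), a length byte, then that many payload bytes.
 * The packets below are constructed, not captured.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXT_BIT 0x80u

/* Vulnerable walker. Mirrors the dangerous pattern: trust ext_len, subtract,
 * keep going. Returns the remaining-length counter after the headers, which
 * is the value a later memcpy/forwarding step would use as its size.
 * (The demo packets end after the bad header, so the loop never over-reads;
 * the damage is in the returned counter.) */
uint16_t walk_ext_headers_vuln(const uint8_t *pkt, uint16_t len)
{
    uint16_t rem_len = len;
    size_t i = 0;
    uint8_t type;

    do {
        type = pkt[i++];
        uint8_t ext_len = pkt[i++];
        rem_len -= 2;            /* type + length bytes */
        i += ext_len;            /* skip a payload we never validated */
        rem_len -= ext_len;      /* BUG: ext_len > rem_len wraps to ~65535 */
    } while (type & EXT_BIT);

    return rem_len;
}

/* Hardened walker. Every header and its payload must fit in what is left.
 * Returns -1 for a malformed packet, otherwise the number of bytes left
 * after the last header (the real payload). */
int walk_ext_headers_safe(const uint8_t *pkt, uint16_t len)
{
    size_t rem_len = len;
    size_t i = 0;
    uint8_t type;

    do {
        if (rem_len < 2)
            return -1;           /* no room for a type/length pair */
        type = pkt[i++];
        uint8_t ext_len = pkt[i++];
        rem_len -= 2;
        if (ext_len > rem_len)
            return -1;           /* header claims more than is present */
        i += ext_len;
        rem_len -= ext_len;
    } while (type & EXT_BIT);

    return (int)rem_len;
}

/* Constructed packets (not captured traffic). */
const uint8_t demo_benign[] = {
    0x81, 0x02, 0xAA, 0xBB,   /* header 1: more follows, 2 payload bytes */
    0x01, 0x01, 0xCC,         /* header 2: last one, 1 payload byte */
    0xDD, 0xEE                /* 2 bytes of real payload left over */
};
const uint8_t demo_evil[] = {
    0x01, 0xFF, 0x00, 0x00    /* last header claims 255 bytes; only 2 exist */
};

int main(void)
{
    printf("benign: vuln=%u safe=%d\n",
           (unsigned)walk_ext_headers_vuln(demo_benign, (uint16_t)sizeof demo_benign),
           walk_ext_headers_safe(demo_benign, (uint16_t)sizeof demo_benign));
    printf("evil:   vuln=%u safe=%d\n",
           (unsigned)walk_ext_headers_vuln(demo_evil, (uint16_t)sizeof demo_evil),
           walk_ext_headers_safe(demo_evil, (uint16_t)sizeof demo_evil));
    return 0;
}
```

On the benign packet both walkers agree that two payload bytes remain. On the bad packet the vulnerable walker hands back 65283 as the remaining length, and in a real stack that number feeds a copy into a buffer that was sized for the actual packet, which is the heap overflow. The hardened walker rejects the packet with two extra comparisons, and that is roughly the shape of the fixes that went into the September patch.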

If you're not into looking through code (it's a special sort of illness, I do admit) the short short version is that a person with a computer that has a Bluetooth connection can type a few lines in a terminal and connect to your phone. How easy it is for him or her to connect is ridiculous (we'll talk about why that is later) and anyone with even just a passing knowledge of this sort of thing can do it. That's why it was important that Armis hold the release until Apple, Google, and Microsoft were able to act.

The scary part is what happens after the connection is made. There is no secret magic app that roots your phone and hacks all your data: the exploit runs inside the Bluetooth process, and Android's permission model still keeps that process from getting root. But that process is far from ordinary. It runs as the dedicated bluetooth system user, with a set of privileges no app from the Play Store gets, and an attacker who controls it inherits them. In practice that means they can do much of what you could do if you were holding the phone.

With 8 billion devices that need to connect, Bluetooth is a big target for people who want to steal data.

In Armis's demo video (not embedded here), the attacker takes over a sleeping Pixel, establishes what amounts to a remote input session with it, and then does the same things you could do if you were holding it in your hands. Apps can be started, pictures, video, and audio can be recorded, and your files can be downloaded directly to the attacker's computer. There is nothing on your phone to say "Stop, this is not cool," because nothing looks wrong: the requests come from a trusted system process. None of your data is safe. If the attacker can't reach a sandboxed directory, he or she can simply open the associated app and grab images of what's on the screen while it is running.

The frustrating part of all this is why it works. I'm not talking about how the stack is exploited and someone crashes their way in, I mean why in the broader sense. Why something this preventable was able to slip past the experts who oversee security and are really good at writing this sort of thing out of the operating system. And the answer is that it happened because Bluetooth is a giant, complicated mess.

It's not the Bluetooth SIG's (Special Interest Group) fault, even if it is ultimately their responsibility to address this. Bluetooth started out in 1998 as a simple short-range wireless link. It's now on more than 8 billion devices worldwide and has grown and grown in features and complexity. And it has to be backward compatible, so portions of it have to be left as-is, including the weaker pairing modes: if an encrypted, authenticated pairing can't be established, the stack falls back to something less secure ("just works" pairing, which asks the user nothing) and keeps trying until it connects, runs out of options, or the security manager tells it to stop. Worse, whole protocol layers (service discovery, network encapsulation, and the L2CAP plumbing underneath them) have to talk to unknown devices before any pairing happens at all, so the security manager never gets a vote. That is where BlueBorne lives. And as new features get added in newer versions, the attack surface only grows.

There are exploits in proprietary software, too. We just don't know about them until it's too late.

The people writing an operating system and the security team whose job it is to break it will all take their share of the responsibility here, too. The problem is that they're dealing with impossibly complex code in the Bluetooth stack, and while they are busy hardening it against one thing, other things can still be exploited. Google doesn't even use the Linux kernel's BlueZ stack on Android; it ships its own (the Bluedroid/Fluoride stack), and Apple and Microsoft have theirs, yet all of them were hit. The things you use are well-protected against the classic attacks, like a man in the middle or a way to get admin permission over Bluetooth, because those have traditionally been the way Bluetooth was exploited and there is always plenty of work being done to prevent them. Plain memory-safety bugs in the parsers for protocols nobody thinks about got less attention.

Finally, this is a good example of why open-source code is great, with one caveat. Because the Android and Linux stacks are open, Armis could see exactly how the bugs work and exactly how to patch them, and anyone can check the fix. The caveat: Armis also found bugs in the closed Windows and iOS stacks, so closed source didn't hide anything from a determined researcher. What it does hide is the fix. If every company involved used closed proprietary code, the bugs would still exist, but we'd be taking each vendor's word that they were fixed, and we might not hear about them until other folks, with worse intentions, had found them first.

What should you do about it?

Every person reading this probably has one or more Bluetooth devices. Your watch, your phone, your laptop, your TV, and the list could go on and on; Bluetooth is everywhere and on almost everything. That means you're likely to have Bluetooth enabled on your phone, and that's all it takes to be vulnerable to this if your phone is still unpatched.

The saving grace here is that Bluetooth is a short-range standard. Bluetooth 5 extends the range for low-energy links, but a phone's radio is pretty much confined to about 30 feet (10 meters) before the signal gets bad. That means you're mostly at risk when you're within 30 feet of the person trying to get into your phone, with one caveat: that number comes from your phone's radio, and an attacker with a better radio and a high-gain directional antenna can work from well past it. Think of 30 feet as the floor, not the ceiling.

Bluetooth's short range means an attacker has to be near you to use the Blueborne exploit.

The way this exploit works is scary, but in the demo it's also noticeable. If your phone is sleeping and locked, an attacker can still connect. In Armis's demo, the moment they try to get at your stuff, the screen lights up, and anything done through the normal user interface runs into the lock screen. Don't lean on that. The screen turning on is a side effect of the particular payload Armis demonstrated, not of the vulnerability: code that stays inside the Bluetooth process, which runs whether the screen is on or not, would give you nothing to notice. Don't think for a minute that people aren't working on exactly that, because they are. And they will get there.

I'm not going to suggest you stop using your smartwatch or your favorite Bluetooth headset and shut down Bluetooth permanently. But there are a few things we can do to make it harder for someone to get in through Bluetooth while we're waiting for a patch. And again: if your phone shows an Android security patch level of September 1, 2017 or later (look under About phone in Settings), you're protected against these particular bugs.

  • Shut Bluetooth off when you're not using it. You're probably safe at home or at work, but if you get into the habit of turning Bluetooth off when you don't need it you won't forget the next time you go to Starbucks. There is no way for an attacker to turn Bluetooth on. At least not yet.
  • Make sure you have a secure lock screen. Dead stop. If you don't already have a password, PIN, pattern, fingerprints or anything else set up so your phone is locked until you unlock it yourself, go do it now.
  • Turn off trusted devices (Smart Lock) while you're at it. Smart Lock keeps the phone unlocked whenever a paired Bluetooth device is nearby, so a locked phone isn't really locked while your watch or car is in range. Tapping in a 4-digit PIN or scanning your eyeballs is way more convenient than getting new credit cards and talking to your bank, even once. Trust me, I've been there. (Thanks, Target. Idiots, I swear.)
  • Don't leave your phone unattended. Put it in your pocket or purse and take it with you even if you're only stepping away for a minute or two.
  • If you see the screen turn on, look and see why. This is the biggest "flaw" in the demonstrated exploit: the payload Armis showed turns your screen on when the attacker starts doing things after connecting. A quieter payload wouldn't, so treat this as a bonus, not a defense.
  • Ask the company you gave money to when you bought your phone when you should expect an update to fix this. Asking nicely lets them know that you care, and when enough people show they care, a company will decide to care. The patch is available to every phone running Android 4.4 and higher; shipping it is up to the manufacturer.

There probably isn't an army of people armed with laptops and Mountain Dew patrolling the streets, ready to hack "all the phones" through Bluetooth. But there could be that one guy, and he could be at McDonald's or the library or anywhere else. In cases like this, it's always better to be safe because the things we can do are pretty easy.

Your stuff is worth it.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

  • Downside to having a rooted phone and being stuck with April 1st security patch.. But knowing android so many devices never get updated. They are all vulnerable.
  • My rooted phone is on the latest security patch.
  • Please explain, so I can too.
    Moto X Pure Edition, here.
  • The essential phone already has the September security update, you can add that to the list of unaffected devices.
  • But what about the devices you are connecting to? In order for this to be secure, all devices that are connected to each other need to be patched, as you can use an affected device to get into an unaffected device.
  • How is my BT earbud going to get a security patch?
  • Your BT earbud probably doesn't have a filesystem, let alone a user interface, and undoubtedly has limited bluetooth protocols, so there's very little an attacker could do if he/she took control of your earbud. There's a good chance that your earbud doesn't use a Microsoft OS or Apple OS or Linux kernel, so it might not have this vulnerability.
  • Thanks a lot Jerry. This is very helpful, and much appreciated.
  • I really don't keep BT on unless it's actually in use, and I stopped using trusted devices when I got a device with a good FP reader. My network group also handles security, and we have captured Bluetooth data and re-assembled phone conversations without much trouble. No MiTM, just radio packet capture.
  • Armis has an app that will tell you if you're affected or if nearby devices are at risk. It's pretty decent.
  • My Note 8 still says August 1st security patch, but I could have sworn I got an update the day after I got it that said it patched BlueBorne. Did anyone else see this? Edit: Armis app says I'm vulnerable. Maybe it was my S7 that got the update? I don't remember, I know I saw it though.
  • On their Security Blog, Samsung is not mentioning BlueBorne at all https://security.samsungmobile.com/securityPost.smsb
  • I received an update from VZW yesterday that says it has the Aug. security patch. After the update I ran Blueborne Scanner again & it indicated that my Note8 was still vulnerable. Then Blueborne Scanner updated earlier today. Ran it again and now the Note8 is not vulnerable. So is the Aug. security patch the one that fixes the vulnerability & was what the press told 'incorrect'? How much can we trust the scanner? Inquiring minds want to know...
  • 7 Edge - and currently on the August 1st security patch.. today's date is September 16th. Admittedly I skimmed through the article - and I would assume the next OS update would take the update fix to a new fundamental level. It - still - amazes - me - how people don't care about updates or OS updates. Enough said I guess...
  • Coincidentally, I woke up to my phone (S7E) wanting to install an update this morning, and it turns out it was the August 1 patch. So it took Samsung 1.5 months to get the August 1 - released patch to my phone.
  • If you have a PIN or password for your lock screen, can would-be attackers do anything other than turn on your screen?
  • Yep, malware is becoming a more serious threat to Android every year. Although it's not something the vast majority have to worry about, eventually, they will. Better to be proactive about defense now than cleaning up the mess later. Sophos mobile security is a very comprehensive app, and is one of the only free ones left that don't have ads or a subscription. They also have free protection for home computers too. A great combination with superior detection. They scored 100% on recent independent tests.
  • This is why I will only get a phone that receives timely security updates, even if most of the exploits are rare or chances of being infected are low. Currently BlackBerry Android, not vulnerable to this exploit as I have the September patch. Next phone will have the same criteria.
  • Thanks for the heads up.
    I fortunately very seldom use bluetooth. And the only phone I use bluetooth in is the Z3 Compact which is just a glorified mp3 player. And it's to play music either to a pair of Samsung Level wireless headphones or music speakers (be it the soundbars around the house or a Nokia JBL PowerUp).
    So a hacker that would: 1 - be able to get near me to hack it; 2 - be able to hack it...wouldn't get much of a reward apart from, maybe, a rather extensive music library...which is locally stored anyway because it was ripped from physical discs as I absolutely loathe buying music digitally.
    Still...better be aware of these things.
  • So you don't mind the attacker reading everything you type, all your messages, all your email?
  • He said the phone he uses Bluetooth for is pretty much an MP3 player - not the phone he'd use for messaging and such.
  • I came for the Bloodborne jokes. Apparently, no one here plays video games. Boo. My Z5 Compact probably won't get any more security updates, at least not soon. Bummer. I hope I don't get hacked before I get a new phone. I've got my eye on the new Pixel, though, since Sony apparently can't release fully-featured phones in the US. It's honestly pretty frustrating to buy new phones these days. I loved being up-to-date with security and OS updates on my Nexus 5, but I much prefer the smaller form factor of the Xperia Compact line. Unfortunately, Sony has that fingerprint sensor thing in the US, and international models aren't 100% compatible with all of the current T-Mobile spectrum, so importing isn't very enticing. It honestly sucks choosing between a comfortable form factor or overall features. I think the new Pixel will be an OK form factor if the bezels are smaller than the Nexus 5 with the same size screen, but it's still pushing my limits.
  • Me too. Coming for Bloodborne jokes. But only you alone mention Bloodborne...
    Just keep your Bluetooth off until you change to a new phone. Didn't know Bluetooth is used that frequently in other countries. In my third-world country, I seldom see anyone turn on Bluetooth.
  • Why can't basic fixes be supplied by the Google Play Store when you log in... That would solve it
  • The fixes for the 4 vulnerabilities aren't "basic", they're very low level, in the ROM. If Google had found a way of mitigating them through a Google Play Services update, they surely would've done so.
  • I think the screen going on is just an effect of the demonstrated payload, not of the vulnerability itself. The BT stack probably runs with elevated privileges, so the payload could run as root on your phone, watch, toaster… If the attack can be performed with any BT device, there is really nothing preventing an attacker from writing a virus based on this that exploits phones and in turn lets them exploit others. Make a few payloads for popular models, ride the subway a couple of times and you'll have a phone botnet :-/
  • BlackBerry Mobile should be bragging about things like this. These are the type of things that gives the underdog an advantage. With the right people and message in marketing and public relations, so much could be accomplished!
  • Exactly dude.
  • I think this may be a very serious issue.
    I asked on Reddit, on the Android Wear subreddit, how often Android Wear devices are updated and it doesn't look good.
    www.reddit.com/r/AndroidWear/comments/70hore/security_patch_sept_2017_fo... We already know that the LG Watch Sport is affected and all other Android Wear watches (not BLE only) are affected, and on these devices you cannot turn off the Bluetooth radio. Also it does not seem to be only Win/Linux/Unix/Mac that are affected. Even other devices are being affected (might be Linux underneath though):
    Someone was able to brick their Pokemon Go wearable device (Go-Tcha) because of this. When the bad people start to interrogate the code, and maybe use other known exploits in conjunction with BlueBorne, we might see a lot of things breaking... Not looking forward to the next 3-6 months when the exploits mature.
  • I don't keep my bluetooth on except when I'm using it, but, even then, the default setting is "visible only to paired devices." That should provide some level of protection, no? (Galaxy S5, no more updates.)
  • That's my question too. Is the "not visible" setting that is available on many phones a deterrent?
  • No, not a deterrent. Visible only to certain devices includes some listening, which makes it vulnerable. Apparently, any filtering your phone does is insufficient.
  • Asking HTC makes no difference. Even Samsung updated the 2014 galaxy S4 a week ago. Meanwhile my HTC M8 is on the 01-2016 security patch and HTC does not care.
  • >I'm an RHCE and electrical engineer What engineering school did you graduate from?
  • Who are you asking?
  • He's asking Jerry Hildebrand, the author, who said that he was an RHCE and an engineer.
  • "Hildenbrand." Sorry, Jerry.
  • I thought maybe I'd see more comments voicing my sentiments, that maybe oem's were way too eager to drop the headphone jack. I was already going to avoid upgrading to anything that didn't have one, just 1 more reason to stay with the idea.
  • I know people who have the headphone jack on their phone and continually leave their Bluetooth on. Simply because they are periodically using their car throughout the day and don't want to toggle the Bluetooth on or off each time they get into or out of their car.
  • Could you please tell us where you got the info from that a PIN Code or any Screen Lock protects from this vulnerability? In the demo it shows how he got full shell access, which means you don't really have to unlock the phone to install apps and grant permissions.
  • Try free Bluetooth+ app in play store. New 'BlueBorne quarantine' feature added. Root is required.
  • I have trusted Bluetooth in my house and for my car, and since I'm using the LG G6 I use the fingerprint reader to unlock. Can I still leave my Bluetooth on with these safeguards in place, or should I turn it off when out in public?
  • I installed Bluetooth Firewall. I cannot completely turn off Bluetooth and don't have the latest patch. So I made my devices trusted and turned on BlueBorne protection.
  • Why on earth Jerry Hildenbrand keeps mentioning BlackBerry as one of the few options that remain the most secure is beyond me. At the moment BlackBerry has not been keeping its promise to update its devices monthly, for about half a year now... I'm typing this on a DTEK60 purchased at Belsimpel in the Netherlands. Belsimpel is an official BlackBerry dealer, as they state. My DTEK60 was updated on September 5th with the August update. And that was on par with the folks that purchased their DTEK60 phones directly from ShopBlackBerry. As of this moment the DTEKs have not received the September update although BlackBerry has stated otherwise. Word is that also not all of the KEYone phones purchased at ShopBlackBerry have received the update.
    May this be a fair warning to people that are considering buying a BlackBerry because it is supposed to be up to date all the time. They are NOT!
  • "Word is"? That's your evidence?... Poster below with a Blackberry Android begs to differ. The other BLACKBERRY point that hasn't been raised, is that millions of BLACKBERRY's super-secure BB10 (not to be confused with iphone x) smartphones all-touch or touch-and-keyboard smartphones (because for some, on-screen keyboards are just a pane in the glass), are not vulnerable to this particular hack . Neither are blackberry's running the older BB operating systems. BB10 fans say to Apple and Android fans..when it comes to personal security welcome to 2013, why did it take you so long to get here? Here is a list of some of the BB10 smartphones that BLACKBERRY has made:
    All-touch slabs :Z10, LEAP, Z30
    Touch screens with Physical-keyboards: Q10, Classic, and Passport. The most recent being the Passport. The Latest reasonably affordable Blackberry Android (much less than $1g) is the KEYone (touch with physical keyboard) with a newer device unveiling on the horizon.
  • I had a Passport. Loved it. Couldn't use it any longer because of the Android runtime not getting updated.
    Whether or not it was secure enough didn't matter. I couldn't use it for work any longer. So I decided to get me a DTEK60 because the KEYone wasn't available yet in November 2016.
    And now I'm stuck with an Android device which is not safe with Bluetooth because its manufacturer isn't capable of updating fast enough.
    In the Crackberry Forums there are enough people with a KEYone purchased at ShopBlackBerry that claim they didn't receive the September update despite BlackBerry claiming they did.
    You may beg to differ, my own experience is proof enough for me. BlackBerry is failing badly.