BleedingTooth - A newly discovered Linux vulnerability poses a threat to many devices
Have you ever heard of BleedingTooth?
And we do not mean the really disturbing-looking mushroom that goes by this name and is totally real (we double-checked), but one of the recently discovered vulnerabilities in Linux systems. It hit the tech news recently when Andy Nguyen, a Google security researcher, pointed it out and demonstrated in a video how an attack can be carried out in real time. The code is also available on GitHub if you would like to have a look at it yourself.
(Bonus information for IT security newbies: what Andy Nguyen did is called PoC – proof of concept exploit. This means he executed the attack solely to prove the vulnerability exists and can be misused.)
This is the BleedingTooth we are not going to talk about. Photo by Bernypisa, licensed under CC BY 3.0.
Possible victims - Android smartphones
Suddenly all Linux users felt uneasy. And they were not the only ones concerned: since Android devices such as smartphones also run on the Linux kernel, the number of devices that could potentially be attacked is very high. That’s why many users asked: Can my device be targeted and misused because of this vulnerability? To answer this question, let’s first look at what this vulnerability consists of.
The culprits - Linux Bluetooth bugs
Every Bluetooth application under Linux uses a set of communication protocols known as BlueZ in order to carry out the data transfer. In three of those protocols, security gaps were found. Intel’s security center assessed those vulnerabilities as follows:
- CVE-2020-12351 with a CVSS score of 8.3, classified as “high” severity
- CVE-2020-12352 and CVE-2020-24490 with a CVSS score of 5.3, classified as “moderate” severity
The most dangerous of the three, the high-severity bug, makes it possible to smuggle malicious code into the attacked system and execute it. This kind of attack is also called RCE – remote code execution. For those who want more detail: the security gap is caused by improper input validation, which may allow an unauthenticated user to escalate privileges via adjacent access.
Or, as Francis Perry of Google's Product Security Incident Response Team put it:
A remote attacker in short distance knowing the victim's bd address (Bluetooth address) can send a malicious l2cap packet and cause denial of service or possibly arbitrary code execution with kernel privileges. Malicious Bluetooth chips can trigger the vulnerability as well.
In the case of BleedingTooth, all the attacker needs is for the victim to be within Bluetooth range (this range varies from device to device, but for most devices and smartphones it is around 10 meters). The exploit consists of sending a special data packet to the victim’s device. Now you might be wondering: surely the victim needs to do something unwise, such as download a suspicious-looking file or give consent to some shady-looking app? But no. And this is the most scary part: the victim does not need to do anything in order for the attacker to carry out the exploit. That’s why it’s called a zero-click vulnerability. No interaction on the victim’s part is needed.
How dangerous is BleedingTooth
So far everything we learned about BleedingTooth sounded so dreadful and serious that it seems we need to get rid of our faulty devices or update our kernel really quickly. Also, many IoT (Internet of Things) devices such as smart TVs, smart speakers or smart household appliances do not receive updates (or if they do, they are very infrequent), so it is very probable that many of these devices, used in both homes and businesses, will theoretically stay vulnerable to exploits such as BleedingTooth for the rest of their lifetime. And BleedingTooth is of course not the only known vulnerability of these devices; there were many before, like the BlueBorne vulnerability discovered back in 2017, or BlueFrag, reported in February 2020. However, there are no reports of any of them being actively exploited. But why is that?
- these security bugs occur only in certain versions of Linux, and in the case of BleedingTooth in kernel versions between 4.8 and 5.10, which reduces the number of potentially vulnerable devices;
- almost all Bluetooth security flaws require the attacker to be physically close to the device, because of the Bluetooth range limitations;
- the attacker needs highly specialized knowledge in the area.
All these factors contribute to the relatively small probability of a real attack. In most real-world attacks, hackers tend to prefer tried and tested exploits that are known to work as desired over new, niche exploits that only work on a small range of possibly affected devices.
Other known Bluetooth exploits
While it is comforting that the real-world risk of being attacked via BleedingTooth is small, there were and are many other ways someone with bad intentions might misuse Bluetooth functionality and compromise a device. Here is a short list of known “Blue” exploits:
- BlueJacking: the earliest form of Bluetooth attack. It consists of the attacker sending unsolicited messages over Bluetooth to Bluetooth-enabled devices. It may sound more like a nuisance than a threat, but consider that phone messages can be a vehicle for phishing attacks.
- BlueSnarfing: in this attack, the attacker pairs their device with yours without your knowledge. This gives them the opportunity to steal your data, such as images, emails, contact lists, calendars, etc. A BlueSnarf attack may be carried out when a Bluetooth-capable device is set to “discoverable” mode (this means that the Bluetooth function is turned on and the device can be located by other compatible devices within range).
- BlueBugging: the most dangerous threat. Bluetooth is used to establish a backdoor on the victim’s device, which can then be used to spy on the user’s activity.
- BlueSmacking: ill-minded attackers can crash your devices, block them from receiving phone calls, messages or emails, and even drain your battery by performing a DDoS (Distributed Denial of Service) attack. It works by overwhelming your device with too many or too large data packets. The device cannot handle such traffic, freezes and stops working.
Tips on how to stay safe from Bluetooth based hacker attacks
The level of Bluetooth security directly depends on which Bluetooth version the devices use. Since this cannot be changed, the remaining precautions lie in how we use our devices. And since in the world of information security it is always better to be safe than sorry, here are some basic rules to follow in order to decrease the risk of your device being compromised by a Bluetooth attack:
- Always switch off Bluetooth when not in use. This neutralizes most security concerns.
- Never accept pairing requests from unknown devices.
- Always double-check the device you are going to connect to and be on the lookout for any misspellings in the device name.
- Keep your firmware up-to-date at all times. Make sure that your device uses the latest software and protocol versions.
- Keep your device in “invisible” (non-discoverable) mode. Be careful, since many devices have discovery mode activated by default.
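As an added example, not part of the original article or of BlueZ itself, the following POSIX shell script turns two of the points above into a local check: whether the running kernel’s major.minor number falls in the 4.8 to 5.10 range the article gives for BleedingTooth, and whether the Bluetooth adapter is both powered and discoverable, the state in which the BlueSnarfing entry above says a device can be located and paired with. It assumes BlueZ’s bluetoothctl CLI and the `Key: value` layout of its `show` output; the sample output embedded in the script is constructed, not captured from a real host. The version check is only a first-pass filter, because distribution kernels often backport fixes without changing the major.minor number.

```shell
#!/bin/sh
# Added triage helper (not from the article): checks the two exposure factors
# the article names, a kernel in its 4.8..5.10 range and a powered, discoverable
# adapter. Assumes BlueZ's bluetoothctl; the version range is the article's and
# is only a first-pass filter (distro kernels backport fixes).

# kernel_in_range VERSION -> 0 when MAJOR.MINOR lies in 4.8..5.10 (inclusive), else 1
kernel_in_range() {
    ver=$1
    case "$ver" in *.*) ;; *) return 1 ;; esac   # need at least MAJOR.MINOR
    major=${ver%%.*}                 # "5.4.0-42-generic" -> "5"
    rest=${ver#*.}                   # -> "4.0-42-generic"
    minor=${rest%%.*}                # -> "4"
    minor=${minor%%[!0-9]*}          # "10-rc1" -> "10"
    case "$major" in ""|*[!0-9]*) return 1 ;; esac   # unparseable
    case "$minor" in ""|*[!0-9]*) return 1 ;; esac
    code=$((major * 1000 + minor))   # 4.8 -> 4008, 5.10 -> 5010
    [ "$code" -ge 4008 ] && [ "$code" -le 5010 ]
}

# bt_flag SHOW_OUTPUT KEY -> prints the value of the "KEY: value" line from
# `bluetoothctl show` output (e.g. yes/no), or "unknown" if the line is absent
bt_flag() {
    printf '%s\n' "$1" | awk -v key="$2:" '
        $1 == key { print $2; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# bt_exposed SHOW_OUTPUT -> 0 when the adapter is powered AND discoverable
bt_exposed() {
    [ "$(bt_flag "$1" Powered)" = yes ] && [ "$(bt_flag "$1" Discoverable)" = yes ]
}

# Constructed sample of `bluetoothctl show` output (not captured from a real host)
SAMPLE_SHOW='Controller 00:11:22:33:44:55 (public)
	Name: example-laptop
	Alias: example-laptop
	Powered: yes
	Discoverable: yes
	Pairable: yes'

# report: run both checks against the live host and print recommendations only
report() {
    kver=$(uname -r)
    if kernel_in_range "$kver"; then
        echo "kernel $kver: major.minor within 4.8-5.10; confirm your distro's patch level includes the BlueZ fixes"
    else
        echo "kernel $kver: outside the range the article gives for BleedingTooth"
    fi
    show=''
    if command -v bluetoothctl >/dev/null 2>&1; then
        show=$(bluetoothctl show 2>/dev/null) || show=''
    fi
    if [ -z "$show" ]; then
        echo "bluetoothctl not available or no controller present; adapter check skipped"
        return 0
    fi
    echo "adapter powered: $(bt_flag "$show" Powered), discoverable: $(bt_flag "$show" Discoverable)"
    if bt_exposed "$show"; then
        echo "exposed: run 'bluetoothctl discoverable off'; when Bluetooth is not in use, 'bluetoothctl power off' or 'rfkill block bluetooth'"
    fi
}

report
```

The script only reports; the three commands it recommends (`bluetoothctl discoverable off`, `bluetoothctl power off`, `rfkill block bluetooth`) are the command-line equivalents of the “invisible mode” and “switch off when not in use” tips above. A kernel inside the range is a prompt to check the distribution’s changelog for the CVE numbers listed earlier, not proof of exposure.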
Image from Pixabay.