Tag Archives: Bluetooth

The Ongoing Saga of IoT Attacks

Israeli Researchers have disclosed two new Bluetooth attacks that only require you to be in the neighborhood to work.  The attacks exploit flaws in Bluetooth Low Energy (BLE) chips made by Texas Instruments.

The chips are used by companies like Cisco, Meraki and Aruba in their corporate solutions.

The chips are also used in pacemakers and insulin pumps.  Given that medical devices historically are horrible about patching, partly due to FDA rules and partly because manufacturers are clueless, these hacks will likely work for years.

We recently saw Russian spies poisoned in England.  What if you hacked the spy’s pacemaker.  Think of the possibilities.  Are people going to reverse engineer the code?  What if you hacked it and the hack restored the original code after the patient was dead.

The future of the spy business.

Alternatively, you could hack a Bluetooth access point that controls heating or lighting in a building or a city and …

The first bug sends the chip more data than the chip can handle causing a buffer overrun and the ability to run arbitrary code.

The second bug exploits a bug in TI’s over the air firmware download protocol.  In this case all Aruba access points use the same password, so that is an easy exploit.

In either case, once you have compromised the device, as long as it is connected to the Internet, you can be anywhere.

All the vendors have released patches for the chips – TO THEIR OEMs!  So now your light bulb vendor has to incorporate the patches and then let you know that the patch is available.

And then you need to patch your light bulb.  All of them.

So what is there to do?

  • Make sure that you have a vendor cyber risk management program and that you ask the vendor how they deal with security issues like this?
  • Make sure that you have an effective patching program.  These flaws were responsibly disclosed only after patches were available, but you have to install them.
  • Configure systems to automatically check for and install patches if possible.
  • If you do not need protocols like Bluetooth, disable them – with light bulbs and such, this is probably not possible.
  • Isolate IoT devices from the rest of your network and from each other – called micro segmentation.  Limit the damage.
  • Stay on top of threat intelligence.  News feeds from your industry, from your vendor, from the government.  Now that you know this is a problem, you can look for patches for your light bulbs.

It is an ugly situation but only going to get a lot uglier as people deploy IoT solutions and do not consider security.

Information for this post came from The Hacker News.



Bluetooth Vulnerability Does Not Require Any User Interaction

Similar to the WiFi bug we reported about in July (see post), this Bluetooth bug does not require the user to interact with the hacker, does not require the user to connect to an infected Bluetooth device or anything like that.  All it requires is that Bluetooth is turned on in the device.

The good news, if there is any, is that this is not a hardware problem and it is not a protocol problem, it is a software implementation error.  A plain old bug.  Which means that it can be patched.

Of course, every COOL bug has to have a name;  this one is called BlueBorne.

ASSUMING that the manufacturer of your phone is still releasing patches for the model of phone that you have.  For example, most Android 4 and earlier users are not getting any patches and many Android 5 users are not getting patches.  iPhone 4 users are not going to get patched and this newest version of iOS will be the last patches for the iPhone 5 and 5c.

And, this is not limited to phones.

While Apple has patched this bug in iOS 10 (so most recently purchased iPhone users are good), Microsoft just released a Windows patch in July.  This means that Windows users are safe IF they are running on a supported version of Windows and have installed the July patch release.  Google says that the September patch release fixes the bug, but that has to wind its way through the manufacturer’s release process and then your carrier’s release process UNLESS you are using a Google Pixel phone, in which case, you should already have the patch.  Linux teams are working on a patch, but that has not been released yet.

The bigger issue is all of those Internet of Things appliances from light bulbs to TVs that will likely NEVER be patched and will, therefore, always be an opportunity for a hacker.

Of course, as with all Bluetooth connections, the attacker has to be within 30-100 feet or so, depending on the equipment that the hacker is using.  That makes Starbucks a perfect place to launch an attack on unsuspecting users.

For those of you who do not have the patch yet, such as users using obsolete Android phones, and Linux based IoT devices, the only possible defense is to disable Bluetooth.  That may not be what you want to hear, but that will protect your device.

Information for this post came from Wired.