Cybersecurity Snapshots #10 - Organizations Need to Take Bluetooth Security Seriously

Cybersecurity Snapshots #10 -

Organizations Need to Take Bluetooth Security Seriously

Bluetooth security is coming under increased scrutiny as its use grows beyond personal applications. Researchers are starting to emphasize that the risks of Bluetooth security, and potential rewards for malicious hackers are increasing significantly. Bluetooth is spreading from being mainly used in consumer settings to being adopted more and more by enterprises and governments for large-scale deployment in corporate offices, hospitals, and industrial control environments. As more devices are using Bluetooth, more Bluetooth bugs are being discovered by security researchers.

Academic researchers recently found that Bluetooth chips from Apple, Qualcomm, Intel, Samsung, and others contained security flaws that allowed Bluetooth Impersonation Attacks (BIAS). The researchers conducted BIAS attacks on more than 28 unique Bluetooth chips by attacking 30 different devices. All the devices tested were vulnerable to the BIAS attack. Academic researchers found that the bugs discovered allow an attacker to insert a rogue device into an established Bluetooth paring, masquerading as a trusted endpoint. This attack would allow an adversary to capture sensitive data from the other device.

Another Bluetooth vulnerability was discovered recently by researchers at Purdue University. The high-severity Bluetooth vulnerability they call "BLURtooth" exists in the pairing process for Bluetooth 4.0 through 5.0 implementations. The vulnerability could allow an unauthenticated adversary within wireless range (330 feet for Bluetooth 4.0 devices, and 800 feet for Bluetooth 5.0) to eavesdrop or alter communications between paired devices.

Another recently discovered vulnerability allows an adversary to hack Android cellphones via Bluetooth. Researchers at DBAPPSecurity have discovered an authentication bypass vulnerability, dubbed "BlueRepli." An adversary can bypass authentication by imitating a device that has previously been connected with a target. Victims do not need to give permission to a device for the exploit to work. The exploit makes it so that the victim has no awareness at all when attackers access their phone book or SMS messages. If the vulnerability is exploited, attackers can steal users' contacts, call logs, and short messages. The vulnerability also allows adversaries to send fake text messages from victims' devices if they exploit any device made by one particular Android manufacturer.

Security researchers believe that most Bluetooth bugs are due to faulty implementations as a result of the written standard's scale and complexity. The Bluetooth standard is about 3000 pages long, defines the radio frequency layer for Bluetooth, and has components at every layer of tech, from hardware up through applications, to guarantee interoperability between Bluetooth devices. According to Matthew Green, a cryptographer at Johns Hopkins University, the standard's complexity makes it very hard for developers to have a full mastery of the available choices, which results in faulty implementations.

Since Bluetooth is being used in more corporate offices, hospitals, and industrial control environments, security researchers strongly suggest that organizations address Bluetooth wireless technology in their security policies. A security policy that defines requirements for Bluetooth security is the foundation for all other Bluetooth related countermeasures. The security policy should include a list of approved uses for Bluetooth, a list of the types of information that may be transferred over Bluetooth networks, and, if used, requirements for selecting and using Bluetooth personal identification numbers. Organizations should ensure that their Bluetooth users are made aware of their security responsibilities regarding Bluetooth uses, and the annual required security awareness programs should be updated to include Bluetooth security policy guidelines. Security researchers also suggest that Bluetooth capabilities on personal devices be turned off when not in use, and one should refrain from transferring sensitive data to another device using Bluetooth.