The new BlueBorne vulnerability should scare the security community because it is a non-traditional attack vector not addressed by conventional security solutions. Fortunately for Symantec customers, Symantec Endpoint Protection Mobile (SEP Mobile) is not a conventional solution and is agnostic to the attack vector.
Bluetooth was once considered quite secure due to years of implementation peer review from researchers. Unfortunately, in the last ten years researchers turned their eyes elsewhere. During those ten years Bluetooth has been implemented in a plethora of new devices, operating systems, and frameworks. As a result, implementations have apparently lost some of that initial security focus, and vulnerabilities have unfortunately flown under the radar for too long.
Enter BlueBorne, leveraging a newly discovered attack vector that puts an estimated eight billion Bluetooth-enabled devices worldwide – mobile, desktop, and IoT – at risk of infection. BlueBorne exposes an extremely potent new attack vector that attackers will seek to leverage widely, mostly as a result of a few key traits:
- People’s systems almost always have Bluetooth turned on. And, perhaps unbeknownst to most, Bluetooth is always scanning the airwaves for devices looking to connect (even if you’ve never paired with them before). This means that BlueBorne is quite literally spreading through the airwaves undetected.
- Adding to its contagiousness is the fact that BlueBorne (via Bluetooth) is compatible with basically any software version and doesn’t require any specific conditions beyond Bluetooth being active. It also doesn’t require any user interaction to infect the device.
- Once BlueBorne finds a device via Bluetooth, it can analyze the MAC address to determine the device’s operating system. Then it can deliver a payload tailored to that operating system. This makes it extremely adaptable.
And, finally, as if being highly contagious and adaptable wasn’t enough, Bluetooth also has inherently high administrative permissions on devices. This means that when a device is infected, the attacker has virtually full control over the device and can accomplish any number of potent actions which include, but aren’t limited to, man-in-the-middle attacks and remote code execution.
All in all, this is a nasty new threat vector that existing security solutions aren’t looking for. It can spread quickly, easily, stealthily, and lethally. And it will, of course, take time for Bluetooth to be patched across all eight billion devices. This will all make BlueBorne an extremely attractive medium for attackers for some time.
How does it work?
BlueBorne consists of four vulnerabilities affecting Android devices: one is an information leak vulnerability that helps to facilitate the next ones; two are vulnerabilities that allow remote code execution (RCE) as the Android Bluetooth user; the last one allows creating a network interface that device traffic will be routed through, similar to a man-in-the-middle (MiTM) hotspot.
So, is there any good news? Yes, actually, there is! First, these vulnerabilities were patched in the Android OS in the security patch of September 2017, and Apple patched it in iOS 10. So, anyone can now update their operating system to protect themselves from this threat. Yet not everyone can or will, and what about protecting your device from these types of threats before they are disclosed and patched? That’s where SEP Mobile shines.
Although most security solutions probably can’t stop BlueBorne from infecting a device today, SEP Mobile still has mechanisms to render it harmless by defeating the payload itself. SEP Mobile has several ways to handle this. Among other detections, SEP Mobile uses an advanced Indicators of Compromise (IoC) engine on every mobile device it monitors to identify exploits that are being used to gain control over the device in real time. This engine uses deep knowledge of each device system, how it should look and behave, and how proper apps and processes are supposed to interact with it. So, as soon as BlueBorne attempts to infiltrate a mobile device protected by SEP Mobile, we would flag that as malicious activity and activate the appropriate protections to keep the device and sensitive data safe. Other detections will alert and automatically protect if an attacker attempts to achieve network MiTM, regardless of the exploit. SEP Mobile now also explicitly alerts for systems that are vulnerable to CVE-2017-0783.
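The post names two patch baselines (the Android September 2017 security patch level and iOS 10) and says SEP Mobile alerts on systems still vulnerable. As an added example, not Symantec’s code, here is a fleet check that classifies constructed inventory records against those baselines; the record field names (platform, security_patch, os_version, bluetooth_enabled) are assumptions, not a real MDM schema.

```python
from datetime import date

# Patch baselines named in the post: Android's September 2017 patch level, iOS 10.
ANDROID_FIXED_PATCH_LEVEL = date(2017, 9, 1)
IOS_FIXED_MAJOR = 10


def parse_patch_level(value):
    """Parse ro.build.version.security_patch (YYYY-MM-DD); None if missing
    or malformed so such devices are reported as unknown, never as patched."""
    try:
        return date.fromisoformat(value) if value else None
    except ValueError:
        return None


def classify_device(dev):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory record."""
    platform = dev.get("platform")
    if platform == "android":
        level = parse_patch_level(dev.get("security_patch"))
        if level is None:
            return "unknown"
        return "patched" if level >= ANDROID_FIXED_PATCH_LEVEL else "vulnerable"
    if platform == "ios":
        try:
            major = int(str(dev.get("os_version")).split(".")[0])
        except ValueError:
            return "unknown"
        return "patched" if major >= IOS_FIXED_MAJOR else "vulnerable"
    return "unknown"


def exposure_report(inventory):
    """Group device ids by status; a non-patched device with Bluetooth on is
    also listed as 'exposed', since BlueBorne needs no pairing or user action."""
    report = {"patched": [], "vulnerable": [], "unknown": [], "exposed": []}
    for dev in inventory:
        status = classify_device(dev)
        report[status].append(dev["id"])
        if status != "patched" and dev.get("bluetooth_enabled", True):
            report["exposed"].append(dev["id"])
    return report


# Constructed sample inventory; field names are assumed, not a real MDM schema.
SAMPLE_INVENTORY = [
    {"id": "a1", "platform": "android", "security_patch": "2017-09-05", "bluetooth_enabled": True},
    {"id": "a2", "platform": "android", "security_patch": "2017-08-01", "bluetooth_enabled": True},
    {"id": "a3", "platform": "android", "security_patch": "", "bluetooth_enabled": False},
    {"id": "i1", "platform": "ios", "os_version": "10.0.1", "bluetooth_enabled": True},
    {"id": "i2", "platform": "ios", "os_version": "9.3.5", "bluetooth_enabled": True},
]
```

Devices whose patch level cannot be read are deliberately reported as unknown rather than patched, so a broken inventory feed cannot hide exposure.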
Many of the methods used by SEP Mobile for predicting and detecting mobile threats are agnostic to the method, or vector, of the attack. This means that we don’t have to know (or try to predict) the signature of every threat or attack vector in existence. We can instead focus on stopping the malicious activities they will attempt. This is the beauty of a future-proofed mobile threat defense solution.
In addition to being able to stop malicious payloads using this Bluetooth vulnerability, Symantec will continue to protect our customers’ mobile devices from many other exploits that are as yet unknown. This should give businesses peace of mind that their end users’ mobile devices will remain safe from today’s attacks, as well as those that will appear tomorrow.
What to do now
Always be sure to update your mobile device to the latest security patch as soon as possible. If you’d like to learn more about how SEP Mobile can protect your enterprise’s mobile devices, be sure to visit our website or drop us a line.