Bluetooth is the invisible glue that binds devices together. That means that when it has bugs, they affect everything from iPhones and Android devices to scooters and even the physical authentication keys used to secure other accounts. The scale can be staggering: the BlueBorne flaw, first revealed in September 2017, affected five billion personal computers, phones and IoT units.
As with any computing standard, there is always the possibility of vulnerabilities in the code of the Bluetooth protocol itself, or in its lighter-weight sibling, Bluetooth Low Energy. But security researchers say the main reason Bluetooth bugs arise has more to do with the sheer size of the written standard, whose development is facilitated by the consortium known as the Bluetooth Special Interest Group. Bluetooth offers so many deployment options that developers do not necessarily have a full grasp of the available choices, which can lead to faulty implementations.
"One of the main reasons why Bluetooth is involved in so many cases is the complexity of this protocol," said Ben Seri, one of the researchers who discovered BlueBorne and vice president of research at the embedded device security company Armis. "The Bluetooth standard has about 3,000 pages – if you compare that to other wireless protocols like Wi-Fi, for example, Bluetooth is 10 times longer. Bluetooth SIG tried to do something very complete that suits many other diverse needs, but because of its complexity, it is very difficult to know how to use it if you are a manufacturer."
Bluetooth, as you probably know from your portable speaker, wireless keyboard, or toothbrush, allows two nearby devices to connect over the air. The pairing can last as long as both devices are in use, as with a fitness tracker and a smartphone. It can also be temporary, a way to configure a device or authenticate a user. Bluetooth Low Energy is a condensed version of the protocol for devices with limited computing and energy resources.
"All the details are buried in hundreds of pages of illegible specifications."
Matthew Green, Johns Hopkins University
At their core, Bluetooth and BLE open a channel that allows two devices to communicate – an extremely useful arrangement, but one that also opens the door to dangerous interactions. Without strong cryptographic authentication checks, malicious third parties can use Bluetooth and BLE to connect to a device they should not have access to, or trick targets into thinking that an unauthorized device is a trusted one.
"The standard often describes a subject in a scattered way," said Syed Rafiul Hussain, researcher in safety engineering at Purdue University. "And that often leaves manufacturers with the complex interactions of the protocol, which is another source of vulnerability."
Ken Kolderup, vice president of marketing at Bluetooth SIG, said the group is well aware of the challenge and of the importance of training developers to get a handle on Bluetooth's vast scope. He explains that the documentation is so extensive because the protocol not only defines a radio frequency layer for Bluetooth, it also contains components at every layer of technology, from hardware up through applications, to ensure interoperability between Bluetooth devices.
"Bluetooth is no longer limited to wireless audio streaming, there is energy-efficient data transfer, a mesh network, and it's a very large field," Kolderup says. "But security is obviously very important – the standard offers modes of operation ranging from the lack of security up to 128 AES encryptions or secure connections only mode. We put it as much as requested by the community."
A recent example, however, illustrates how the process can break down. In February, researchers at the security firm McAfee reported Bluetooth Low Energy misconfiguration issues in a smart lock called BoxLock. The device was designed to use a Bluetooth Low Energy configuration called "Just Works Mode," which allows devices to pair without a password or other cryptographic protection. This allowed the McAfee researchers to connect to any lock, analyze the device's BLE commands, and determine which one issued the unlock command. In addition, BoxLock had configured this command to be in read/write mode. So once attackers knew what to target, they could initiate an unlock. BoxLock has since fixed the vulnerabilities.
BoxLock ran into two common Bluetooth problems. It deployed a relatively insecure version of the protocol for a device – a lock – that calls for heightened security. And it made life easier for hackers by leaving Bluetooth traffic in the open.
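The misconfiguration described above, a sensitive read/write command reachable over Just Works pairing, is something a vendor can check for in its own GATT table before shipping. The following is an added example, not code from the article, BoxLock or McAfee: the characteristic names and the sample table are constructed, and the numeric levels follow LE security mode 1 in the Bluetooth Core Specification.

```python
from dataclasses import dataclass

# LE security mode 1 levels from the Bluetooth Core Specification.
NO_SECURITY = 1        # no pairing, no encryption
JUST_WORKS = 2         # unauthenticated pairing with encryption
AUTHENTICATED = 3      # authenticated pairing (passkey, numeric comparison, OOB)
SECURE_CONN_ONLY = 4   # authenticated LE Secure Connections, 128-bit key

WRITE_PROPS = {"write", "write_without_response"}


@dataclass(frozen=True)
class Characteristic:
    name: str              # hypothetical label, not a real product's UUID
    properties: frozenset  # GATT properties the characteristic exposes
    required_level: int    # lowest security level allowed to access it
    sensitive: bool        # True if it controls or reveals something that matters


def audit(table, minimum=AUTHENTICATED):
    """Return (name, severity, exposed_properties) for under-protected entries."""
    findings = []
    for ch in table:
        if not ch.sensitive or ch.required_level >= minimum:
            continue
        # A writable control point behind unauthenticated pairing is the
        # lock-command case; read-only exposure still leaks data.
        severity = "high" if ch.properties & WRITE_PROPS else "medium"
        findings.append((ch.name, severity, sorted(ch.properties)))
    return findings


# Constructed sample table for a hypothetical smart lock.
SAMPLE_TABLE = [
    Characteristic("battery_level", frozenset({"read", "notify"}), NO_SECURITY, False),
    Characteristic("lock_command", frozenset({"read", "write"}), JUST_WORKS, True),
    Characteristic("access_log", frozenset({"read"}), JUST_WORKS, True),
    Characteristic("firmware_update", frozenset({"write"}), SECURE_CONN_ONLY, True),
]

if __name__ == "__main__":
    for name, severity, props in audit(SAMPLE_TABLE):
        print(f"{severity:6} {name}: {', '.join(props)} reachable below authenticated pairing")
```

Raising `minimum` to `SECURE_CONN_ONLY` applies the strictest policy, under which anything sensitive that accepts a lower level is reported.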
"The problem is that BoxLock used a very insecure BLE implementation," says Steve Povolny, head of advanced threat research at McAfee. "I would not say it's an unsafe protocol." This is partly because Bluetooth has not been studied as comprehensively by the security community as some things, and that providers and the manufacturers are not sure what the potential flaws are. "
Although Bluetooth technology has been extensively researched, researchers say that the lack of in-depth monitoring is historically a result of the complexity of reading the standard, let alone understanding how it works and all implementations. possible. On the positive side, it created a kind of security thanks to the darkness, in which the attackers also found it easier to develop attacks against other protocols and systems rather than taking the time to strive to play with Bluetooth.
"I really could not give an informed opinion about the true security of Bluetooth, and I strongly suspect that protocol designers could not either," said Matthew Green, cryptographer at Johns University Hopkins. "That's because all the details are buried in hundreds of pages of illegible specifications, and many device manufacturers have been inspired by this to design their own security as a sort of" complementary "layer they use via Bluetooth … what a mess the protocol itself has been. "
"We encourage users to use the maximum level of security that your product can support."
Ken Kolderup, Bluetooth SIG
But in recent years, that Bluetooth obscurity has started to erode. After significant vulnerabilities such as BlueBorne, researchers are focusing more and more on raising awareness about Bluetooth implementation and configuration issues. And attackers are beginning to see Bluetooth as a real option for launching attacks. On Monday, for example, security firm Kaspersky Lab published findings about a Korean-speaking threat actor with close ties to the state that has built a Bluetooth scanner into its Windows malware, apparently to search for potentially exposed Bluetooth devices.
The Bluetooth SIG says it is considering a new generation of resources for developers, including the possibility of creating a security audit tool that coders can use to check their Bluetooth implementations. And the SIG's Kolderup says the consortium encourages scrutiny of the specification and input about potential vulnerabilities and ways to improve its overall security. The SIG is also working to better publicize existing resources on secure Bluetooth implementation, such as the guide from the National Institute of Standards and Technology.
"More and more devices are becoming interconnected, which suddenly creates a set of challenges that you need to be aware of when creating a product," he says. "We encourage users to use the maximum level of security your product can support, and we encourage you to lock it."
The researchers point out that the risks associated with Bluetooth security – and the potential rewards for malicious hackers – are growing as Bluetooth increasingly spreads from consumer environments, such as smart devices and wearables, to being embraced more and more by companies and governments for large-scale deployment in offices, hospitals and industrial control environments.
"Bluetooth is used for smart keys, for encryption and sensitive authentication," says Seri, of Armis. "And just as much, medical devices connected to the wireless infrastructure. All kinds of things in professional environments where it's easy to manage and unsupervised. This is not secure."
Researchers say more tools and training resources from the Bluetooth SIG would go a long way toward making Bluetooth implementation more manageable. In the meantime, whenever you're not using Bluetooth? Just turn it off.