From Nordic Semiconductor - BlueBorne: Lessons learned
Now that the dust has settled a little on BlueBorne, we take a look at how it came to be, its impact, and whether Nordic Semiconductor customers should be concerned. Read on for the full story.
Big Issues: Uncommon but devastating
High-profile, catastrophic security vulnerabilities are thankfully few and far between. When they do come along, they give us a chance to learn valuable lessons and help make sure that they become even rarer.
Most security issues rarely make the news outside of specialist security circles. They’re minor issues that are easily fixed without the public needing to be aware of them. Every time a user updates their operating system or device firmware, there will likely be security updates fixing holes before they become a risk.
Recently the world woke up to news of a new issue, dubbed Krack, that exposes all Wi-Fi connections to a potential attack. It’s been widely reported in the non-tech media and is clearly a big deal. At this stage, it’s rated as ‘hard to exploit but hard to patch’ and the outcome is still very much unknown.
Just a few weeks before, there was a big issue involving Bluetooth, known as BlueBorne.
What is BlueBorne?
BlueBorne is a vulnerability in Bluetooth implementations which could allow a hacker to gain control of devices and either steal information from them or use them for a man-in-the-middle attack on other devices. All major operating systems were vulnerable to some extent, making it big news in the tech world.
It was discovered in April 2017 by security researchers who then contacted all the major operating system providers. They mostly patched their systems in time for the public disclosure in September. By the time it was disclosed to the public, Windows, Linux, Android and iOS had all made fixes available.
What made BlueBorne such bad news?
First things first, Bluetooth is an extremely secure protocol by design. Over the last ten years, Bluetooth vulnerabilities have been of low severity and, crucially, haven’t allowed hackers to execute code remotely.
BlueBorne managed to be such a dangerous threat by exploiting the way that operating systems implement Bluetooth. It wasn’t the protocol itself that was the problem, but the fact that Bluetooth radios are always on, constantly searching for devices and signals. This meant hackers could connect to smartphones and computers silently and take over the device without the need for any user interaction.
Is the threat still ongoing?
While fixes were made available before the issue was disclosed to the public, some manufacturers did better than others. Apple, for example, had mitigated the threat in iOS 10 before it was known so any iOS devices that had been updated were never at risk. iOS 9 devices (iPhone 4S and earlier, for example) will always be vulnerable but, as of January 2017, that accounted for fewer than 20% of all iOS devices in use.
Microsoft responded rapidly and updated all affected versions of Windows still under active support. Google quickly produced a patch for Android but due to the fact that Android implementations are controlled by handset makers, it’s impossible to know whether all Android devices, particularly older ones, have been fixed.
Read more: How to secure mobile payments
The problem with smart devices
These kinds of attacks, where attackers can gain control of devices and their peripherals, are typical of today’s feature-rich smartphones and digital devices. When a device needs to do many things, easily and seamlessly, then any exploit that can access the device has the potential to be devastating.
In contrast, constrained and embedded systems, using bare-metal or Real-Time Operating Systems (RTOS) are much harder to exploit and of very little value even if an exploit is found.
BlueBorne and Nordic Semiconductor
If our customers are designing products that connect to affected smartphones or computers, those devices could be compromised. But apart from iOS, where the vulnerability in pre-10 versions relates to LEAP (a proprietary extension to Bluetooth low energy), all the vulnerabilities relate to Bluetooth Classic (BR/EDR), and not our domain of Bluetooth low energy. So, Android wearables that only use BLE were not impacted.
As it was related solely to the Bluetooth implementation in operating systems, wearables that simply use Bluetooth to communicate were not gateways, although the exploit could have allowed attackers to take them over via the affected phones and computers.
Lesson number one
The biggest lesson learned is that security is everyone’s concern. Protocol designers, chip manufacturers, device creators and Operating System architects must all do their part to make sure there are no weak links in the chain.
At Nordic Semiconductor, we’ll help you at every stage to make sure your devices are secure. If you’re still unsure, or if you need to discuss specific points, feel free to post a question in the Nordic Developer Zone.
It will get the swift attention of our expert engineers, and become part of our open knowledge base to benefit the entire community.
Stay up to date with industry and supplier news!